Microsoft Sentinel Blog

Microsoft Sentinel - Custom ASIM Parser for SolarWinds Data Source

Nivetha_Muthukrishnan
Mar 27, 2025

This step-by-step guide to creating a custom Advanced Security Information Model (ASIM) parser for SolarWinds data sources in Microsoft Sentinel covers collecting logs, identifying schemas, mapping fields, developing the parser in Kusto Query Language (KQL), testing it, and deploying it so that security event detection and data analysis can work on normalized data.

This article provides guidance on creating a custom Advanced Security Information Model (ASIM) parser for a log source that has no out-of-the-box (OOB) data connector but supports the syslog log format. The process involves the following steps:

  1. First, collect sample logs from the log source to understand the data structure and fields.
  2. Next, identify the relevant ASIM schemas that the events from the log source represent.
  3. Once the schemas are identified, map the fields from the log source to the corresponding schema fields.

This mapping is implemented as Kusto Query Language (KQL) user-defined functions that transform the raw log data into the normalized format. Finally, deploy the custom parser to your Microsoft Sentinel workspace and add it to the existing unifying parsers so that the normalized view covers this source as well.

Here are the detailed steps to create a custom ASIM parser for a log source that supports the syslog log format:

1. Collect Sample Logs: 

    • Gather a representative set of logs from the log source. This helps in understanding the structure and content of the logs.

2. Identify Relevant Schemas: 

    • Determine which ASIM schemas the events from the log source correspond to. ASIM schemas define the structure and fields for different types of security events. 

3. Map Source Fields to Schema Fields: 

    • Map the fields from the log source to the corresponding fields in the identified ASIM schemas. This involves understanding the data in the logs and how it fits into the ASIM schema structure. 

4. Develop ASIM Parsers: 

    • Create one or more ASIM parsers for the log source. This typically involves writing Kusto Query Language (KQL) functions to transform the raw log data into the normalized format defined by the ASIM schemas. You will need to develop both a filtering parser and a parameter-less parser for each relevant schema. 

5. Test the Parser: 

    • Test the custom parser to ensure it correctly transforms the log data and integrates with Microsoft Sentinel. This step is crucial to verify that the parser works as expected and accurately maps the log data to the ASIM schemas. 

6. Deploy the Parser: 

    • Deploy the custom parser to your Microsoft Sentinel workspace. This involves uploading the parser and configuring it to process incoming log data. 

Custom Parser for Data Source - SolarWinds:

Custom ASIM parser for the SolarWinds data source, which sends logs in syslog format:

  • Step 1: Ingest the logs using the method the source supports. SolarWinds logs support syslog, so they have been onboarded via syslog.
  • Step 2: Understand the log format by collecting a representative set of log samples.
  • Step 3: Identify the mandatory and recommended fields of the ASIM schema you intend to use.
  • Step 4: Develop the parser in KQL.


A parser query has three parts:

Filtering: A parser should select only the records that belong to the source, which is done with the KQL where operator.

Parsing: After selecting the relevant records, split the raw message into its individual fields using KQL operators and functions such as split, parse, or regular-expression extraction (extract).

Normalizing: Once parsed, rename the fields to the ASIM schema names and convert their values to the schema's allowed types and value lists.

  • Once the source-specific parser is created, save the query as a function.
  • This source-specific parser can then be added to an existing unifying parser so that the custom device is included whenever the unifying parser is used.
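The following is an added example, not code from the original post or from SolarWinds or Microsoft: a filtering parser for the ASIM Authentication schema that carries out the three parts above (filtering, parsing, normalizing) for the six-step procedure and the SolarWinds steps. The SolarWinds message text it parses is a constructed format (a real device's lines will differ, so adjust the regular expressions to your own samples); the function name vimAuthenticationSolarWinds, the ProcessName filter value, the EventProduct and EventVendor strings, and the EventSchemaVersion string are assumptions to be replaced with values from your own environment and the current schema documentation.

```kql
// Added example: source-specific ASIM Authentication parser for a syslog device.
// ASSUMPTION: the device writes CONSTRUCTED message lines such as
//   "Login succeeded for user jdoe from 10.0.0.5"
//   "Login failed for user admin from 198.51.100.7: bad password"
// The function name, ProcessName value, vendor/product strings and schema
// version are placeholders; replace them with your own values.
let vimAuthenticationSolarWinds = (
    starttime: datetime = datetime(null),
    endtime: datetime = datetime(null),
    username_has_any: dynamic = dynamic([]),
    srcipaddr_has_any_prefix: dynamic = dynamic([]),
    eventresult: string = '*',
    disabled: bool = false
) {
    // --- Filtering: keep only this device's records and honour the standard
    // ASIM filtering parameters, so the parser stays cheap when the unifying
    // parser calls it with a narrow time window or a short user list.
    Syslog
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | where ProcessName =~ "solarwinds"            // ASSUMED device identifier
    | where SyslogMessage startswith "Login "
    // --- Parsing: pull the raw fields out of the free-text message.
    | extend
        Outcome = extract(@"^Login (succeeded|failed) for user ", 1, SyslogMessage),
        RawUser = extract(@" for user (\S+) from ", 1, SyslogMessage),
        RawIp   = extract(@" from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage),
        Reason  = extract(@" from \S+: (.+)$", 1, SyslogMessage)
    // Drop lines that looked like logins but did not match the pattern;
    // a parser must not emit half-populated events.
    | where isnotempty(Outcome) and isnotempty(RawUser)
    // Parameter filters that need parsed fields are applied after parsing.
    | where array_length(username_has_any) == 0 or RawUser has_any (username_has_any)
    | where array_length(srcipaddr_has_any_prefix) == 0
        or has_any_ipv4_prefix(RawIp, srcipaddr_has_any_prefix)
    // --- Normalizing: map the parsed values onto ASIM Authentication fields.
    | extend EventResult = iff(Outcome == "succeeded", "Success", "Failure")
    | where eventresult == '*' or EventResult =~ eventresult
    | extend
        EventCount = int(1),
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        EventType = "Logon",
        EventResultDetails = iff(EventResult == "Failure", "Other", ""),
        EventOriginalResultDetails = Reason,
        EventSeverity = iff(EventResult == "Failure", "Low", "Informational"),
        EventProduct = "SolarWinds",        // ASSUMED product string
        EventVendor = "SolarWinds",         // ASSUMED vendor string
        EventSchema = "Authentication",
        EventSchemaVersion = "0.1.3",       // ASSUMED: check the current schema doc
        TargetUsername = RawUser,
        TargetUsernameType = "Simple",
        SrcIpAddr = RawIp,
        DvcHostname = Computer,
        DvcIpAddr = HostIP
    // Aliases defined by the schema, so unified analytics rules and workbooks
    // that use the short names also work against this source.
    | extend
        User = TargetUsername,
        Dvc = DvcHostname,
        IpAddr = SrcIpAddr,
        Src = SrcIpAddr
    | project-away Outcome, RawUser, RawIp, Reason
};
// Usage: failed logons in the last day from one constructed address prefix.
vimAuthenticationSolarWinds(starttime=ago(1d), eventresult='Failure',
    srcipaddr_has_any_prefix=dynamic(["198.51.100."]))
```

To deploy it, save the body (everything inside the braces) as a function with the same parameters and defaults; the parameter-less variant the steps above call for is the same body saved under an ASim-prefixed name with the parameter checks removed. Validate the saved function before wiring it into a unifying parser: run it over a day of data and confirm every row has the mandatory fields populated with allowed values (EventResult is only Success or Failure here, EventType is Logon), and, if you have deployed the ASIM testing functions from the Azure-Sentinel GitHub repository, pipe its output through ASimSchemaTester and ASimDataTester for the Authentication schema. Only after that should the function be added to the unifying parser's union list, because a parser that emits malformed rows breaks every rule that depends on the unified view.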

Creating a custom ASIM parser for SolarWinds in Microsoft Sentinel is crucial for improving security event detection and data analysis. By collecting sample logs, identifying schemas, mapping source fields, and using KQL to develop parsers, organizations achieve seamless integration and better threat management. Deploying this custom parser enhances security posture and operational efficiency.

Updated Mar 27, 2025
Version 2.0