Advanced Security Information Model (ASIM) Analytic Rules in Microsoft Sentinel

Published Jun 06 2022 02:42 PM

It's that time of year when I rebuild my demo environment once again. I enjoy doing this because every time I learn something and get better at it. When I deployed Microsoft Sentinel and started configuring Analytic Rules, I ran into a familiar issue: I was trying to add some of the rule templates that are listed as an ASIM Version, and they would not save.

[Screenshot: analytic rule templates listed as ASIM Version]

The error says that the rule's query contains an expression (KQL) that is unrecognized. The unrecognized name is the ASIM parser function the template calls: these templates are written against the normalized schema (for example the DNS or Network Session parser) rather than a raw table, and that function does not exist in a workspace until the parsers have been deployed, so query validation fails.

[Screenshot: the unrecognized-expression error when saving the rule]

I asked around with my peers, and they had also mostly just ignored the error when building their demo tenants. So I decided to try to find a fix, thinking I'm not the only person who has run into this issue.

ASIM parsers normalize data from different sources into a common schema, so that one query (or one analytic rule) can be written once and run against every source that feeds that schema. The official documentation is here: Normalization and the Advanced Security Information Model (ASIM) | Microsoft Docs

But how do you get the parsers deployed? Some additional digging found aka.ms/deployasim. This links to the ASIM folder of the Azure/Azure-Sentinel GitHub repo, which holds a set of ARM templates that can be deployed with a click. You can deploy the entire set of parsers at once or one schema at a time (for example only DNS).

[Screenshot: the ASIM folder in the Azure/Azure-Sentinel GitHub repository]

As long as your account has write permissions to deploy ARM templates into the subscription and resource group that hold the Sentinel workspace, you can click and deploy. The templates create the parsers as workspace functions. Once they are deployed, go back to the rule templates, create the ASIM rules, and they will save and start producing alerts.
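A quick way to tell in advance which rule templates will hit this error, and which schema you still need to deploy, is to compare the parser names a rule's KQL calls with the functions that actually exist in the workspace. The script below is an added example, not code from the original post or from the ASIM project. It assumes the deployed functions are read from the workspace's saved-search listing (for example the output of `az monitor log-analytics workspace saved-search list`, where ASIM parsers carry a `functionAlias`); that call is not made here, and the rule text and saved-search listing are constructed samples. The parser naming patterns it looks for (`_Im_*`, `_ASim_*`, `im*`, `vim*`, `ASim*`) are my reading of the repo's conventions, not a list published by the project.

```python
"""Check which ASIM parser functions an analytic rule needs but the workspace lacks.

Added example, not from the original post or the ASIM project. The deployed
function list is assumed to come from the workspace saved-search listing
(e.g. `az monitor log-analytics workspace saved-search list -g <rg> -n <ws>`),
which is not called here; constructed data stands in for it.
"""
import json
import re
from typing import Iterable

# ASIM function naming conventions matched here (assumption from the parser repo):
# unifying parsers _Im_<Schema> / _ASim_<Schema>, legacy im<Schema>, and
# source-specific vim<Schema><Source> / ASim<Schema><Source>. Native ASim* tables
# would also match, so a "missing" hit is something to look at, not a hard fail.
ASIM_NAME = re.compile(r"\b(?:_Im_\w+|_ASim_\w+|im[A-Z]\w*|vim[A-Z]\w*|ASim[A-Z]\w*)\b")
LINE_COMMENT = re.compile(r"//[^\n]*")


def strip_comments(kql: str) -> str:
    """Drop // comments so a parser that is only mentioned in a comment is not counted."""
    return LINE_COMMENT.sub("", kql)


def referenced_parsers(kql: str) -> set[str]:
    """Return the ASIM function names the rule query actually invokes."""
    return set(ASIM_NAME.findall(strip_comments(kql)))


def function_aliases(saved_search_json: str) -> set[str]:
    """Collect functionAlias values from a saved-search listing.

    Handles both a flattened CLI shape and the ARM shape with a 'properties' object
    (assumption about the listing format); entries without an alias are plain
    saved queries, not functions, and are skipped.
    """
    aliases: set[str] = set()
    for entry in json.loads(saved_search_json):
        alias = entry.get("functionAlias") or entry.get("properties", {}).get("functionAlias")
        if alias:
            aliases.add(alias)
    return aliases


def missing_parsers(kql: str, deployed: Iterable[str]) -> list[str]:
    """Names the rule calls that the workspace does not define, sorted for stable output."""
    return sorted(referenced_parsers(kql) - set(deployed))


# Constructed sample rule, shaped like the ASIM DNS rule templates (not a real template).
# The comment line mentions the legacy imDns name on purpose: it must not be counted.
SAMPLE_RULE_KQL = """
// Originally written against imDns; migrated to the _Im_Dns unifying parser.
let lookback = 1d;
let watchlist = dynamic(["pool.example", "miner.example"]);
_Im_Dns(starttime=ago(lookback), domain_has_any=watchlist)
| join kind=inner (
    _Im_NetworkSession(starttime=ago(lookback))
    | project SrcIpAddr, DstIpAddr, DstPortNumber
  ) on SrcIpAddr
| summarize count() by SrcIpAddr, DnsQuery, DstPortNumber
"""

# Constructed saved-search listing for a workspace where only the DNS schema was deployed.
SAMPLE_SAVED_SEARCHES = json.dumps([
    {"name": "_Im_Dns", "functionAlias": "_Im_Dns", "category": "ASIM"},
    {"name": "imDns", "functionAlias": "imDns", "category": "ASIM"},
    {"name": "vimDnsMicrosoftOMS",
     "properties": {"functionAlias": "vimDnsMicrosoftOMS", "category": "ASIM"}},
    {"name": "MyFailedLogons", "category": "Saved queries"},
])


if __name__ == "__main__":
    deployed = function_aliases(SAMPLE_SAVED_SEARCHES)
    for name in missing_parsers(SAMPLE_RULE_KQL, deployed):
        print(f"missing parser: {name} (deploy that schema's parsers from aka.ms/deployasim)")
```

Run against the sample data it reports `_Im_NetworkSession` as missing: the DNS parsers are present, but the rule also joins against the Network Session schema, so that schema's template (or the full set) needs to be deployed before the rule will save.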

Hopefully this helps folks who might run into this ASIM error!
