It's that time of year when I decide to rebuild my demo environment once again. I enjoy doing this because every time I learn something and get better at it. When I deployed Microsoft Sentinel and started configuring Analytic Rules, I ran into a familiar issue. I was trying to add some of the rule templates that were listed as the ASIM version.
The error reports that the rule's query contains an unrecognized expression (KQL). The cause is that the ASIM versions of the templates call an ASIM parser function (imDns, for example) instead of querying a raw table, and that function does not exist in the workspace until the parsers have been deployed, so the rule fails validation.
I asked around among my peers, and they had also mostly just ignored the error when building their demo tenants. So I decided to try to find a fix, thinking I'm not the only person who has run into this issue.
ASIM parsers are KQL functions stored in the workspace that normalize data from different sources onto a common schema (DNS, process creation, network session and so on), so a rule written once against the schema works regardless of which product produced the events. The official documentation is here: Normalization and the Advanced Security Information Model (ASIM) | Microsoft Docs
But how do you get the parsers deployed? Some additional digging found aka.ms/deployasim. This links to a GitHub repo with a few ARM templates that can easily be deployed. You can deploy the entire set of parsers or the parsers for individual schemas.
The templates create the parser functions as saved searches in the workspace, so as long as your account has write permission on the workspace's resource group (Contributor is sufficient), you can click and deploy. Once the parsers are deployed, go back and configure the rules; the validation error disappears and the rules start producing alerts.
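Before enabling a batch of ASIM rule templates it is useful to know exactly which parser functions they depend on and which of those are still missing from the workspace, rather than discovering it one validation error at a time. The following is an added example (not code from the original post or from the Azure Sentinel repo) that scans rule-template KQL for ASIM parser names using the ASIM naming prefixes (im, vim, ASim, _Im_, _ASim_) and compares them with a list of functions already in the workspace. The two rule queries and the list of deployed functions are constructed sample data; in practice the deployed list comes from the workspace's saved searches, which is where Log Analytics stores functions.

```python
import re

# ASIM parser functions follow fixed naming prefixes: unifying parsers
# "imDns" / "_Im_Dns", source-specific parsers "vimDnsX" / "ASimDnsX" /
# "_ASim_DnsX". Anything else in the query (table names, column names,
# KQL operators) is not an ASIM parser and is ignored.
ASIM_FUNC_RE = re.compile(
    r"\b(_Im_\w+|_ASim_\w+|im[A-Z]\w*|vim[A-Z]\w*|ASim[A-Z]\w*)\b"
)

# Constructed sample rule queries in the style of the ASIM rule templates.
RULE_TEMPLATES = {
    "Excessive NXDOMAIN DNS Queries (ASIM)": """
let threshold = 200;
imDns(responsecodename='NXDOMAIN')
| where isnotempty(DnsResponseCodeName)
| summarize count() by SrcIpAddr, bin(TimeGenerated, 15m)
| where count_ > threshold
""",
    "Suspicious cmd.exe children (ASIM)": """
// Looks for processes launched by cmd.exe
_Im_ProcessCreate(starttime=ago(1d))
| where ActingProcessName endswith "cmd.exe"
| project TimeGenerated, Dvc, ActorUsername, TargetProcessCommandLine
""",
}

# Constructed list of functions already present in the workspace
# (hypothetical: here only the process-creation parser has been deployed).
DEPLOYED_FUNCTIONS = {"_Im_ProcessCreate", "vimProcessCreateMicrosoftSysmon"}


def asim_parsers_in_query(kql: str) -> set[str]:
    """Return the ASIM parser names referenced by a KQL query."""
    # Drop // line comments so a commented-out parser is not reported.
    code = "\n".join(line.split("//", 1)[0] for line in kql.splitlines())
    return set(ASIM_FUNC_RE.findall(code))


def missing_parsers(kql: str, deployed: set[str]) -> set[str]:
    """Parsers the query needs that are not yet deployed in the workspace."""
    return asim_parsers_in_query(kql) - set(deployed)


def parser_report(templates: dict[str, str], deployed: set[str]) -> dict[str, set[str]]:
    """Map each template name to the set of parsers it still lacks."""
    return {name: missing_parsers(kql, deployed) for name, kql in templates.items()}


if __name__ == "__main__":
    for name, missing in parser_report(RULE_TEMPLATES, DEPLOYED_FUNCTIONS).items():
        status = "OK" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{name}: {status}")
```

Templates whose missing set is empty can be enabled straight away; for the rest, the missing names tell you which schema (DNS, process creation, ...) to pick when deploying individual parsers from aka.ms/deployasim instead of the full set.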
Hopefully this helps folks who run into this ASIM parser error!