Normalization is at the core of every SIEM, and Microsoft Sentinel is no exception. The Advanced Security Information Model (ASIM) is Microsoft Sentinel's normalization engine. Until now, you had to deploy ASIM parsers from the Microsoft Sentinel GitHub repository. Starting today, ASIM is built into Microsoft Sentinel. Once you have onboarded Microsoft Sentinel, you can immediately:
Use ASIM unifying parsers such as _Im_Dns as table names in your queries, and get all relevant normalized information from every connected source in a consistent, well-documented, and easy-to-use schema.
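As an added example of using an ASIM parser as a table name (this is not code from the original post), the query below hunts for hosts generating unusual numbers of failed DNS lookups across every DNS source connected to the workspace, without naming any vendor table. The `starttime`, `endtime` and `responsecodename` filtering parameters and the field names `SrcIpAddr`, `DnsQuery` and `TimeGenerated` are those of the ASIM DNS schema; the threshold of 50 distinct failed names per 5 minutes is an arbitrary assumption to tune for your environment.

```kql
// Added example, not from the original post: NXDOMAIN burst detection over the
// built-in _Im_Dns unifying parser. Filtering parameters are passed to the parser
// so the filter is applied in each source query rather than after normalization.
_Im_Dns(starttime=ago(1h), endtime=now(), responsecodename='NXDOMAIN')
| summarize
    FailedNames = dcount(DnsQuery),     // distinct names that failed to resolve
    FailedQueries = count(),            // total failed lookups in the bin
    SampleNames = make_set(DnsQuery, 10)
    by SrcIpAddr, bin(TimeGenerated, 5m)
| where FailedNames > 50                // assumed threshold; tune per environment
| order by FailedNames desc
```

The same query runs unchanged whether the underlying data comes from Windows DNS Server, Infoblox, Zscaler, or any other source with an ASIM DNS parser, which is the practical payoff of querying the normalized view instead of each raw table.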
To make ASIM part of Microsoft Sentinel, we had to double down on parser quality. To do that, we created the ASIM tester, which we used to test the built-in parsers and which you can also use for your custom ASIM parsers. Interestingly, we found that the testing tools are also great for evaluating the quality of the data you send to Microsoft Sentinel, not just the parsers. After all, even the best parser cannot turn partial or inaccurate data into gold.
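As an added example of exercising the tester against a parser and against the data it produces (this is not code from the original post), the two queries below run the ASIM schema tester and data tester over the built-in DNS parser. The function names `ASimSchemaTester` and `ASimDataTester` and the `'Dns'` schema argument follow the ASIM tester's documented usage; the example assumes the tester functions are available in the workspace and that the workspace already receives DNS events.

```kql
// Added example, not from the original post.
// 1) Schema test: checks that the parser output has the mandatory ASIM DNS fields,
//    that field types match the schema, and flags fields that are not part of it.
//    Failures here point at the parser (custom or built-in).
_Im_Dns(starttime=ago(1d), endtime=now())
| invoke ASimSchemaTester('Dns')

// 2) Data test: checks the actual values in each field (for example, that
//    SrcIpAddr holds valid IP addresses and enumerated fields such as
//    DnsResponseCodeName hold allowed values). Failures here often point at the
//    source, not the parser: truncated, empty or malformed events upstream.
_Im_Dns(starttime=ago(1d), endtime=now())
| invoke ASimDataTester('Dns')
```

Run the schema test first; a parser that fails it will produce misleading data-test results. For a custom parser, substitute its function name for `_Im_Dns` and keep the schema argument matching the schema the parser claims to implement.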
Microsoft Sentinel ingests data from many sources. Working with various data types and tables together requires you to understand each of them and to write and maintain separate analytics rules, workbooks, and hunting queries for each type or schema. Sometimes you'll need separate rules, workbooks, and queries even when data types share common elements, such as events from different firewall devices. Correlating between different data types during investigation and hunting can also be challenging.
ASIM provides a seamless experience for handling various sources in uniform, normalized views by providing the following functionality:
What is ASIM?
ASIM is a framework that provides normalization to Microsoft Sentinel. It includes the following parts: