Hello everyone,
Continuing our normalization journey, we added to the networking and DNS schemas the Authentication, Process Events, and Registry Events schemas and delivered normalized content based on the two. We also added ARM template deployment and support for Microsoft Defender for Endpoints to the Network Schema.
Special thanks to @Yuval Naor , @Yaron Fruchtmann , and @Batami Gold , who made all this possible.
Why should you care?
Deploy the Authentication, Process Events, Registry Events, or Network Session parser packs in a single click using ARM templates.
Join us to learn more about the Azure Sentinel information model in two webinars:
Why normalization, and what is the Azure Sentinel Information Model?
Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.
The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. ASIM:
|
||
Ofer Shezaf Principal Product Manager, Azure Sentinel |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.