Hello everyone,
Continuing our normalization journey, we now add the file activity schema.
In addition to the general ASIM advantages (cross-source analytics, source-agnostic rules, and ease of use), the File Activity schema lets you write rules that span endpoint, server, and cloud activity. We have included parsers for Sysmon, Microsoft 365 Defender for Endpoint, SharePoint, OneDrive, and Azure Storage. For example:
Read more about Azure Sentinel Information Model and the File Activity schema, and deploy the File Activity parser packs in a single click using an ARM template.
Join us to learn more about the Azure Sentinel information model in two webinars:
Special thanks to @Yaron Fruchtmann, who made all this possible.
Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.
The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. ASIM:
The current implementation is based on query-time normalization using KQL functions, and includes the following:
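As an added illustration (not code from the post or from the ASIM parser packs) of what query-time normalization looks like in KQL: two constructed raw sources are projected into ASIM file-event fields, and a single source-agnostic rule then runs over their union. The raw column names, sample rows, and the simplified field mapping are assumptions for this example only.

```kql
// Constructed sample rows standing in for two raw sources (not real telemetry).
let SysmonRaw = datatable(TimeGenerated:datetime, Computer:string, EventID:int, TargetFilename:string, User:string)
[
    datetime(2021-06-01 10:00:00), "host01", 11, @"C:\Windows\Temp\updater.exe", @"CORP\alice",
    datetime(2021-06-01 10:05:00), "host02", 11, @"C:\Users\bob\notes.txt",      @"CORP\bob"
];
let StorageRaw = datatable(TimeGenerated:datetime, OperationName:string, ObjectKey:string, CallerIpAddress:string)
[
    datetime(2021-06-01 10:07:00), "PutBlob",    "/acct/container/updater.exe", "203.0.113.10",
    datetime(2021-06-01 10:09:00), "DeleteBlob", "/acct/container/old.log",     "203.0.113.10"
];
// Query-time normalization: each source is projected into ASIM file-event fields
// (EventType, TargetFilePath, ActorUsername, SrcIpAddr, DvcHostname, EventVendor, EventProduct).
let SysmonFileEvents = SysmonRaw
    | where EventID == 11                       // Sysmon event 11 = FileCreate
    | project TimeGenerated, EventVendor = "Microsoft", EventProduct = "Sysmon",
              EventType = "FileCreated", DvcHostname = Computer,
              TargetFilePath = TargetFilename, ActorUsername = User, SrcIpAddr = "";
let StorageFileEvents = StorageRaw
    | extend EventType = case(OperationName == "PutBlob",    "FileCreated",
                              OperationName == "DeleteBlob", "FileDeleted",
                              "Other")
    | project TimeGenerated, EventVendor = "Microsoft", EventProduct = "Azure Storage",
              EventType, DvcHostname = "", TargetFilePath = ObjectKey,
              ActorUsername = "", SrcIpAddr = CallerIpAddress;
// One rule over the normalized union: executables written on an endpoint or to cloud storage.
// Written against the schema, it keeps working when further parsers are added to the union.
union SysmonFileEvents, StorageFileEvents
| where EventType == "FileCreated" and TargetFilePath endswith ".exe"
| project TimeGenerated, EventProduct, DvcHostname, TargetFilePath, ActorUsername, SrcIpAddr
```

In a deployment the two `let` blocks are what the parser functions (such as `imFileEvent`) encapsulate, so rules reference the parser instead of the raw tables.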
Thanks!