New Blog Post | Azure Sentinel Information Model DNS Schema and normalized content now public

What's new: Azure Sentinel Information Model DNS Schema and normalized content now public - Microsoft Tech Community (https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-information-model-dns-schema-and/ba-p/2429926)

Following our networking schema, we now extend our Azure Sentinel Information Model (ASIM) guidance (https://aka.ms/AzSentinelNormalization) and release our DNS schema (https://aka.ms/AzSentinelDnsDoc). We expect to follow suit with additional schemas in the coming weeks.

This release includes additional artifacts to ensure easier use of ASIM:

  • A new, extensive overview of the Azure Sentinel Information Model (ASIM) (https://aka.ms/AzSentinelNormalization), including schema guidelines and a parser writing guide.

  • All the normalizing parsers can be deployed with a single click using an ARM template (https://aka.ms/AzSentinelDns). The initial release contains normalizing parsers for Infoblox, Cisco Umbrella, and Microsoft DNS server.

  • We have migrated analytic rules that worked on a single DNS source to use the normalized template. Those are available on GitHub and will be available in the in-product gallery in the coming days. You can find the list at the end of this post.

  • And of course, the schema documentation (https://aka.ms/AzSentinelDnsDoc) is available on docs.microsoft.com.

With single-click deployment and support for normalized content in analytic rules, we believe we will see an accelerated adoption of the Azure Sentinel Information Model.

Labels: Azure, Azure Sentinel, Cloud Security
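The value of a normalizing parser is that a rule is written once against the common schema and then runs unchanged over every DNS source. The following Python example, added here and not part of the post or of the ASIM project, shows that idea end to end: two constructed, simplified log formats (stand-ins, not the real Infoblox, Cisco Umbrella or Microsoft DNS formats) are mapped into one set of columns, a required-field check catches incomplete mappings, and a single "many NXDOMAIN answers per client" rule runs over the merged result. The column names follow the ASIM naming style (DnsQuery, DnsResponseCodeName, SrcIpAddr, EventResult) but are used here as illustrative assumptions; the authoritative field list is in the linked schema documentation.

```python
"""Illustrative DNS normalization: vendor-specific records -> one common schema,
so one detection query runs over any source. Added example, not ASIM code."""
import re
from collections import Counter

# Constructed sample events. Both formats are simplified stand-ins, not real vendor log formats.
SOURCE_A_LINES = [  # assumed key=value export from "vendor A"
    "ts=2021-06-15T10:00:01Z client=10.1.1.5 qname=login.contoso.com qtype=A rcode=NOERROR",
    "ts=2021-06-15T10:00:02Z client=10.1.1.5 qname=x7f3q.example.net qtype=A rcode=NXDOMAIN",
    "ts=2021-06-15T10:00:03Z client=10.1.1.5 qname=k2p9z.example.net qtype=A rcode=NXDOMAIN",
]
SOURCE_B_RECORDS = [  # assumed JSON-style export from "vendor B" (numeric type and rcode)
    {"time": "2021-06-15T10:00:04Z", "src": "10.1.1.9", "query": "cdn.contoso.com", "type": 28, "status": 0},
    {"time": "2021-06-15T10:00:05Z", "src": "10.1.1.5", "query": "m4x1c.example.net", "type": 1, "status": 3},
]

# Small lookup tables for the two fields whose encoding differs between sources.
QTYPE_NAMES = {1: "A", 28: "AAAA", 16: "TXT"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Columns every normalized event must carry (illustrative subset, modeled on ASIM naming).
REQUIRED_FIELDS = {"TimeGenerated", "EventVendor", "SrcIpAddr", "DnsQuery",
                   "DnsQueryTypeName", "DnsResponseCodeName", "EventResult"}


def parse_source_a(line):
    """Map one key=value line into the common schema."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return {
        "TimeGenerated": kv["ts"],
        "EventVendor": "VendorA",            # constructed vendor name
        "SrcIpAddr": kv["client"],
        "DnsQuery": kv["qname"].lower(),     # lower-case so rules can compare names directly
        "DnsQueryTypeName": kv["qtype"],
        "DnsResponseCodeName": kv["rcode"],
        "EventResult": "Success" if kv["rcode"] == "NOERROR" else "Failure",
    }


def parse_source_b(rec):
    """Map one JSON-style record into the same schema, translating numeric codes to names."""
    rcode = RCODE_NAMES.get(rec["status"], str(rec["status"]))
    return {
        "TimeGenerated": rec["time"],
        "EventVendor": "VendorB",            # constructed vendor name
        "SrcIpAddr": rec["src"],
        "DnsQuery": rec["query"].lower(),
        "DnsQueryTypeName": QTYPE_NAMES.get(rec["type"], str(rec["type"])),
        "DnsResponseCodeName": rcode,
        "EventResult": "Success" if rcode == "NOERROR" else "Failure",
    }


def missing_fields(event):
    """Return the required columns a parser failed to populate (empty set means compliant)."""
    return {f for f in REQUIRED_FIELDS if f not in event or event[f] in (None, "")}


def normalize(source_a_lines, source_b_records):
    """Run each source through its own parser and merge into one normalized event list."""
    events = [parse_source_a(line) for line in source_a_lines]
    events += [parse_source_b(rec) for rec in source_b_records]
    for e in events:
        gaps = missing_fields(e)
        if gaps:
            raise ValueError(f"{e['EventVendor']} parser left fields empty: {sorted(gaps)}")
    return events


def nxdomain_clients(events, threshold):
    """Rule written once against the normalized schema: clients with >= threshold NXDOMAIN answers.
    Because it reads only normalized columns, it sees both vendors' events."""
    counts = Counter(e["SrcIpAddr"] for e in events if e["DnsResponseCodeName"] == "NXDOMAIN")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    normalized = normalize(SOURCE_A_LINES, SOURCE_B_RECORDS)
    print(f"{len(normalized)} normalized events")
    print("clients over threshold:", nxdomain_clients(normalized, 2))
```

In the sample data the third NXDOMAIN for client 10.1.1.5 comes from vendor B, so the rule only reaches its threshold because both sources were normalized into the same columns; a rule written against either raw format alone would have missed it.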
