Blog Post

Microsoft Sentinel Blog
2 MIN READ

What's new: ASIM File Activity schema

Ofer_Shezaf's avatar
Ofer_Shezaf
Icon for Microsoft rankMicrosoft
Aug 04, 2021

Hello everyone,

 

Continuing our normalization journey, we now add the file activity schema.

 

Retweet, Re-share on LinkedIn

 

Why should you care?

 

In addition to ASIM advantages: cross source analytics, source agnostic rules, and ease of use, the File Activity Schema lets you write rules that span endpoint, server, and cloud activity. We have included parsers for Sysmon, Microsoft 365 Defender for Endpoint, SharePoint, OneDrive, and Azure Storage. For example:

 

  • Analyzing file activity is instrumental for ransomware detection. Now your on-prem ransomware analytics can secure cloud workloads.

 

  • When looking for malware leftovers, you will find them on the affected endpoints and on cloud services that may have served to spread them.

 

Learn more

 

Read more about Azure Sentinel Information Model and the File Activity schema, and deploy the File Activity parser packs in a single click using an ARM template

 

Join us to learn more about the Azure Sentinel information model in two webinars:

 

  • The Information Model: Understanding Normalization in Azure Sentinel: Presentation, YouTube.
  • Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content: next week, register here.

 

Special thanks to @Yaron Fruchtmann, who made all this possible.

 

Why normalization, and what is the Azure Sentinel Information Model?

 

Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.

 

The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. ASIM:

  • Allows source agnostic content and solutions
  • Simplifies analyst use of the data in sentinel workspaces

 

The current implementation is based on query time normalization using KQL functions. And includes the following:

  • Normalized schemas cover standard sets of predictable event types that are easy to work with and build unified capabilities. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values.
  • Parsers map existing data to the normalized schemas. Parsers are implemented using KQL functions.
  • Content for each normalized schema includes analytics rules, workbooks, hunting queries, and additional content. This content works on any normalized data without the need to create source-specific content.

Thanks!

Updated Aug 04, 2021
Version 3.0
what's new
  • John_McCash's avatar
    John_McCash
    Copper Contributor
    Aug 12, 2021

    Ofer -

    How can we maintain these ASIM parsers going forward? It looks like these are under active development, so when they change, how do we make sure we get all the new updates installed as soon as possible after release? When they are updated, do we just click the associated 'Deploy to Azure' buttons again? Is there a way to track what versions of each parser are currently installed? And when these are eventually incorporated into the standard Sentinel install (as I assume is the intent) will the new code transparently overwrite what we had previously installed from GitHub? Also, I see that there are a variety of rule templates in Sentinel that already depend on these (which is actually where I heard about ASIM in the first place). As new templates are added, will there be some kind of reference to the required version of the associated parsers?