Continuing our normalization journey, we now add the file activity schema.
Why should you care?
In addition to the general ASIM advantages (cross-source analytics, source-agnostic rules, and ease of use), the File Activity schema lets you write rules that span endpoint, server, and cloud activity. We have included parsers for Sysmon, Microsoft 365 Defender for Endpoint, SharePoint, OneDrive, and Azure Storage. For example:
- Analyzing file activity is instrumental for ransomware detection. Now your on-prem ransomware analytics can secure cloud workloads.
- When looking for malware leftovers, you will find them on the affected endpoints and on cloud services that may have served to spread them.
Read more about the Azure Sentinel Information Model and the File Activity schema, and deploy the File Activity parser packs in a single click using an ARM template.
Join us to learn more about the Azure Sentinel information model in two webinars:
- The Information Model: Understanding Normalization in Azure Sentinel: Presentation, YouTube.
- Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content: next week, register here.
Special thanks to @Yaron Fruchtmann, who made all this possible.
Why normalization, and what is the Azure Sentinel Information Model?
Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, and write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types, which investigation and hunting require, is also tricky.
The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor-agnostic, industry-wide normalization. ASIM:
- Allows source-agnostic content and solutions
- Simplifies analyst use of the data in Sentinel workspaces
The current implementation is based on query-time normalization using KQL functions and includes the following:
- Normalized schemas cover standard sets of predictable event types that are easy to work with and to build unified capabilities on. A schema defines which fields represent an event, a normalized column naming convention, and a standard format for the field values.
- Parsers map existing data to the normalized schemas. Parsers are implemented using KQL functions.
- Content for each normalized schema includes analytics rules, workbooks, hunting queries, and additional content. This content works on any normalized data without the need to create source-specific content.
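To make the three layers concrete, here is an added KQL example written for this post (not a parser from the ASIM packs): it inlines a small Sysmon File Activity parser as a `let` over constructed Event rows, then runs a source-agnostic burst detection that touches only schema columns. The schema column names (EventType, TargetFilePath, ActorUsername and the rest), the Sysmon event IDs, and the detection threshold are assumptions to verify against the published schema before reuse.

```kql
// Constructed stand-in for the Log Analytics Event table: two Sysmon FileCreate
// (ID 11) rows and one FileDelete (ID 23) row, shaped like agent-forwarded events.
let SysmonSample = datatable(TimeGenerated:datetime, Computer:string, Source:string, EventID:int, EventData:string)
[
  datetime(2021-06-01 10:00:00), "ws01.contoso.local", "Microsoft-Windows-Sysmon", 11,
    @'<EventData><Data Name="Image">C:\Users\alice\AppData\Local\Temp\enc.exe</Data><Data Name="TargetFilename">C:\Users\alice\Documents\q1.xlsx.locked</Data><Data Name="User">CONTOSO\alice</Data></EventData>',
  datetime(2021-06-01 10:00:05), "ws01.contoso.local", "Microsoft-Windows-Sysmon", 11,
    @'<EventData><Data Name="Image">C:\Users\alice\AppData\Local\Temp\enc.exe</Data><Data Name="TargetFilename">C:\Users\alice\Documents\plan.docx.locked</Data><Data Name="User">CONTOSO\alice</Data></EventData>',
  datetime(2021-06-01 10:00:09), "ws01.contoso.local", "Microsoft-Windows-Sysmon", 23,
    @'<EventData><Data Name="Image">C:\Users\alice\AppData\Local\Temp\enc.exe</Data><Data Name="TargetFilename">C:\Users\alice\Documents\q1.xlsx</Data><Data Name="User">CONTOSO\alice</Data></EventData>'
];
// Parser layer: pull the Sysmon-specific fields out of EventData and emit only
// File Activity schema columns. Column names are assumed from the ASIM FileEvent
// schema; in a workspace this block would be saved as a KQL function instead.
let SysmonFileEvents = SysmonSample
| where Source == "Microsoft-Windows-Sysmon" and EventID in (11, 23)
| extend
    EventType = case(EventID == 11, "FileCreated", EventID == 23, "FileDeleted", "Other"),
    EventResult = "Success",
    EventVendor = "Microsoft",
    EventProduct = "Sysmon",
    EventCount = int(1),
    DvcHostname = Computer,
    ActorUsername = extract(@'<Data Name="User">([^<]*)</Data>', 1, EventData),
    ActingProcessName = extract(@'<Data Name="Image">([^<]*)</Data>', 1, EventData),
    TargetFilePath = extract(@'<Data Name="TargetFilename">([^<]*)</Data>', 1, EventData)
| extend TargetFileName = tostring(split(TargetFilePath, @'\')[-1])
| project TimeGenerated, EventType, EventResult, EventVendor, EventProduct, EventCount,
          DvcHostname, ActorUsername, ActingProcessName, TargetFilePath, TargetFileName;
// Content layer: a ransomware-style burst of newly created files sharing one
// unfamiliar extension, per host and user in 5-minute bins. Because it reads only
// schema columns, the same query runs unchanged over any File Activity parser.
SysmonFileEvents
| where EventType == "FileCreated"
| extend Extension = tostring(split(TargetFileName, ".")[-1])
| summarize NewFiles = dcount(TargetFilePath), Processes = make_set(ActingProcessName, 3)
    by DvcHostname, ActorUsername, Extension, bin(TimeGenerated, 5m)
| where NewFiles >= 2 and Extension in ("locked", "encrypted")  // constructed threshold and list
```

On the sample rows the final query returns one row for ws01.contoso.local / CONTOSO\alice with Extension "locked" and NewFiles 2; swapping SysmonFileEvents for a Defender for Endpoint or Azure Storage parser requires no change to the detection.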