Advanced Security Information Model (ASIM) parsers in Microsoft Sentinel provide a unified way to query security data across multiple data sources using normalized schemas. ASIM parsers translate vendor-specific data into a common format, enabling analysts to write queries that work consistently regardless of the underlying data source.
ASIM parsers are built on Kusto Query Language (KQL) functions that normalize raw log data into standardized schemas. Microsoft Sentinel includes built-in parsers for common security scenarios including network sessions, DNS events, authentication events, process events, and file activity.
To use ASIM parsers effectively, you call the parser function in your KQL query rather than querying raw tables. For example, instead of querying the Syslog table for DNS data, you would use _Im_Dns(), which returns normalized DNS events from all configured sources. The underscore prefix indicates an ASIM parser, and 'Im' stands for Information Model.
ASIM parsers support filtering parameters to optimize query performance. You can pass parameters like starttime, endtime, srcipaddr, or domain_has_any to filter data at the parser level, reducing the amount of data processed. For instance: _Im_NetworkSession(starttime=ago(1d), dstportnumber=443) returns network sessions from the last day targeting port 443.
There are two types of ASIM parsers: unifying parsers that combine data from multiple sources, and source-specific parsers that normalize data from a single source. Unifying parsers are preferable for most detection rules and hunting queries because they provide comprehensive coverage.
Benefits of using ASIM parsers include simplified query writing, cross-source correlation, future-proof detection rules that automatically incorporate new data sources, and consistent field naming across different security products. When building custom analytics rules or workbooks, leveraging ASIM parsers ensures your content remains functional as your data sources evolve.
Query Microsoft Sentinel Data Using ASIM Parsers
Why ASIM Parsers Are Important
The Advanced Security Information Model (ASIM) is a critical component in Microsoft Sentinel that enables source-agnostic queries. In enterprise environments, security data comes from multiple vendors and sources, each with its own schema and field names. ASIM parsers normalize this data into a unified schema, allowing security analysts to write queries that work across all data sources rather than creating separate queries for each source.
What Are ASIM Parsers?
ASIM parsers are KQL functions that translate vendor-specific data into normalized schemas. They act as a translation layer between raw log data and your queries. Microsoft provides built-in parsers for common schemas including:
- imNetworkSession - Network connection events
- imDns - DNS query events
- imAuthentication - Authentication and sign-in events
- imProcessEvent - Process creation and termination
- imFileEvent - File system activities
- imWebSession - Web proxy and HTTP events
How ASIM Parsers Work
1. Unifying Parsers: These combine data from multiple sources. For example, imAuthentication normalizes sign-in data from Azure AD, Windows Security Events, and third-party sources into one unified view.
2. Source-Specific Parsers: Named with prefixes like vimAuthenticationAADSigninLogs, these parse data from individual sources.
3. Parameter Filtering: ASIM parsers accept parameters to filter data at query time, improving performance. Example: imAuthentication(starttime=ago(1d), targetusername_has='admin')
4. Schema Normalization: Raw fields are mapped to standard field names. For instance, different sources may call the username field 'User', 'AccountName', or 'UserPrincipalName', but ASIM normalizes these to 'TargetUsername'.
Using ASIM in Queries
To query normalized authentication events:

    imAuthentication
    | where EventResult == 'Failure'
    | summarize FailedAttempts = count() by TargetUsername, SrcIpAddr
This single query analyzes failed sign-ins across ALL connected authentication sources.
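The failed sign-in query above and the parser-level parameter filtering described earlier, carried one step further as an added example (this is not code from the original page or from Microsoft): it hunts for a single source address failing against many distinct accounts and then checks whether that address later succeeded anywhere. It assumes starttime and endtime are the parser's filtering parameters as the page states, that the field names are those of the ASIM Authentication schema, and that the 10-account threshold is a constructed tuning value.

```kql
// Added example, not from the original page. Assumptions: starttime/endtime
// are _Im_Authentication filtering parameters; field names follow the ASIM
// Authentication schema; accountThreshold is a constructed tuning value.
let lookback = 1d;
let window = 10m;
let accountThreshold = 10;
// Step 1: per source address and 10-minute window, count how many distinct
// accounts saw a failed sign-in. Filtering at the parser (starttime/endtime)
// happens before normalization, so every source is trimmed early.
let sprayers =
    _Im_Authentication(starttime=ago(lookback), endtime=now())
    | where EventResult == 'Failure'      // normalized result, not vendor codes
    | where isnotempty(SrcIpAddr) and isnotempty(TargetUsername)
    | summarize
        DistinctAccounts = dcount(TargetUsername),
        FailedAttempts   = count(),
        SampleAccounts   = make_set(TargetUsername, 20),
        // EventVendor/EventProduct show which sources fed the unified view
        Sources          = make_set(strcat(EventVendor, '/', EventProduct)),
        FirstSeen        = min(TimeGenerated),
        LastSeen         = max(TimeGenerated)
        by SrcIpAddr, Window = bin(TimeGenerated, window)
    | where DistinctAccounts >= accountThreshold;
// Step 2: did any of those addresses also get a successful sign-in in the
// same lookback period? Same parser, same normalized fields, any source.
_Im_Authentication(starttime=ago(lookback), endtime=now())
| where EventResult == 'Success'
| where SrcIpAddr in ((sprayers | project SrcIpAddr))
| project TimeGenerated, SrcIpAddr, TargetUsername, LogonMethod,
          EventVendor, EventProduct
| join kind=inner (sprayers | project SrcIpAddr, DistinctAccounts,
                              FailedAttempts, SampleAccounts, Sources)
    on SrcIpAddr
| order by TimeGenerated desc
```

Run the sprayers block on its own first to tune accountThreshold for your environment before adding the success join.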
Exam Tips: Answering Questions on ASIM Parsers
1. Remember the 'im' Prefix: Unifying parsers use the 'im' prefix (imDns, imNetworkSession). Source-specific parsers use the 'vim' prefix.
2. Know Common Schemas: Be familiar with Authentication, Network Session, DNS, Process Event, and File Event schemas as these are frequently tested.
3. Understand Benefits: When asked why to use ASIM, emphasize source-agnostic querying, simplified analytics rules, and future-proofing when new data sources are added.
4. Parameter Usage: Remember that passing parameters to parsers (like time ranges) improves query performance by filtering early.
5. Custom Parsers: Know that organizations can create custom ASIM parsers for unsupported data sources using KQL functions.
6. Scenario Questions: If asked about querying multiple firewall vendors simultaneously, ASIM is the answer. If asked about normalizing data from various sources, ASIM is the solution.
7. Field Names: ASIM uses standardized field names like SrcIpAddr, DstIpAddr, TargetUsername, ActorUsername, and EventResult. Recognize these in exam questions.
8. Built-in Content: Microsoft Sentinel's built-in analytics rules and workbooks increasingly use ASIM parsers for broader coverage.