Using the Microsoft Sentinel Information Model Process Events Schema ASIM 

CraigCloudITPro
1.6K views

Using the Azure Sentinel Information Model Process Events Schema ASIM
--------------------------------------------------------------------------------------------------
🔔 Subscribe and ring the bell to get notified when I post a video!
🔴 Check out my blog 🔴
craigclouditpr...
🔥 Social Media 🔥
🐥 Twitter: / craigclouditpro
📸 Instagram: / craigclouditpro
📩 LinkedIn: / craig-fretwell
🎵Outro music on the video by Spojaz
Azure Sentinel, threat intelligence, ASIM, Azure Information model query parsing, mastering analytics,hunting, azure sentinel hunting, detection, hacking, azure analytic rules, lolbas, binaries and scripts detections, threat hunting malware, security hacking, azure sentinel hacking, blue team azure sentinel, red team sentinel, analytics, splunk, use cases, detection rule creation, azure security mappings

Published: 16 Aug 2024

Comments: 7
@olafhoogstad446, 1 month ago
Hi Craig, first of all, thank you so much for your videos, they really help me understand a lot on the SC-200 course and exam I am currently studying for! If I understand correctly, for parsers there are (generally speaking) the following types:
_Im_ = Built-in UNIFYING parser
Im = Built-in WORKSPACE DEPLOYED parser
_Im__ = Built-in SOURCE-SPECIFIC parser
vim = WORKSPACE-DEPLOYED SOURCE SPECIFIC parser
A corresponding set of parsers that use _ASim_ and ASim are also available. It is not completely clear to me when to use these last parsers, actually. Could you (or someone else of course) help me out please? Thank you :)
@CraigCloudITPro, 14 days ago
Hi Olaf, thank you for your kind words! I'm glad my videos have been helpful to you in your SC-200 course and exam preparation. To clarify your understanding of parsers in Microsoft Sentinel:
• Im: Built-in UNIFYING parser.
• Im: Built-in WORKSPACE DEPLOYED parser.
• Im_: Built-in SOURCE-SPECIFIC parser.
• vim: WORKSPACE-DEPLOYED SOURCE SPECIFIC parser.
When to use ASIM parsers:
• Use ASim when you need a built-in unifying parser for a specific schema across different sources. This helps in normalizing data from various sources into a common schema.
• Use ASim for workspace-deployed parsers that are customized for your specific environment and use cases. These are useful when you have specific log sources that require customized parsing rules.
These ASIM parsers are especially valuable when dealing with complex environments with multiple data sources, as they help in unifying and simplifying the analysis process. I hope this helps! Let me know if you have any more questions.
@travelmore9626, 2 years ago
Thanks for sharing this info Craig. Why do some KQL functions begin with "im" and others with "vim"? What do these stand for? Thanks
@CraigCloudITPro, 2 years ago
Hey TravelMore, very good question and quite tricky as well. So "im" means Source Agnostic; for example, the im source-agnostic parser name would be imDns. Then "vim" is Source Specific, for example vimDnsAzureFirewall or vimDnsGcp (so these are all the parsers contained inside the imDns parser). I hope that answers your question :)
@travelmore9626, 2 years ago
@CraigCloudITPro ahh that makes sense and a sensible way of differentiating. Cheers Craig!
@MultiRam73, 1 month ago
Hats off to you Craig! It was mind-blowing the way you simplified the whole jargon. I feel so rich with the knowledge you shared here; I was so poor before this class.
@CraigCloudITPro, 1 month ago
@MultiRam73 thank you so much for your kind words :)