Learning Path 7 - Lab 1 - Exercise 9 - Deploy ASIM parsers

Lab scenario

Lab overview.

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These simplified parsers will be finalized at a later time following the Advanced Security Information Model (ASIM) Registry Event normalization schema reference.

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

Task 1: Deploy the Registry Schema ASIM parsers

In this task, you will deploy the Registry Schema parsers from the Microsoft Sentinel GitHub repository.

  1. Log in to the WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  6. Select the Microsoft Sentinel workspace you created earlier.

  7. In the Edge browser, open a new tab (Ctrl+T) and navigate to the Microsoft Sentinel GitHub ASIM page https://github.com/Azure/Azure-Sentinel/tree/master/ASIM.

    Note: In the ASIM folder you can deploy templates that contain all ASIM parsers, but we will only focus on the Registry Schema.

  8. Scroll down and next to Registry, select the Deploy to Azure button.

  9. For Resource Group, select RG-Defender where your Sentinel workspace resides.

  10. For Workspace, type your Sentinel workspace name, like uniquenameDefender.

  11. Leave the other default values and select Review + create.

  12. Select Create to deploy the template. Notice the Names of the different resources.

  13. After the deployment completes, return to the Microsoft Sentinel tab.

  14. Select Logs under the General left menu.

  15. Open the Schema and Filter blade by selecting » if needed.

  16. Select the Functions tab (next to the Tables and Queries tabs). Hint: You might need to select the ellipsis icon (…) to select the tab.

  17. Expand Workspace functions. Notice that the names correspond to the templates you just deployed.

  18. Hover over the vimRegistryEventMicrosoftSecurityEvents workspace parser and then select Load the function code in the popup window.

  19. Review the KQL that parses Event ID 4657 to simplify your analysis of the data in the Microsoft Sentinel workspace.

  20. Run the query. You should get neither results nor errors; the run is only for validation.

  21. Go back to the Schema and Filter blade, hover over the imRegistry unifying parser, and then select Load the function code.

  22. Notice that the unifying parser uses the union operator to run all the workspace parsers at once. If you develop a parser for the Registry Schema, you will need to add it here.

  23. Run the query. You should get neither results nor errors; the run is only for validation.

  24. This unifying parser can now be used for Analytic Rules or Hunting Queries.
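As an added illustration of what steps 19 to 22 describe (this is not the repository's deployed code), the following KQL sketches a simplified source parser for Event ID 4657 over the SecurityEvent table and a simplified unifying parser that unions it with the parser deployed in Task 1. The deployed function name is taken from this lab, the ASIM field names from the Registry Event schema reference, and the schema version value is an assumption to verify there.

```kql
// Added example, not the deployed repository code. SecurityEvent column names are the
// documented ones; ASIM field names follow the Registry Event schema reference.
let vimRegistryEventCustom4657 = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)) {
    SecurityEvent
    | where isnull(starttime) or TimeGenerated >= starttime
    | where isnull(endtime) or TimeGenerated <= endtime
    | where EventID == 4657
    // 4657 reports the operation as a message resource id; map it to the ASIM EventType values
    | extend EventType = case(
        OperationType == "%%1904", "RegistryValueSet",      // a new value was added
        OperationType == "%%1905", "RegistryValueSet",      // an existing value was modified
        OperationType == "%%1906", "RegistryValueDeleted",  // a value was deleted
        "RegistryValueSet")
    // 4657 uses kernel hive names (\REGISTRY\MACHINE); the schema expects the HKEY_ form
    | extend RegistryKey = replace_string(replace_string(ObjectName,
        @"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"), @"\REGISTRY\USER", "HKEY_USERS")
    | extend
        EventCount = int(1),
        EventSchema = "RegistryEvent",
        EventSchemaVersion = "0.1.2",   // assumption: verify against the schema reference
        EventVendor = "Microsoft",
        EventProduct = "Security Events",
        EventResult = "Success",
        EventOriginalType = tostring(EventID),
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        Dvc = Computer,
        DvcHostname = Computer,
        ActorUsername = strcat(SubjectDomainName, @"\", SubjectUserName),
        ActorUsernameType = "Windows",
        ActingProcessName = ProcessName,
        ActingProcessId = tostring(ProcessId),
        RegistryValue = ObjectValueName,
        RegistryValueType = NewValueType,
        RegistryValueData = NewValue,
        RegistryPreviousValueType = OldValueType,
        RegistryPreviousValueData = OldValue
};
// Simplified unifying parser: like the deployed imRegistry, it unions every source parser
// so content written against the schema sees all of them. A new source parser is added here.
let imRegistryCustom = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)) {
    union isfuzzy=true
        vimRegistryEventMicrosoftSecurityEvents(starttime, endtime),  // parser deployed in Task 1
        vimRegistryEventCustom4657(starttime, endtime)
};
// Validation run over the last day, grouped by normalized fields
imRegistryCustom(ago(1d), now())
| summarize Events = count() by EventType, RegistryKey, ActorUsername
```

Running it in Logs with no registry auditing enabled returns no rows and no errors, which matches the validation runs in steps 20 and 23.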

Proceed to Exercise 10