Learning Path 9 - Lab 1 - Exercise 9 - Deploy ASIM parsers
Lab scenario
You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These parsers will be finalized at a later time following the Advanced Security Information Model (ASIM) Registry Event normalization schema reference.
Important: The lab exercises for Learning Path #9 are in a standalone environment. If you exit the lab before completing it, you will be required to re-run the configurations.
Estimated time to complete this lab: 30 minutes
Task 1: Deploy the Registry Schema ASIM parsers
In this task, you’ll review the Registry Schema parsers that are included with the Microsoft Sentinel deployment.
- Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.
- In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.
- In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.
- In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.
- In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.
- Select your Microsoft Sentinel Workspace.
- Select Logs under the General left menu.
- Open the Schema and Filter blade by selecting » if needed.
- Select the Functions tab (next to the Tables and Queries tabs). Hint: You might need to select the ellipsis icon (…) to select the tab.
- In the Search bar, type registry, and scroll down through the ASIM parser functions until you see _Im_RegistryEvent_MicrosoftWindowsEventxxx for Microsoft Windows under the Microsoft Sentinel heading.
Note: We’re using xxx in the ASIM parser function name to account for version changes. At the time this lab was updated the function was _Im_RegistryEvent_MicrosoftWindowsEventV02.
- Hover over the _Im_RegistryEvent_MicrosoftWindowsEventxxx ASIM function and then select Load the function code in the popup window.
- Review the KQL that parses Event ID 4657 to simplify your analysis of the data in the Microsoft Sentinel workspace.
Hint: Typing Ctrl+F in the code window brings up Find and makes searching for EventID: 4657 much easier.
- In Logs, open a new query tab.
- Go back to the Schema and Filter blade, hover over the _Im_RegistryEvent_MicrosoftWindowsEventxxx Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events, and then select Use in editor.
- Run the ASIM function query. If you’ve completed the previous lab exercises, you should see results and no error messages.
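The following KQL is an added example and is not part of the lab or of Microsoft's parser code. It reconciles the raw Security log rows for Event ID 4657 with what the ASIM parser returns, which is the check an analyst wants before building detections on the normalized view: a normalized count lower than the raw count means the parser dropped or failed to parse some events. The parser name is the V02 version named in the lab text; the starttime and endtime parameters follow the ASIM filtering-parser convention, and the assumption that the parser stores the original Event ID as a string in EventOriginalType is noted in the comments.

```kql
// Added example (not from the lab): reconcile raw Event ID 4657 rows with the
// ASIM-normalized registry events over the same window.
let lookback = 7d;
// Raw Security log: 4657 = "A registry value was modified"
let rawTotal = toscalar(
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4657
    | count);
// Same window through the ASIM filtering parser. starttime/endtime are the
// standard ASIM filtering parameters (assumed to be supported by this version).
_Im_RegistryEvent_MicrosoftWindowsEventV02(starttime=ago(lookback), endtime=now())
// EventOriginalType is assumed to hold the source Event ID as a string.
| where EventOriginalType == "4657"
// Normalized EventType values (e.g. RegistryValueSet) replace the raw EventID,
// so one summary shows how the parser classified the 4657 events.
| summarize NormalizedCount = count() by EventType
| extend RawTotal = rawTotal
// Any shortfall here is what you investigate before relying on the parser.
| extend Unparsed = RawTotal - toscalar(
    _Im_RegistryEvent_MicrosoftWindowsEventV02(starttime=ago(lookback), endtime=now())
    | where EventOriginalType == "4657"
    | count)
```

Run it in the same Logs query tab after the parser has been loaded; if the lab's earlier exercises generated registry events, RawTotal should match the sum of NormalizedCount across rows and Unparsed should be 0.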