Advanced Security Information Model (ASIM) Parsers
ASIM parsers in general have two variants:
A parameter variant
A parameter-less variant
See List of Microsoft Sentinel Advanced Security Information Model (ASIM) parsers.
Audit Parser
This parser queries the Illumio_Auditable_Events_CL custom table. It supports the following parser arguments:
starttime
endtime
srcipaddr_has_any_prefix
actorusername_has_any
eventtype_in
eventresult
operation_has_any
object_has_any
newvalue_has_any
disabled
See The Advanced Security Information Model (ASIM) Audit Events normalization schema reference for the ASIM audit schema.
Network Session Parser
This parser queries the Illumio_Flow_Events_CL custom table. It supports the following parser arguments:
starttime
endtime
srcipaddress_has_any_prefix
dstipaddr_has_any_prefix
ipaddr_has_any_prefix
dstportnumber
hostname_has_any
dvcaction
eventresult
disabled
See The Advanced Security Information Model (ASIM) Network Session normalization schema reference for the ASIM network session schema.
Authentication Parser
This parser queries the Illumio_Auditable_Events_CL custom table and selects authentication-related events such as:
user.signin
user.login
user.sign_out
user.logout
user.authenticate
user.use_expired_password
It supports the following parser arguments:
starttime
endtime
username_has_any
targetappname_has_any
srchostname_has_any
srcipaddr_has_any_prefix
eventtype_in
eventresultdetails_in
eventresult
disabled
See The Advanced Security Information Model (ASIM) Authentication normalization schema reference for the ASIM authentication schema.
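As an added example (not part of the Illumio documentation), the two invocation styles named at the top of this page applied to the authentication parser: the parameter variant pushes the filters into the parser, the parameter-less variant filters the normalized output afterwards. It assumes the Illumio authentication parser is registered with the built-in _Im_Authentication unifying parser, which accepts the same parameter list (substitute the Illumio-specific parser function name if you call it directly); the IP prefixes and the failure threshold are constructed sample values.

```kusto
// Parameter variant: filters are evaluated inside the parser, so only the
// matching rows of Illumio_Auditable_Events_CL are normalized.
// eventtype_in and eventresult take ASIM schema values ('Logon', 'Failure'),
// not the raw Illumio event names (user.signin, user.login, ...).
let lookback = 1d;
let watched_prefixes = dynamic(['10.', '192.168.']);   // constructed sample prefixes
_Im_Authentication(
    starttime = ago(lookback),
    endtime = now(),
    eventtype_in = dynamic(['Logon']),
    eventresult = 'Failure',
    srcipaddr_has_any_prefix = watched_prefixes,
    disabled = false
)
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            ResultDetails = make_set(EventResultDetails, 10)
    by SrcIpAddr, TargetUsername
| where Failures >= 5          // constructed threshold for repeated failed logons
| order by Failures desc;

// Parameter-less variant: same result set, but every row in the time range is
// normalized first and filtered afterwards, which costs more on large tables.
_Im_Authentication
| where TimeGenerated between (ago(1d) .. now())
| where EventType == 'Logon' and EventResult == 'Failure'
| where has_any_ipv4_prefix(SrcIpAddr, dynamic(['10.', '192.168.']))
| summarize Failures = count() by SrcIpAddr, TargetUsername
| where Failures >= 5
| order by Failures desc
```

Run the two halves separately; the first form is the one to prefer in scheduled analytics rules because the time and IP filters reach the underlying table.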