I thought I'd write some tips, tricks, and notes on how to build out an effective parser for your Sentinel Workspace.
There are a heap of GitHub repos out there that have a bunch of pre-built parsers available for your consumption and can be easily added to your workspace within a few clicks.
Things to keep in mind when working with parsers are:
What datasource are you trying to apply a structure to?
Is there a parser already available that you can steal? (yes, I encourage it; it really really helps with learning this)
Have you checked whether your datasource has already been added to the ASIM model?
What is a Parser?
Parsers are a way to shape data that has been ingested into Sentinel into usable, readable, and better-formatted information for your security team. Within Microsoft Sentinel, the feature is called a "Function."
What do they do?
Functions under the hood within Microsoft Sentinel are just saved queries using KQL that are stored within the Sentinel workspace. You can use "Functions" to provide different solutions within your environment depending on the use cases you might have for structuring data.
Where do I find Parsers in Microsoft Sentinel?
Parsers are easy to find within any Sentinel workspace. To see what you currently have, select Microsoft Sentinel > Your Workspace > Logs > Functions.
How do I setup a Microsoft Sentinel Parser?
So, to set one up, you first need to identify your use case for parsing information into a more structured format. Once you have a use case, create your KQL query and follow the steps below to save it:
Create your Parser, then select Save > Save as function
A Save as function box will appear to save your parser under a given name. Remember that whatever name you give it here will be the table name that you query within Sentinel.
Fill in the appropriate details as seen above:
Legacy Category is the old method of categorizing parsers within Sentinel and can still be used to search if you have many parsers.
Parameters are used to pass additional information into your parser (for example a lookback window) and are declared in this dialog, then referenced by name in the query body.
Once saved, use the name of your parser as the table name within Microsoft Sentinel, and you will be able to see your Parser in action.
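As an added example that is not from the original post: a hypothetical parser over the built-in Syslog table that pulls sshd logon attempts into structured columns, written to be saved via Save > Save as function. The function name SshAuthEvents, the lookback parameter (declared as a timespan defaulting to 1d in the Save as function dialog) and the output column names are my assumptions, not anything the post prescribes.

```kusto
// Added example, not from the original post. Assumed function name:
// SshAuthEvents. Assumed parameter (declared in the Save as function
// dialog, not in the body): lookback:timespan = 1d.
Syslog
| where TimeGenerated > ago(lookback)
| where ProcessName == "sshd"
// Only the two sshd message shapes this parser understands, e.g. (constructed samples)
//   "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:..."
//   "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
| where SyslogMessage startswith "Accepted" or SyslogMessage startswith "Failed"
| extend EventResult = iff(SyslogMessage startswith "Accepted", "Success", "Failure")
// The authentication method is the second word: publickey, password, keyboard-interactive, ...
| extend LogonMethod = extract(@"^(?:Accepted|Failed) (\S+) for ", 1, SyslogMessage)
// sshd inserts "invalid user " when the account does not exist; keep that as a flag
| extend TargetUserIsInvalid = SyslogMessage has "invalid user"
| extend TargetUsername = extract(@" for (?:invalid user )?(\S+) from ", 1, SyslogMessage)
| extend SrcIpAddr = extract(@" from (\S+) port ", 1, SyslogMessage)
| extend SrcPortNumber = extract(@" port (\d+)", 1, SyslogMessage, typeof(int))
// Drop rows that matched the prefix but not the full shape, so consumers never see empty key fields
| where isnotempty(TargetUsername) and isnotempty(SrcIpAddr)
| project TimeGenerated, Computer, EventResult, LogonMethod, TargetUsername,
          TargetUserIsInvalid, SrcIpAddr, SrcPortNumber, SyslogMessage
// Once saved, the function name is the "table" you query, and the parameter can be overridden:
//   SshAuthEvents(lookback=7d)
//   | where EventResult == "Failure"
//   | summarize Attempts = count(), Accounts = dcount(TargetUsername) by SrcIpAddr
//   | where Attempts > 20
```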
NOTE: Keep the ASIM model created by Microsoft in mind when working with parsers. It will help you categorize and structure your parsers and information within Sentinel into normalized tables. I'll do a separate blog on that, because it is a big subject :)