This article is contributed. See the original author and article here.
Continuing our normalization journey, we added the Authentication, Process Events, and Registry Events schemas alongside the existing Networking and DNS schemas, and delivered normalized content based on them. We also added ARM template deployment and support for Microsoft Defender for Endpoint to the Network Schema.
Special thanks to @Yuval Naor, @Yaron Fruchtmann, and @Batami Gold, who made all this possible.
Why should you care?
Join us to learn more about the Azure Sentinel information model in two webinars:
Why normalization, and what is the Azure Sentinel Information Model?
Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, and write and maintain a separate set of analytics rules, workbooks, and hunting queries for each, even for sources that share commonalities (for example, different DNS servers). Correlating the different data types, which is necessary for investigation and hunting, is also tricky.
The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor-agnostic, industry-wide normalization. ASIM:
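To make the difference concrete, here is an added KQL example (not part of the original post or of the ASIM project's own content) that contrasts a source-specific hunting query against the same check written once over the ASIM DNS normalized view. It assumes the Windows DNS `DnsEvents` table with its native `Name`, `ClientIP` and `ResultCode` columns, and the ASIM `imDns` parser exposing the normalized `DnsQuery`, `SrcIpAddr`, `EventResult` and `EventProduct` fields; the suspicious-domain list is a constructed placeholder for a watchlist you would maintain yourself.

```kql
// Constructed watchlist of domains to look for (placeholder values, not real IoCs).
let watched_domains = dynamic(["example-bad.invalid", "lookup-test.invalid"]);
//
// 1) Source-specific version: tied to the Windows DNS Analytics schema.
//    A second DNS source (a firewall, a cloud resolver, an EDR) would need its
//    own copy of this query with different table and column names.
DnsEvents
| where TimeGenerated > ago(1d)
| where Name in~ (watched_domains)
| summarize Lookups = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by ClientIP, Name, ResultCode
| order by Lookups desc;
//
// 2) Normalized version: one query over every source that has an ASIM DNS parser.
//    The imDns parser unions the per-source parsers and maps their columns to the
//    common schema, so the detection logic is written once and EventProduct tells
//    you which source each row came from.
imDns
| where TimeGenerated > ago(1d)
| where DnsQuery in~ (watched_domains)
| summarize Lookups = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    Sources = make_set(EventProduct)
    by SrcIpAddr, DnsQuery, EventResult
| order by Lookups desc
```

The normalized form is what makes the analytics rules, workbooks and hunting queries mentioned above reusable: adding a new DNS source means adding a parser for it, not rewriting every query that asks "who looked up this domain?".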
Principal Product Manager, Azure Sentinel
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.