Skip to content

Commit

Permalink
Merge pull request #288 from KenMAG/master
Browse files Browse the repository at this point in the history 
Resolves issue#260 ASIM parsers lab
  • Loading branch information
@KenMAG
KenMAG authored Jun 7, 2024
2 parents ffceb92 + b62710e commit 417068d
Showing 1 changed file with 17 additions and 19 deletions.
36 changes: 17 additions & 19 deletions Instructions/Labs/LAB_AK_07_Lab1_Ex9_ASIM.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,64 +10,62 @@ lab:

![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod7_L1_Ex9.png)

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These simplified parsers will be finalized at a later time following the [Advanced Security Information Model (ASIM) Registry Event normalization schema reference](https://docs.microsoft.com/en-us/azure/sentinel/registry-event-normalization-schema).
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These parsers will be finalized at a later time following the [Advanced Security Information Model (ASIM) Registry Event normalization schema reference](https://docs.microsoft.com/en-us/azure/sentinel/registry-event-normalization-schema).

>**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Create%20Advanced%20Security%20Information%20Model%20Parsers)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.
### Task 1: Deploy the Registry Schema ASIM parsers

In this task, you will deploy the Registry Schema parsers from the Microsoft Sentinel GitHub repository.
In this task, you'll review the Registry Schema parsers that are included with the Microsoft Sentinel deployment.

1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**.

1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.
1. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.

1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**.
1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**.

1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**.
1. In the **Enter password** dialog box, copy, and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**.

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace you created earlier.

1. In the Edge browser, open a new tab (Ctrl+T) and navigate to the Microsoft Sentinel GitHub ASIM page <https://github.com/Azure/Azure-Sentinel/tree/master/ASIM>.
<!--- 1. In the Edge browser, open a new tab (Ctrl+T) and navigate to the Microsoft Sentinel GitHub ASIM page <https://github.com/Azure/Azure-Sentinel/tree/master/ASIM>.
<!--- 1. On the right pane, select the **Onboard community content** link. This will open a new tab in the Edge Browser for Microsoft Sentinel GitHub content. **Hint:** You might need to scroll right to see the link. Alternatively, follow this link instead: [Microsoft Sentinel on GitHub](https://github.com/Azure/Azure-Sentinel). --->
1. On the right pane, select the **Onboard community content** link. This will open a new tab in the Edge Browser for Microsoft Sentinel GitHub content. **Hint:** You might need to scroll right to see the link. Alternatively, follow this link instead: [Microsoft Sentinel on GitHub](https://github.com/Azure/Azure-Sentinel).
>**Note:** In the **ASIM** folder you can deploy templates that contain all ASIM parsers, but we will only focus on the Registry Schema.
1. Scroll down and next to **Registry**, select the **Deploy to Azure** button.
<!--- 1. Scroll down and next to **Registry Event**, select the **Deploy to Azure** button.
1. For *Resource Group*, select **RG-Defender** where your Sentinel workspace resides.
1. For *Workspace*, type your Sentinel workspace name, like *uniquenameDefender*.
1. Leave the other default values and select **Review + create**.
1. Select **Create** to deploy the template. Notice the Names of the different resources.
1. Select **Create** to deploy the template. Notice the Names of the different resources.
1. After the deployment completes return to the *Microsoft Sentinel* tab.
1. After the deployment completes return to the *Microsoft Sentinel* tab. --->

1. Select **Logs** under the *General* left menu.

1. Open the *Schema and Filter* blade by selecting **>>** if needed.

1. Select the **Functions** tab (next to the Tables and Queries tabs). **Hint:** You might need to select the ellipsis icon **(...)** to select the tab.

1. Expand **Workspace functions**. Notice that the names correspond to the templates you just deployed.
1. In the *Search* bar type **registry**, and scroll down through the ASIM parser functions until you see the following *_Im_RegistryEvent_MicrosoftWindowsEventxxx*for Microsoft Windows under the *Microsoft Sentinel* heading.

1. Hover over the **vimRegistryEventMicrosoftSecurityEvents** *workspace parser* and then select **Load the function code** in the popup window.
>**Note:** We're using the xxx in the ASIM parser function name to account for version changes. At the time this lab was updated the function was _Im_RegistryEvent_MicrosoftWindowsEvent*V02*.
1. Review the KQL that is parsing the Event ID 4657 to simplifying your analysis of the data in the Microsoft Sentinel workspace.

1. **Run** the query. You should not get any results nor errors, it is just for validation purposes.
1. Hover over the **_Im_RegistryEvent_MicrosoftWindowsEventxxx** ASIM function and then select **Load the function code** in the popup window.

1. Go back to the *Schema and Filter* blade and now hover the **inRegistry** *unifying parser* and then select **Load the function code**.
1. Review the KQL that is parsing the Event ID 4657 to simplifying your analysis of the data in the Microsoft Sentinel workspace.

1. Notice that the unifying parsers uses the *union* operator to run all the workspace parsers at once. If you develop a parser for the Registry Schema you will need to add it here.
>**Hint:** Typing ctrl+f in the code window brings up *Find* and makes searching for *EventID: 4657* much easier.
1. **Run** the query. You should not get any result nor errors, it is just for validation purposes.
1. Go back to the *Schema and Filter* blade and now hover the **_Im_RegistryEvent_MicrosoftWindowsEventxxx** *Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events* and then select **Use in editor**.

1. This unifying parser can now be used for Analytic Rules or Hunting Queries.
1. **Run** the ASIM function query. You shouldn't get any result nor errors, it's just for validation purposes.

## Proceed to Exercise 10

0 comments on commit 417068d

Please sign in to comment.