Closed dave-007 closed 1 month ago
Hi @dave-007, I'll review this.
@KenMAG This seems to be a problem with the deployment of the parser. We might need to either skip this lab and inform the GitHub ASIM repo owner or create our own parser for the matter.
I can't get the deployment to work without blowing up.
I submitted an issue/bug - https://github.com/Azure/Azure-Sentinel/issues/10481
@dave-007 @KenMAG we have this parser available for 'Registry' based SecurityEvent logs => https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftWindowsEvent.yaml
[like] Ken Lawson reacted to your message:
From: Varun Kohli, Sent: Wednesday, May 15, 2024 10:19:03 AM, Subject: Re: [MicrosoftLearning/SC-200T00A-Microsoft-Security-Operations-Analyst] Learning Path 7 - Lab 1 - Exercise 9 - Deploy ASIM parsers, cannot find vimRegistryEventMicrosoftSecurityEvent (Issue #260)
we have this parser available for 'Registry' based SecurityEvent logs => https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftWindowsEvent.yaml
So as noted, we need to start using vimRegistryEventMicrosoftWindowsEvent. It is parsing security events too. The question is, does it get loaded by default or not?
It's deployed as part of the out-of-the-box Sentinel functions. Check your Sentinel workspace for the function name _Im_RegistryEvent_MicrosoftWindowsEvent
Hi @vakohl, I am seeing __Im_RegistryEventMicrosoftWindowsEventV02 in new Sentinel instances. Is that what you recommend we use in training? Or would it be more appropriate to use something like __Im_RegistryEventMicrosoftWindowsEvent* without a version? Thanks!
Contact Details
david@cobbinfotech.com
What happened?
Description of issue:
Learning Path 7 - Lab 1 - Exercise 9 - Deploy ASIM parsers, Task 1, step 19: Cannot hover over the workspace function vimRegistryEventMicrosoftSecurityEvents; it doesn't show. It has been removed from the project, see: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftSecurityEvent.yaml
As a replacement, can we possibly use the parser named vimRegistryEventMicrosoftWindowsEvent to parse EventID == 4657? Found this on the parser list page here (Control-F search for 4657):
https://github.com/Azure/Azure-Sentinel/blob/master/ASIM/ASIM%20parsers%20list.md
Lab
Lab 08 Exercise 01 Perform Threat Hunting in Microsoft Sentinel
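The thread settles on vimRegistryEventMicrosoftWindowsEvent (workspace function _Im_RegistryEvent_MicrosoftWindowsEvent) as the replacement for the removed SecurityEvent-specific registry parser, and the open question is whether it really covers EventID 4657 from the SecurityEvent table. The KQL below is an added example for checking that in your own workspace; it is not from the thread, the lab, or the Azure-Sentinel repository. Assumptions: the function alias is the one named in the thread (substitute the versioned alias, e.g. ...V02, if that is what your workspace lists), the parser accepts the standard ASIM filtering parameters starttime, endtime and eventtype_in, 4657 ("a registry value was modified") is normalized to EventType RegistryValueSet, and the original event ID is exposed as EventOriginalType.

```kusto
// Added example (not the lab's or the ASIM project's own query).
// Compares what the ASIM registry parser returns for EventID 4657 with
// the raw SecurityEvent table over the same window. If the two rows agree,
// the parser is reading SecurityEvent as the thread claims.
let lookback = 1d;
// Assumed function alias and parameter names; adjust to what the
// workspace's Functions list shows (e.g. a V02-suffixed alias).
let parsed = _Im_RegistryEvent_MicrosoftWindowsEvent(
        starttime = ago(lookback),
        endtime = now(),
        eventtype_in = dynamic(["RegistryValueSet"]))   // 4657 -> RegistryValueSet (assumption)
    | where EventOriginalType == "4657"                 // original event ID as string (assumption)
    | summarize Events = count(), Hosts = dcount(DvcHostname)
    | extend Source = "ASIM parser (_Im_RegistryEvent_MicrosoftWindowsEvent)";
let raw = SecurityEvent
    | where TimeGenerated > ago(lookback) and EventID == 4657
    | summarize Events = count(), Hosts = dcount(Computer)
    | extend Source = "SecurityEvent raw";
raw
| union parsed
| project Source, Events, Hosts
```

If both rows return zero, that is usually a collection problem rather than a parser problem: 4657 is only generated when the "Audit Registry" subcategory (Object Access) is enabled and the key carries a SACL, so the lab exercise needs a host that actually emits the event. Once the counts line up, drop the summarize in the parser branch and project the normalized fields (DvcHostname, ActorUsername, RegistryKey, RegistryValue, RegistryValueData) for the hunting step.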