MicrosoftLearning / SC-200T00A-Microsoft-Security-Operations-Analyst

MIT License

Learning Path 7 - Lab 1 - Exercise 9 - Deploy ASIM parsers, cannot find vimRegistryEventMicrosoftSecurityEvent #260

Closed dave-007 closed 1 month ago

dave-007 commented 4 months ago

Contact Details

david@cobbinfotech.com

What happened?

Description of issue:

Learning Path 7 - Lab 1 - Exercise 9 - Deploy ASIM parsers, Task 1, step 19: Cannot hover over the workspace function vimRegistryEventMicrosoftSecurityEvents; it doesn't show, it has been removed from the project, see: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftSecurityEvent.yaml As a replacement, can we possibly use the parser named vimRegistryEventMicrosoftWindowsEvent to parse EventID == 4657?

Found this on the parser list page here (Control-F search for 4657): https://github.com/Azure/Azure-Sentinel/blob/master/ASIM/ASIM%20parsers%20list.md

Lab

Lab 08 Exercise 01 Perform Threat Hunting in Microsoft Sentinel


KenMAG commented 4 months ago

Hi @dave-007, I'll review this.

MSFT-MarcoEs commented 2 months ago

@KenMAG This seems to be a problem with the deployment of the parser. We might need to either skip this lab and inform the GitHub ASIM repo owner or create our own parser for the matter.

KenMAG commented 1 month ago

I can't get the deployment to work without blowing up.

KenMAG commented 1 month ago

I submitted an issue/bug - https://github.com/Azure/Azure-Sentinel/issues/10481

vakohl commented 1 month ago

@dave-007 @KenMAG we have this parser available for 'Registry' based SecurityEvent logs=> https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftWindowsEvent.yaml

KenMAG commented 1 month ago

[like] Ken Lawson reacted to your message:


KenMAG commented 1 month ago

So as noted, we need to start using vimRegistryEventMicrosoftWindowsEvent. It is parsing security events too. The question is does it get loaded by default or not?

vakohl commented 1 month ago

> So as noted, we need to start using vimRegistryEventMicrosoftWindowsEvent. It is parsing security events too. The question is does it get loaded by default or not?

It's deployed as part of the out-of-the-box Sentinel functions. Check your Sentinel workspace for the function name _Im_RegistryEvent_MicrosoftWindowsEvent
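As an added illustration (not part of this thread or of the course lab), the two queries below show what the replacement means in practice: the raw `SecurityEvent` filter for EventID 4657 that the original lab step targeted, and the same data read through the built-in function vakohl names. The `SecurityEvent` column names (`ObjectName`, `ObjectValueName`) are those of the standard Sentinel table; the normalized column names (`EventType`, `RegistryKey`, `DvcHostname`) are assumed from the ASIM RegistryEvent schema and should be confirmed against the parser's output in your workspace.

```kql
// Added example, not from this thread. Run each part as a separate query.

// Part 1: raw Security events, registry value modified (EventID 4657), last 24 hours
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4657
| project TimeGenerated, Computer, Account, ObjectName, ObjectValueName
| take 10

// Part 2: the same events through the out-of-the-box ASIM function.
// If the function is not deployed, this query fails to resolve the name,
// which is itself the quick check for "is it loaded by default?".
// Column names are assumptions based on the ASIM RegistryEvent schema.
_Im_RegistryEvent_MicrosoftWindowsEvent
| where TimeGenerated > ago(1d)
| summarize Events = count() by EventType, DvcHostname, RegistryKey
| order by Events desc
| take 10
```

Part 2 is what a hunting query in the lab should reference, because a detection written against the normalized columns keeps working when the underlying parser is revised, whereas a query pinned to a specific parser version or to the raw `SecurityEvent` columns does not.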

KenMAG commented 1 month ago

Hi @vakohl I am seeing __Im_RegistryEventMicrosoftWindowsEventV02 in new Sentinel instances. Is that what you recommend we use in training? Or would it be more appropriate to use something like __Im_RegistryEventMicrosoftWindowsEvent* without a version? Thanks!