This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Bias Types:
⚠️ windows_first
⚠️ windows_tools
⚠️ missing_linux_example
Summary:
The documentation demonstrates a Windows bias by referencing Windows-specific event sources (e.g., 'Microsoft-Windows-Sysmon'), using Windows-centric terminology and examples (such as EventID and the Event table), and recommending PowerShell and Azure Portal for deployment and management tasks. There are no explicit Linux or cross-platform deployment/test examples, and Linux-specific tools or workflows are not mentioned, even though Microsoft Sentinel supports ingesting logs from Linux sources (e.g., Syslog).
Recommendations:
  • Provide equivalent Linux-based examples alongside Windows examples, such as using Linux Syslog event types and fields in KQL queries.
  • Include instructions for deploying and managing parsers using Linux-native tools (e.g., Azure CLI, Bash scripts) in addition to PowerShell.
  • Mention and demonstrate cross-platform or Linux-specific log sources and how to map their fields to ASIM schemas.
  • Clarify that the guidance applies to both Windows and Linux data sources, and highlight any differences or additional steps required for Linux environments.
  • Add sample parser development and deployment workflows for Linux users, including exporting logs, running tests, and submitting contributions from Linux systems.

Scan History

| Date | Scan ID | Status | Bias Status |
| --- | --- | --- | --- |
| 2025-08-17 00:01 | #83 | in_progress | ✅ Clean |
| 2025-07-13 21:37 | #48 | completed | ❌ Biased |
| 2025-07-12 23:44 | #41 | in_progress | ❌ Biased |

Flagged Code Snippets

```kusto
Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| invoke _ASIM_ResolveSrcFQDN('Computer')
```
To avoid duplicate events and excessive processing, make sure each function starts by filtering, using native fields, only the events that it is intended to parse. Also, if needed, use project-away at each branch, before the union.

## Deploy parsers

Deploy parsers manually by copying them to the Azure Monitor Log page and saving the query as a function. This method is useful for testing. For more information, see [Create a function](/azure/azure-monitor/logs/functions).

To deploy a large number of parsers, we recommend using parser ARM templates, as follows:

1. Create a YAML file based on the relevant template for each schema and include your query in it. Start with the [YAML template](https://aka.ms/ASimYamlTemplates) relevant for your schema and parser type, filtering or parameter-less.
2. Use the [ASIM YAML to ARM template converter](https://aka.ms/ASimYaml2ARM) to convert your YAML file to an ARM template.
3. If deploying an update, delete older versions of the functions using the portal or the [function delete PowerShell tool](https://aka.ms/ASimDelFunctionScript).
4. Deploy your template using the [Azure portal](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md#edit-and-deploy-the-template) or [PowerShell](../azure-resource-manager/templates/deploy-powershell.md). You can also combine multiple templates into a single deployment using [linked templates](../azure-resource-manager/templates/linked-templates.md?tabs=azure-powershell#linked-template).

> [!TIP]
> ARM templates can combine different resources, so parsers can be deployed alongside connectors, analytic rules, or watchlists, to name a few useful options. For example, your parser can reference a watchlist deployed alongside it.

## Test parsers

This section describes the testing tools ASIM provides that enable you to test your parsers.

That said, parsers are code, sometimes complex, and standard quality assurance practices such as code reviews are recommended in addition to automated testing.

### Install ASIM testing tools

To test ASIM, [deploy the ASIM testing tool](https://aka.ms/ASimTestingTools) to a Microsoft Sentinel workspace where:

- Your parser is deployed.
- The source table used by the parser is available.
- The source table used by the parser is populated with a varied collection of relevant events.

### Validate the output schema

To make sure that your parser produces a valid schema, use the ASIM schema tester by running the following query in the Microsoft Sentinel **Logs** page:
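The following KQL parser is an added example written for this page; it is not code from the Azure documentation or from the ASIM project. It applies the guidance quoted in the flagged snippet (each branch filters on native fields before any parsing, and project-away runs per branch before the union) and, in line with the recommendations above, places a Linux branch over the Syslog table beside the Sysmon branch from the flagged query. The Sysmon EventData XML field names, the sudo Syslog message layout, and the ASIM ProcessEvent column names used here are assumptions made for illustration; check them against the ProcessEvent schema reference and your own ingested data before deploying.

```kusto
// Added example, not part of the original page or the ASIM repository.
// Two-branch ProcessEvent-style parser: Windows (Sysmon via the Event table)
// and Linux (sudo via the Syslog table). Column names are assumed.
let SysmonProcessCreate = () {
    Event
    // Filter first, on native fields, to exactly the events this branch parses.
    // Doing this before extend/extract keeps other Event rows out of the branch.
    | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
    | extend
        EventVendor = "Microsoft",
        EventProduct = "Sysmon",
        EventType = "ProcessCreated",
        EventSchema = "ProcessEvent",
        DvcHostname = Computer,
        // Assumption: EventData holds the Sysmon XML with <Data Name="..."> items.
        ActorUsername = extract(@'<Data Name="User">([^<]+)</Data>', 1, EventData),
        TargetProcessName = extract(@'<Data Name="Image">([^<]+)</Data>', 1, EventData),
        TargetProcessCommandLine = extract(@'<Data Name="CommandLine">([^<]+)</Data>', 1, EventData)
    // Drop the heavy native columns in this branch, before the union,
    // so they are not carried into (or re-evaluated by) downstream queries.
    | project-away EventData, RenderedDescription, ParameterXml
};
let SudoProcessCreate = () {
    Syslog
    // Native-field filter first: only sudo records from the auth facility.
    | where Facility == "auth" and ProcessName == "sudo"
    // Assumption: sudo lines look like
    //   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
    | where SyslogMessage has "COMMAND"
    | extend
        EventVendor = "Linux",
        EventProduct = "sudo",
        EventType = "ProcessCreated",
        EventSchema = "ProcessEvent",
        DvcHostname = Computer,
        ActorUsername = extract(@'^\s*(\S+)\s*:', 1, SyslogMessage),
        TargetProcessCommandLine = extract(@'COMMAND=(.*)$', 1, SyslogMessage)
    // First token of the command line is the executable path.
    | extend TargetProcessName = tostring(split(TargetProcessCommandLine, " ")[0])
    // Raw message and Syslog-only columns are not needed past this branch.
    | project-away SyslogMessage, ProcessID, SeverityLevel
};
// Each branch already has its own filter and project-away, so the union
// never sees rows that a branch did not intend to parse.
union isfuzzy=true SysmonProcessCreate(), SudoProcessCreate()
```

The point of the per-branch `where` is correctness as much as cost: without it, a branch that only `extend`s would pass through every row of its source table and the union would emit duplicates for any row both branches touch. ASIM helpers such as `_ASIM_ResolveSrcFQDN`, used in the flagged snippet, can be invoked on the unified output after the `union` line.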