# ASIM Standardization

### Description

The ASIM Standardization processor transforms log data into events that conform to the [Microsoft Advanced Security Information Model (ASIM)](https://learn.microsoft.com/en-us/azure/sentinel/normalization). It maps fields from incoming logs to the column contract for one of the ten native ASIM tables in a Microsoft Sentinel workspace. It also adds the routing attribute that the [Microsoft Sentinel destination](/integrations/destinations/microsoft-sentinel.md) uses to send each record to the correct table.

### Use

Use the ASIM Standardization processor to normalize security logs from diverse sources into ASIM schemas before routing them to Microsoft Sentinel. The processor replaces the log body with ASIM-compliant columns and sets the `sentinel_stream_name` log record attribute. In ASIM mode, the [Microsoft Sentinel destination](/integrations/destinations/microsoft-sentinel.md) uses that attribute to route each record to the correct ASIM table. Records that do not match a configured mapping are dropped so untransformed data cannot land in an ASIM table.

### Supported Types

| Metrics | Logs | Traces |
| ------- | ---- | ------ |
|         | ✓    |        |

### Configuration

<table><thead><tr><th width="180.3935546875">Field</th><th width="82.720703125">Required</th><th width="196.9365234375">Type</th><th>Description</th></tr></thead><tbody><tr><td>Telemetry Types</td><td>Yes</td><td><code>telemetrySelector</code></td><td>The types of telemetry to apply the processor to. Only Logs are supported.</td></tr><tr><td>Runtime Validation</td><td>Yes</td><td><code>bool</code></td><td>Enable runtime validation of records against the ASIM column contract. Records missing required columns are dropped.</td></tr><tr><td>Resource Presets</td><td>No</td><td><code>resourcePreset[]</code></td><td>Apply prebuilt event-mapping presets for common log sources (Windows Security, Linux SSH syslog, CEF). Presets attach to the Event Mappings list.</td></tr><tr><td>Event Mappings</td><td>Yes</td><td><code>asimStandardization</code></td><td>One or more mappings that define how incoming logs are transformed into ASIM events. See Event Mappings below.</td></tr></tbody></table>

#### Event Mappings

Each event mapping defines the rules for transforming a matched log into one of the ten ASIM tables. You can configure multiple mappings to handle different log types in the same processor. The first mapping whose **Filter** matches a log record is applied. If no mapping matches, the record is dropped.

| Field          | Required | Type                 | Description                                                                                                         |
| -------------- | -------- | -------------------- | ------------------------------------------------------------------------------------------------------------------- |
| Target Table   | Yes      | `enum`               | The ASIM table to route matched records to, such as `ASimAuthenticationEventLogs`. See Supported ASIM Tables below. |
| Filter         | No       | `condition`          | A condition that determines which logs this mapping applies to. If omitted, the mapping applies to all logs.        |
| Field Mappings | Yes      | `asimFieldMapping[]` | A list of field mappings that copy or set values in the ASIM output.                                                |

#### Event Mapping Fields

Each entry in the field mappings list defines how a single ASIM column is populated.

| Field   | Required | Type     | Description                                                                                             |
| ------- | -------- | -------- | ------------------------------------------------------------------------------------------------------- |
| To      | Yes      | `string` | The target ASIM column name, such as `TargetUsername`, `SrcIpAddr`, or `EventStartTime`.                |
| From    | No\*     | `string` | An expression that extracts a value from the source log, such as `body["EventData"]["TargetUserName"]`. |
| Default | No\*     | `any`    | A static value used when the source field is absent or the `From` expression returns `nil`.             |

\*At least one of `From` or `Default` must be provided for each field mapping.

### Automatically Populated Fields

In addition to the fields defined in your event mappings, the processor automatically populates the following values on every matched record:

| Output                           | Description                                                                                                                                                                                                                                                               |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `EventSchema`                    | Set to the ASIM schema name for the matched target table, such as `Authentication`, `NetworkSession`, or `Dns`.                                                                                                                                                           |
| `AdditionalFields`               | Preserves the original log body as a dynamic column so the original data is retained when the body is replaced.                                                                                                                                                           |
| `sentinel_stream_name` attribute | Set to `Custom-<TargetTable>`, such as `Custom-ASimAuthenticationEventLogs`. The [Microsoft Sentinel destination](/integrations/destinations/microsoft-sentinel.md) reads this attribute on each record to select the correct destination stream in the consolidated DCR. |

`TimeGenerated` is assigned by Microsoft Sentinel at ingest time. The processor does not populate it, and you do not need a field mapping for it.

### Required ASIM Columns

ASIM requires these columns on every record, in addition to any required columns for the target table. The processor does not populate them automatically. Set them with field mappings or defaults where appropriate.

* `EventCount`
* `EventStartTime`
* `EventEndTime`
* `EventType`
* `EventResult`
* `EventProduct`
* `EventVendor`
* `EventSchemaVersion`
* `Dvc`

When **Runtime Validation** is enabled, records missing any of these columns are dropped.

### Supported ASIM Tables

The processor supports ten native ASIM tables. It derives the `sentinel_stream_name` attribute as `Custom-<TargetTable>`.

| Target Table                     | Sentinel Table Family | `EventSchema`    |
| -------------------------------- | --------------------- | ---------------- |
| `ASimAuthenticationEventLogs`    | Authentication        | `Authentication` |
| `ASimNetworkSessionLogs`         | Network Session       | `NetworkSession` |
| `ASimDnsActivityLogs`            | DNS Activity          | `Dns`            |
| `ASimProcessEventLogs`           | Process Event         | `ProcessEvent`   |
| `ASimFileEventLogs`              | File Event            | `FileEvent`      |
| `ASimAuditEventLogs`             | Audit Event           | `AuditEvent`     |
| `ASimWebSessionLogs`             | Web Session           | `WebSession`     |
| `ASimDhcpEventLogs`              | DHCP Event            | `Dhcp`           |
| `ASimRegistryEventLogs`          | Registry Event        | `RegistryEvent`  |
| `ASimUserManagementActivityLogs` | User Management       | `UserManagement` |

### Type Coercion

The processor coerces mapped values to the target ASIM column type when possible. If a value cannot be coerced, the field is dropped with a warning. If **Runtime Validation** is enabled and the column is required, the record is dropped.

| ASIM Column Type | Accepted Source Types                                                                         | Canonical Output                             |
| ---------------- | --------------------------------------------------------------------------------------------- | -------------------------------------------- |
| `string`         | `string`, `bool`, any `int` or `uint`, any `float`, `time.Time`, arrays, maps, `fmt.Stringer` | `string`. Composite values are JSON-encoded. |
| `int`            | `int`, `int32`, `int64`, any `uint`, `float32`, `float64`, `bool`, numeric `string`           | `int32`. Overflow is rejected.               |
| `long`           | `int`, `int32`, `int64`, any `uint`, `float32`, `float64`, `bool`, numeric `string`           | `int64`                                      |
| `real`           | `float32`, `float64`, any `int` or `uint`, decimal `string`                                   | `float64`                                    |
| `boolean`        | `bool`, any `int`, `string` values such as `"true"`, `"1"`, `"yes"`, `"false"`, `"0"`, `"no"` | `bool`                                       |
| `datetime`       | `time.Time`, `string` in RFC3339, RFC3339Nano, or ISO8601 formats                             | RFC3339Nano `string`                         |
| `dynamic`        | Any JSON-serializable value                                                                   | Passed through unchanged                     |

Numeric epoch values are not accepted for `datetime` columns because the unit is ambiguous. Convert epoch values to an RFC3339 string upstream before mapping them.

### Routing to Microsoft Sentinel

Pair this processor with the [Microsoft Sentinel destination](/integrations/destinations/microsoft-sentinel.md) in **ASIM** mode. The destination uses one consolidated Data Collection Rule with one stream for each ASIM table.

For each record:

1. The processor matches the record to an event mapping and rewrites the body to ASIM columns.
2. The processor sets the `sentinel_stream_name` attribute, such as `Custom-ASimNetworkSessionLogs`.
3. The Microsoft Sentinel destination reads that attribute and sends the record to the matching DCR stream.

Records that reach the destination without `sentinel_stream_name` are dropped. This prevents untransformed data from reaching native ASIM tables. Bindplane also warns you when a Microsoft Sentinel destination in **ASIM** mode has no ASIM Standardization processor upstream.

### Example configuration

#### Map Windows logon events to ASIM Authentication

This example maps Windows Security Event ID `4624` to `ASimAuthenticationEventLogs`. The filter limits the mapping to successful logon events. The field mappings populate common required columns and key Authentication columns.

{% hint style="info" %}
This example shows the core mapping shape. Add any other required table-specific columns for your source before enabling **Runtime Validation** in production, otherwise records that lack them are dropped.
{% endhint %}

#### Standalone processor

```yaml
apiVersion: bindplane.observiq.com/v1
kind: Processor
metadata:
  id: asim_standardization
  name: asim_standardization
spec:
  type: asim_standardization
  parameters:
    - name: telemetry_types
      value:
        - Logs
    - name: runtime_validation
      value: true
    - name: event_mappings
      value:
        - targetTable: ASimAuthenticationEventLogs
          filter: 'body["System"]["EventID"] == 4624'
          fieldMappings:
            - to: EventCount
              default: 1
            - to: EventType
              default: Logon
            - to: EventResult
              default: Success
            - to: EventProduct
              default: Windows
            - to: EventVendor
              default: Microsoft
            - to: EventSchemaVersion
              default: "0.1.4"
            - to: EventStartTime
              from: 'body["System"]["TimeCreated"]["SystemTime"]'
            - to: EventEndTime
              from: 'body["System"]["TimeCreated"]["SystemTime"]'
            - to: Dvc
              from: 'body["System"]["Computer"]'
            - to: TargetUsername
              from: 'body["EventData"]["TargetUserName"]'
            - to: TargetDomain
              from: 'body["EventData"]["TargetDomainName"]'
            - to: ActorUsername
              from: 'body["EventData"]["SubjectUserName"]'
            - to: SrcIpAddr
              from: 'body["EventData"]["IpAddress"]'
            - to: SrcHostname
              from: 'body["EventData"]["WorkstationName"]'
```

The resulting log body conforms to the ASIM Authentication schema. The table below shows the populated columns, including values the processor adds automatically.

| ASIM Column          | Source        | Value                                                                            |
| -------------------- | ------------- | -------------------------------------------------------------------------------- |
| `EventSchema`        | Auto          | `Authentication`                                                                 |
| `AdditionalFields`   | Auto          | The original log body, preserved as a dynamic value                              |
| `EventCount`         | Field mapping | `1`                                                                              |
| `EventType`          | Field mapping | `Logon`                                                                          |
| `EventResult`        | Field mapping | `Success`                                                                        |
| `EventProduct`       | Field mapping | `Windows`                                                                        |
| `EventVendor`        | Field mapping | `Microsoft`                                                                      |
| `EventSchemaVersion` | Field mapping | `0.1.4`                                                                          |
| `EventStartTime`     | Field mapping | Value from `body["System"]["TimeCreated"]["SystemTime"]`, coerced to RFC3339Nano |
| `EventEndTime`       | Field mapping | Same source, coerced to RFC3339Nano                                              |
| `Dvc`                | Field mapping | Value from `body["System"]["Computer"]`                                          |
| `TargetUsername`     | Field mapping | Value from `body["EventData"]["TargetUserName"]`                                 |
| `TargetDomain`       | Field mapping | Value from `body["EventData"]["TargetDomainName"]`                               |
| `ActorUsername`      | Field mapping | Value from `body["EventData"]["SubjectUserName"]`                                |
| `SrcIpAddr`          | Field mapping | Value from `body["EventData"]["IpAddress"]`                                      |
| `SrcHostname`        | Field mapping | Value from `body["EventData"]["WorkstationName"]`                                |

The `sentinel_stream_name` attribute is set to `Custom-ASimAuthenticationEventLogs`. Microsoft Sentinel adds `TimeGenerated` at ingest time.

### Resource Presets

For common sources, use a preset instead of writing every field mapping by hand:

* `asim_windows_security` — maps Windows Security events such as `4624`, `4625`, `4688`, `4720`, and `4726` to Authentication, Process, and User Management tables.
* `asim_linux_syslog` — maps SSH and auth syslog events to the Authentication table. This assumes an upstream parser has promoted fields such as `body.program`, `body.host`, `body.message`, `body.user`, and `body.src_ip`.
* `asim_cef` — maps CEF-formatted security events to the appropriate ASIM table family.

Presets are added as event mapping entries and can be edited after import.

### Schema Validation

#### Configuration-time validation

When you save the processor, Bindplane validates the configuration against the ASIM schema. Validation checks:

* each event mapping uses a supported **Target Table**
* all `Filter` and `From` expressions are syntactically valid
* every required ASIM column for the target table has either a `From` or a `Default` mapping

`EventSchema` and `AdditionalFields` count toward coverage automatically.

Configuration-time validation does not verify runtime values. A field mapping can still pass validation and later be coerced or dropped if the source value is invalid.

#### Runtime validation

When **Runtime Validation** is enabled, each processed log record is checked after all mappings run. Records that fail validation are dropped and logged.

Runtime validation checks:

* required columns are present, including common ASIM columns and any table-specific required columns
* populated values coerce cleanly to the declared ASIM types

If a value cannot be coerced, the field is dropped. If that field is required, the whole record is dropped.

Disable **Runtime Validation** while building mappings. While it is disabled, records that are missing required columns, or whose values could not be coerced, are still routed to the ASIM table. Re-enable it after you confirm the output so records sent to Microsoft Sentinel are ASIM-compliant.
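The following Python model is an added example, not Bindplane code. It walks one constructed Windows `4624` record through the behaviour described in the Event Mappings, Type Coercion, Routing to Microsoft Sentinel and Runtime validation sections: the first-match filter and `From`/`Default` field mappings, coercion of a numeric string to `int` with int32 overflow and numeric epoch timestamps rejected, the required-column check, and the `Custom-<TargetTable>` stream attribute. The filter is a Python callable and `From` paths are limited to the `body["A"]["B"]` form shown on this page; both are stand-ins for the processor's expression language, and `COLUMN_TYPES` is an assumed subset of the ASIM column contract. The sample event and the mapping are constructed for the example.

```python
# Reference model (added example, not Bindplane code) of the flow this page describes. Filters are
# Python callables and From paths use the page's body["A"]["B"] form; both stand in for the
# processor's own expression language, and COLUMN_TYPES is an assumed subset of the ASIM contract.
import json
import re
from datetime import datetime, timedelta, timezone

ASIM_TABLES = {  # target table -> EventSchema, from the Supported ASIM Tables section
    "ASimAuthenticationEventLogs": "Authentication", "ASimNetworkSessionLogs": "NetworkSession",
    "ASimDnsActivityLogs": "Dns", "ASimProcessEventLogs": "ProcessEvent",
    "ASimFileEventLogs": "FileEvent", "ASimAuditEventLogs": "AuditEvent",
    "ASimWebSessionLogs": "WebSession", "ASimDhcpEventLogs": "Dhcp",
    "ASimRegistryEventLogs": "RegistryEvent", "ASimUserManagementActivityLogs": "UserManagement"}
REQUIRED_COMMON = ("EventCount", "EventStartTime", "EventEndTime", "EventType", "EventResult",
                   "EventProduct", "EventVendor", "EventSchemaVersion", "Dvc")
COLUMN_TYPES = {"EventCount": "int", "EventStartTime": "datetime", "EventEndTime": "datetime",
                "SrcPortNumber": "int", "AdditionalFields": "dynamic"}  # anything else: string
_ISO = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[T ](\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})?$")

def coerce(value, col_type):
    """Coerce value to the ASIM column type per the Type Coercion table; ValueError if impossible."""
    if col_type == "dynamic":
        return value
    if col_type == "string":
        if isinstance(value, bool):
            return "true" if value else "false"
        return json.dumps(value) if isinstance(value, (dict, list)) else str(value)
    if col_type in ("int", "long"):
        if isinstance(value, str) and re.fullmatch(r"-?\d+", value.strip()):
            value = int(value)  # numeric string accepted
        if not isinstance(value, (bool, int, float)):
            raise ValueError(f"{value!r} is not numeric")
        if col_type == "int" and not -2**31 <= int(value) < 2**31:
            raise ValueError("int32 overflow")  # rejected, never wrapped
        return int(value)
    if col_type == "datetime":
        if isinstance(value, datetime):
            dt = value if value.tzinfo else value.replace(tzinfo=timezone.utc)
        elif isinstance(value, str) and (m := _ISO.match(value.strip())):
            *ymdhms, frac, tz = m.groups()
            micros = int((frac or "0")[:6].ljust(6, "0"))  # this model keeps microseconds
            off = timedelta(0) if tz in (None, "Z") else timedelta(hours=int(tz[1:3]), minutes=int(tz[-2:]))
            dt = datetime(*map(int, ymdhms), micros, timezone(-off if tz and tz[0] == "-" else off))
        else:  # numeric epochs are rejected on purpose: seconds vs milliseconds is ambiguous
            raise ValueError(f"{value!r} is not an RFC3339/ISO8601 timestamp")
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    raise ValueError(f"unknown column type {col_type}")

def resolve(expr, body):
    """Resolve a From path of the form body["a"]["b"]; a missing key yields None."""
    if not re.fullmatch(r'body(\["[^"]+"\])+', expr):
        raise ValueError(f"this model only supports body[...] paths: {expr}")
    cur = body
    for key in re.findall(r'\["([^"]+)"\]', expr):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def standardize(record, mappings, runtime_validation=True, warnings_out=None):
    """Apply the first matching mapping; return (record, reason), record None when dropped."""
    warnings_out = [] if warnings_out is None else warnings_out
    body = record["body"]
    mapping = next((m for m in mappings if m.get("filter") is None or m["filter"](body)), None)
    if mapping is None:
        return None, "dropped: no event mapping matched"
    table = mapping["targetTable"]
    out = {"EventSchema": ASIM_TABLES[table], "AdditionalFields": body}  # populated automatically
    for fm in mapping["fieldMappings"]:
        value = resolve(fm["from"], body) if "from" in fm else None
        if value is None and (value := fm.get("default")) is None:
            continue  # Default applies when From is absent or nil; with neither, the column stays unset
        try:
            out[fm["to"]] = coerce(value, COLUMN_TYPES.get(fm["to"], "string"))
        except ValueError as exc:
            warnings_out.append(f"{fm['to']}: {exc}")  # field dropped with a warning
    if runtime_validation:
        missing = [c for c in REQUIRED_COMMON if c not in out]
        if missing:
            return None, f"dropped: missing required columns {missing}"
    attrs = dict(record.get("attributes", {}), sentinel_stream_name=f"Custom-{table}")
    return {"body": out, "attributes": attrs}, "ok"

# Constructed sample: a parsed Windows Security 4624 event and this page's example mapping.
LOGON_4624 = {"body": {
    "System": {"EventID": 4624, "Computer": "DC01.corp.example",
               "TimeCreated": {"SystemTime": "2024-03-11T14:02:17.1234567Z"}},
    "EventData": {"TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "IpPort": "51234"}}}
_DEFAULTS = {"EventCount": 1, "EventType": "Logon", "EventResult": "Success",
             "EventProduct": "Windows", "EventVendor": "Microsoft", "EventSchemaVersion": "0.1.4"}
_FROM = {"EventStartTime": 'body["System"]["TimeCreated"]["SystemTime"]',
         "EventEndTime": 'body["System"]["TimeCreated"]["SystemTime"]',
         "Dvc": 'body["System"]["Computer"]', "TargetUsername": 'body["EventData"]["TargetUserName"]',
         "SrcIpAddr": 'body["EventData"]["IpAddress"]', "SrcPortNumber": 'body["EventData"]["IpPort"]'}
MAPPINGS = [{"targetTable": "ASimAuthenticationEventLogs",
             "filter": lambda body: body.get("System", {}).get("EventID") == 4624,
             "fieldMappings": [{"to": k, "default": v} for k, v in _DEFAULTS.items()]
                              + [{"to": k, "from": v} for k, v in _FROM.items()]}]
```

Calling `standardize(LOGON_4624, MAPPINGS)` yields a body with `EventSchema` set to `Authentication`, `EventStartTime` rewritten to a UTC RFC3339 string, `SrcPortNumber` as an integer, and the `sentinel_stream_name` attribute `Custom-ASimAuthenticationEventLogs`. Feeding the same mapping a `4625` record, or a `4624` record whose `SystemTime` is a numeric epoch, returns a dropped result; with `runtime_validation=False` the epoch record is still routed to the Authentication stream, only without `EventStartTime` and `EventEndTime`, which is the trade-off to keep in mind while validation is disabled.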

