How BlueVoyant's ASIM-First Strategy Simplifies Threat Detection in Microsoft Sentinel
June 1, 2026 | 2 min read
Alexander Sinno
VP, Product Management MDR


An ASIM-First Approach
Earlier this year, BlueVoyant adopted a new detection strategy built on the Advanced Security Information Model (ASIM). For those unfamiliar, ASIM is Microsoft's normalization layer for Sentinel: it maps log data from many products into a small set of consistent schemas, so a query written against a schema runs over every product that has a parser for it.
Our approach is simple:
- For any log source falling within ASIM's 13 schema categories, we build rules using ASIM as the primary standard
- For sources outside these categories, such as email gateways like Proofpoint, we query native tables directly
The result? Dramatically faster use case development and cleaner, more maintainable detection logic.
The Numbers Speak for Themselves
Out of the box, ASIM supports:
- 197 parsers
- 143 products
- Growing categories including Entity and the recently added AI Agent category
And this is expanding rapidly. Just search "ASIM" in the Azure-Sentinel GitHub repository to see new products being added regularly.
Real-World Impact: The Password Spray Example
Here's a practical example from our MDR offering.
Our Password Spray detection rule correlates authentication events with Microsoft Defender to generate Unified Attack Stories by leveraging Sentinel & Defender-native entities.
The key benefit of using ASIM here is that a single rule covers 27 authentication products.
We're able to avoid cumbersome unions, duplicated logic, and parsing & normalization gymnastics.


For one enterprise customer, this rule automatically reviewed all seven of their authentication products and successfully identified a source IP conducting a password spray. The detection was clean, readable, and required zero additional KQL or parsing effort inside the rule.
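To make the "one rule, many products" point concrete, here is an added KQL example of a minimal password-spray detection written against the ASIM Authentication filtering parser. It is illustrative code written for this article, not BlueVoyant's production rule, and it omits the Defender correlation described above; the thresholds (`min_distinct_users`, `max_success_ratio`) are assumptions to be tuned per tenant.

```kql
// Added example (not BlueVoyant's production rule): a minimal password-spray
// detection over the ASIM Authentication filtering parser. Thresholds are
// assumptions; tune them to the tenant being monitored.
let lookback = 1h;
let min_distinct_users = 10;   // assumption: one source failing against 10+ distinct accounts
let max_success_ratio = 0.1;   // assumption: a spray is overwhelmingly failures
// The filtering parser pushes the time window down into every underlying
// product table, so no per-vendor union or parsing is needed here.
_Im_Authentication(starttime=ago(lookback), endtime=now())
| where isnotempty(SrcIpAddr) and isnotempty(TargetUsername)
| summarize
    FailedAttempts   = countif(EventResult == "Failure"),
    SuccessfulLogons = countif(EventResult == "Success"),
    DistinctUsers    = dcountif(TargetUsername, EventResult == "Failure"),
    SampleUsers      = make_set_if(TargetUsername, EventResult == "Failure", 10),
    Products         = make_set(EventProduct, 30),   // which of the products saw this source
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SrcIpAddr
| where DistinctUsers >= min_distinct_users
| extend SuccessRatio = todouble(SuccessfulLogons) / (FailedAttempts + SuccessfulLogons)
| where SuccessRatio <= max_success_ratio
// A success following the spray is the highest-priority outcome for the analyst.
| extend Severity = iff(SuccessfulLogons > 0, "High", "Medium")
| project FirstSeen, LastSeen, SrcIpAddr, DistinctUsers, FailedAttempts,
          SuccessfulLogons, Severity, Products, SampleUsers
```

When this is saved as a scheduled analytics rule, `SrcIpAddr` is mapped to the IP entity in the rule's entity mapping so that Sentinel and Defender can correlate the alert with other evidence about the same address; `Products` shows the analyst which of the customer's authentication sources contributed without any extra query.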
SOC Efficiency Through Normalization
Beyond the efficiency gains on the detection engineering side, adopting ASIM has also improved our SOC analysts' experience.
Instead of having to hunt across dozens of different schemas with significant variances between vendors, our SOC now has a unified view of the most relevant security data.
Taking the ASIM Network Session schema as an example, they have a comprehensive view of network traffic in a schema of up to 138 columns, with consistent and normalized values in the vast majority of them, compared to over 250 unaligned columns and extensions across just 2 vendors' firewall logs.
By decreasing the number of fields that an analyst has to take into account when evaluating events by almost 50%, we've lowered the context switching required to investigate any given incident.
ASIM's filtering parsers allow our analysts to quickly review all the relevant logs for specific indicators without having to write multiple queries to support the different technologies a customer may use.
They can now quickly and confidently tell if an IP was observed on a firewall or proxy, or connecting to/from an endpoint device, with a single request.
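The single-request pivot described above, as an added KQL example that is not part of the original post: one query against the ASIM Network Session filtering parser answers whether an IP was seen by any firewall, proxy or endpoint product mapped to that schema. The address is a constructed TEST-NET-3 value, not a real indicator, and the parameter names follow Microsoft's ASIM Network Session parser documentation.

```kql
// Added example (not from the original post): pivot one IP indicator across
// every product mapped to the ASIM Network Session schema in a single query.
let indicators = dynamic(["203.0.113.45"]);   // constructed TEST-NET-3 address, not a real IoC
_Im_NetworkSession(
    starttime = ago(7d),
    endtime = now(),
    ipaddr_has_any_prefix = indicators)        // filters on source or destination address
| extend Role = case(SrcIpAddr in (indicators), "Source",
                     DstIpAddr in (indicators), "Destination",
                     "Other")
| summarize
    Sessions  = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    // the other end of each session, regardless of which side the indicator was on
    Peers     = make_set(iff(Role == "Source", DstIpAddr, SrcIpAddr), 20),
    Ports     = make_set(DstPortNumber, 20),
    Actions   = make_set(DvcAction, 5),        // Allow / Deny / Drop, already normalized
    Reporters = make_set(Dvc, 10)              // which firewall, proxy or endpoint saw it
  by EventVendor, EventProduct, Role
| order by LastSeen desc
```

The output groups by vendor and product, so the analyst reads one table to see which technologies observed the address, in which direction, and whether any of them blocked it, instead of running a separate query per vendor schema.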
The added standardization of terminology also allows us to communicate with customers more efficiently, which has led to better end-to-end handling of detected security incidents. Analysts and customers are more in alignment, regardless of the source of the telemetry.
What's Next?
As ASIM coverage expands, so does the power of this approach. We're continuing to build our detection library on this foundation, ensuring our customers benefit from every new parser Microsoft releases.
BlueVoyant is proud to be regularly contributing to this Microsoft innovation. Examples below: