I’ve not personally experienced the scenario, but I have heard from others who have: it’s possible that the Advanced Security Information Model (ASIM) needs to be removed or redeployed.
When ASIM is deployed, a number of KQL functions are installed. These KQL functions provide the parsing intelligence and are important for ASIM to work in normalizing data.
If you’ve not yet caught up to the power and value of ASIM, see the following:
- Normalization and the Advanced Security Information Model (ASIM)
- Advanced Security Information Model (ASIM) overview
- Advanced Security Information Model (ASIM) schemas
- Advanced Security Information Model (ASIM) content
But, as noted, you may need to remove the KQL functions. Fortunately, the ASIM team thought of everything. In the same repo location as the ASIM deployment, there’s a dev folder that contains some ASIM utilities. One of those utilities is designed to remove the deployed functions:
Delete-SentinelFunction – This PowerShell script deletes saved functions from a Log Analytics workspace. It supports wildcards and enables batch cleaning of unneeded functions from the workspace, especially when deploying a new function ARM template such as those used by Microsoft Sentinel ASIM.
Once the ASIM functions are removed, you can redeploy them from the original location: Deploy ASIM
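To show what the remove-then-redeploy step involves, here is an added PowerShell example of the batch cleanup that Delete-SentinelFunction performs; it is not the script from the ASIM repo. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that saved functions are returned by Get-AzOperationalInsightsSavedSearch as saved searches carrying a FunctionAlias property, and that '_ASim_*' is only a placeholder alias pattern to replace with the one your deployment uses.

```powershell
# Added example, not the ASIM repo's Delete-SentinelFunction script.
# Finds saved functions in a Log Analytics workspace whose alias matches a
# wildcard and removes them in one pass. Run with -WhatIf first to see the
# list without deleting anything.
# Assumptions: Connect-AzAccount has already been run; saved functions surface
# as saved searches with a FunctionAlias property; the SavedSearchId expected by
# Remove-AzOperationalInsightsSavedSearch is the last segment of the entry's Id.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    # Placeholder pattern; replace with the alias prefix used by your deployment.
    [string] $AliasPattern = '_ASim_*'
)

Import-Module Az.OperationalInsights -ErrorAction Stop

$saved = Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName `
                                              -WorkspaceName $WorkspaceName

# Keep only entries that are functions (carry an alias) and match the wildcard.
$hits = @($saved.Value | Where-Object {
    $_.Properties.FunctionAlias -and ($_.Properties.FunctionAlias -like $AliasPattern)
})

if ($hits.Count -eq 0) {
    Write-Host "No saved functions matching '$AliasPattern' in $WorkspaceName."
    return
}

# Always list what is about to go before touching anything.
$hits | ForEach-Object {
    "{0,-40} {1}" -f $_.Properties.FunctionAlias, $_.Properties.Category
} | Write-Host

foreach ($h in $hits) {
    $savedSearchId = ($h.Id -split '/')[-1]
    # -WhatIf only reports the deletions; -Confirm prompts per function.
    if ($PSCmdlet.ShouldProcess($h.Properties.FunctionAlias, 'Remove saved function')) {
        Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName `
            -WorkspaceName $WorkspaceName -SavedSearchId $savedSearchId -Force
    }
}
```

After the functions are gone, redeploy them from the Deploy ASIM location referenced above and confirm the parsers resolve again in the workspace.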
A couple other useful utilities exist here, too:
- ASIM tester – See: Testing parsers
- KqlFuncYaml2Arm – The KqlFuncYaml2Arm script generates deployable ARM templates from KQL function YAML files.