How to Redeploy ASIM for Microsoft Sentinel

I’ve not personally experienced the scenario, but I have heard from others who have: it’s possible that the Advanced Security Information Model (ASIM) needs to be redeployed or removed.

When ASIM is deployed, a number of KQL functions are installed as saved functions in the Log Analytics workspace. These KQL functions provide the parsing intelligence and are what allow ASIM to normalize data from the different source tables into the common schemas.

ASIM Parsers

If you’ve not yet caught up to the power and value of ASIM, see the following:

But, as noted, you may need to remove the KQL functions, for example before redeploying a newer version of the parsers. Fortunately, the ASIM team thought of everything. In the same repo location as the ASIM deployment, there’s a dev folder that contains some ASIM utilities. One of those utilities is designed to remove the deployed functions:

Delete-SentinelFunction – This PowerShell script deletes saved functions from a Log Analytics workspace. It supports wildcards and enables batch cleaning of the workspace from unneeded functions, especially when deploying a new function ARM template such as those used by Microsoft Sentinel ASIM.

Once the ASIM functions are removed, you can redeploy them from the original location: Deploy ASIM. Before deleting, it is worth listing what matches your wildcard, since a broad pattern will also catch any custom functions that share a prefix with the ASIM parsers.
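As an added example (this is not the repo’s Delete-SentinelFunction.ps1 and not code from the original post), the following PowerShell does the same remove-then-redeploy cycle with the standard Az cmdlets: it lists the saved functions in the workspace, shows which ones match the ASIM category and alias patterns, deletes them only after confirmation (or shows them with -WhatIf), and optionally redeploys. The resource group and workspace names, the default alias patterns, the category filter value, the template URL and its `Workspace` parameter name are assumptions to check against your own workspace and the current repo before running it.

```powershell
<#
  Added example, not the Azure-Sentinel repo's own script.
  Assumes: Az.Accounts, Az.OperationalInsights and Az.Resources are installed,
  Connect-AzAccount has been run, and the account can write to the workspace.
  Run with -WhatIf first to see what would be removed.
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder
    [Parameter(Mandatory)] [string] $WorkspaceName,       # placeholder
    # Wildcards matched against the function alias (assumed ASIM naming: ASim*, _ASim_*, im*, _Im_*, vim*).
    [string[]] $AliasPattern = @('ASim*', '_ASim_*', 'im*', '_Im_*', 'vim*'),
    # Saved-search category the ASIM templates use (assumption; verify in the listing below).
    [string] $Category = 'ASIM*',
    [switch] $Redeploy
)

# Every deployed parser is a saved search with a FunctionAlias; plain saved queries have none.
$all       = (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName).Value
$functions = $all | Where-Object { $_.Properties.FunctionAlias }

# Match on category OR alias so a parser with a changed category is still found,
# but print the list so a custom "im*" function is noticed before anything is deleted.
$targets = $functions | Where-Object {
    $alias = $_.Properties.FunctionAlias
    $byCategory = $_.Properties.Category -like $Category
    $byAlias    = ($AliasPattern | Where-Object { $alias -like $_ }).Count -gt 0
    $byCategory -or $byAlias
}

Write-Host ("{0} saved functions in workspace, {1} match ASIM filters" -f @($functions).Count, @($targets).Count)
$targets |
    Select-Object @{n = 'Alias'; e = { $_.Properties.FunctionAlias } },
                  @{n = 'Category'; e = { $_.Properties.Category } },
                  @{n = 'SavedSearchId'; e = { ($_.Id -split '/')[-1] } } |
    Format-Table -AutoSize

foreach ($fn in $targets) {
    # The saved search id is the last segment of the ARM resource id.
    $searchId = ($fn.Id -split '/')[-1]
    if ($PSCmdlet.ShouldProcess($fn.Properties.FunctionAlias, 'Remove saved function')) {
        Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName `
            -WorkspaceName $WorkspaceName -SavedSearchId $searchId -Force
    }
}

if ($Redeploy -and -not $WhatIfPreference) {
    # Assumed to be the template behind the repo's "Deploy ASIM" button, with a single
    # "Workspace" parameter. Check the repo for the current URL and parameter names.
    $templateUri = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/ASIM/deploy/ASimFullDeployment/FullDeploymentAsim.json'
    New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
        -TemplateUri $templateUri `
        -TemplateParameterObject @{ Workspace = $WorkspaceName } `
        -Name ('asim-redeploy-{0:yyyyMMddHHmm}' -f (Get-Date))

    # Confirm the parsers came back before pointing analytics rules at them again.
    $after = (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName).Value |
        Where-Object { $_.Properties.FunctionAlias -like '_ASim_*' -or $_.Properties.FunctionAlias -like '_Im_*' }
    Write-Host ("{0} ASIM parser functions present after redeploy" -f @($after).Count)
}
```

Because `ConfirmImpact` is set to High, the script prompts for each deletion unless you pass `-Confirm:$false`; `-WhatIf` prints the would-be removals and skips the redeploy. Analytics rules and workbooks that call the parsers will error for the window between delete and redeploy, so run the two steps back to back or pause the rules first.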

A couple of other useful utilities exist here, too:
