How to deploy the SonicWall ASIM Parsers into your Sentinel workspace?

Description

This article covers how to deploy the SonicWall ASIM parsers into your Microsoft Sentinel workspace. While the parsers are built into every Microsoft Sentinel workspace for broader use and unification of NetworkSession or WebSession events across multiple vendors, deploying the SonicWall parsers into the workspace enables the Workbooks, Analytic Rules, Hunting Queries, etc. to function using the workspace function names, rather than the built-in function names.

Instructions

To install/deploy each parser into your Microsoft Sentinel workspace:

  1. Visit each of the following pages:

  2. Click the blue “Deploy to Azure” button on each page to begin deploying the parser.
  3. Select the appropriate Azure subscription, the resource group where Microsoft Sentinel is deployed, the region, and the Sentinel workspace name. Click the “Review + create” button to view the summary and terms. Click the “Create” button on the summary and terms page.
  4. Verify the parser functions are available in your Microsoft Sentinel workspace. In Microsoft Sentinel, navigate to the “General” > “Logs” page.
    • Select the “Functions” tab and search for “sonicwall”.
    • Expand “Workspace functions”. Each deployed parser function appears under “Workspace functions” and can be used in queries throughout the Sentinel workspace.

You may need to refresh your browser window or exit and re-enter your Microsoft Sentinel workspace to refresh the list of workspace functions.
