Hey TravelMore, very good question and quite tricky as well, so IM means Source Agnostic for example the im source agnostic parser name would be imDns, then vim is Source Specific, for example vimDnsAzureFirewall or vimDnsGcp (so these are all the parses contained inside the imDns parse) I hope that answers your question :)

@@CraigCloudITPro ahh that makes sense and a sensible way of differentiating. Cheers Craig!

Hi Olaf, Thank you for your kind words! I’m glad my videos have been helpful to you in your SC-200 course and exam preparation. To clarify your understanding of parsers in Microsoft Sentinel: • Im: Built-in UNIFYING parser. • Im: Built-in WORKSPACE DEPLOYED parser. • Im_: Built-in SOURCE-SPECIFIC parser. • vim: WORKSPACE-DEPLOYED SOURCE SPECIFIC parser. When to use ASIM parsers: • Use ASim when you need a built-in unifying parser for a specific schema across different sources. This helps in normalizing data from various sources into a common schema. • Use ASim for workspace-deployed parsers that are customized for your specific environment and use cases. These are useful when you have specific log sources that require customized parsing rules. These ASIM parsers are especially valuable when dealing with complex environments with multiple data sources, as they help in unifying and simplifying the analysis process. I hope this helps! Let me know if you have any more questions.

@MultiRam73 thank you so much for your kind words :)