You have a Microsoft Sentinel workspace that contains the following Advanced Security Information Model (ASIM)...

Microsoft Sentinel uses the Advanced Security Information Model (ASIM) to normalize logs into a consistent schema, enabling unified queries, analytics rules, and hunting queries across multiple data sources.

Each ASIM function has a structured parser hierarchy, typically consisting of:

A master (or orchestrator) parser, which aggregates and calls all source-specific parsers.

Source-specific parsers, which map raw data from each data source (like Windows SecurityEvents, Sysmon, or custom logs) to the ASIM schema fields.

In the case of ProcessCreate events:

_Im_ProcessCreate is the master parser. Its role is to call all ProcessCreate parsers, including both built-in and custom ones (for example, imProcessCreate, vimProcessCreate, or other vendor-specific parsers).

Parsers like imProcessCreate (for native sources) and vimProcessCreate (for custom or vendor-specific sources) are source-specific parsers. They are responsible for standardizing and mapping raw fields into the ASIM Process schema, ensuring consistent naming such as ActorProcessName, TargetProcessName, and TargetProcessCommandLine.

“The _Im_ functions are orchestrators that call all source-specific parsers. Each im or vim parser converts native data into the ASIM schema for its respective source.”

Therefore:

To call all ProcessCreate parsers, modify _Im_ProcessCreate.

To standardize fields to the Process schema, modify vimProcessCreate (the new source-specific parser you created).

✅ Final Answers:

Call all the ProcessCreate parsers: _Im_ProcessCreate

Standardize fields to the Process schema: vimProcessCreate