| title | description | author | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|
The Advanced Security Information Model (ASIM) Network Session normalization schema reference (Public preview) | Microsoft Docs |
This article displays the Microsoft Sentinel Network Session normalization schema. |
oshezaf |
reference |
11/17/2021 |
ofshezaf |
The Advanced Security Information Model (ASIM) Network Session normalization schema reference (Public preview)
The Microsoft Sentinel Network Session normalization schema represents an IP network activity, such as network connections and network sessions. Such events are reported, for example, by operating systems, routers, firewalls, and intrusion prevention systems.
The network normalization schema can represent any type of an IP network session but is designed to provide support for common source types, such as Netflow, firewalls, and intrusion prevention systems.
For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).
This article describes version 0.2.x of the network normalization schema. Version 0.1 was released before ASIM was available and doesn't align with ASIM in several places. For more information, see Differences between network normalization schema versions.
Important
The network normalization schema is currently in preview. This feature is provided without a service level agreement. We don't recommend it for production workloads.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
For more information about ASIM parsers, see the ASIM parsers overview.
To use parsers that unify all ASIM out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the _Im_NetworkSession filtering parser or the _ASim_NetworkSession parameter-less parser.
You can also use workspace-deployed ImNetworkSession and ASimNetworkSession parsers by deploying them from the Microsoft Sentinel GitHub repository.
For more information, see built-in ASIM parsers and workspace-deployed parsers.
For the list of the Network Session parsers Microsoft Sentinel provides out-of-the-box refer to the ASIM parsers list
When developing custom parsers for the Network Session information model, name your KQL functions using the following syntax:
vimNetworkSession<vendor><Product>for parametrized parsersASimNetworkSession<vendor><Product>for regular parsers
Refer to the article Managing ASIM parsers to learn how to add your custom parsers to the network session unifying parsers.
The im and vim* parsers support filtering parameters. While these parsers are optional, they can improve your query performance.
The following filtering parameters are available:
| Name | Type | Description |
|---|---|---|
| starttime | datetime | Filter only network sessions that started at or after this time. |
| endtime | datetime | Filter only network sessions that started running at or before this time. |
| srcipaddr_has_any_prefix | dynamic | Filter only network sessions for which the source IP address field prefix is in one of the listed values. Prefixes should end with a ., for example: 10.0.. The length of the list is limited to 10,000 items. |
| dstipaddr_has_any_prefix | dynamic | Filter only network sessions for which the destination IP address field prefix is in one of the listed values. Prefixes should end with a ., for example: 10.0.. The length of the list is limited to 10,000 items. |
| ipaddr_has_any_prefix | dynamic | Filter only network sessions for which the destination IP address field or source IP address field prefix is in one of the listed values. Prefixes should end with a ., for example: 10.0.. The length of the list is limited to 10,000 items.The field ASimMatchingIpAddr is set with the one of the values SrcIpAddr, DstIpAddr, or Both to reflect the matching fields or fields. |
| dstportnum | Int | Filter only network sessions with the specified destination port number. |
| hostname_has_any | dynamic | Filter only network sessions for which the destination hostname field has any of the values listed. The length of the list is limited to 10,000 items. The field ASimMatchingHostname is set with the one of the values SrcHostname, DstHostname, or Both to reflect the matching fields or fields. |
| dvcaction | dynamic | Filter only network sessions for which the Device Action field is any of the values listed. |
| eventresult | String | Filter only network sessions with a specific EventResult value. |
For example, to filter only network sessions for a specified list of domain names, use:
let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co"]);
_Im_NetworkSession (hostname_has_any = torProxies)Tip
To pass a literal list to parameters that expect a dynamic value, explicitly use a dynamic literal. For example: dynamic(['192.168.','10.']).
The Network Session information model is aligned with the OSSEM Network entity schema.
Network session events use the descriptors Src and Dst to denote the roles of the devices and related users and applications involved in the session. So, for example, the source device hostname and IP address are named SrcHostname and SrcIpAddr. Note that other ASIM schemas typically use Target instead of Dst.
For events reported by an endpoint and for which the event type is EndpointNetworkSession, the descriptors Local and Remote denote the endpoint itself and the device at the other end of the network session respectively.
The descriptor Dvc is used for the reporting device, which is the local system for sessions reported by an endpoint, and the intermediary device or network tap for other network session events.
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
The following list mentions fields that have specific guidelines for Network Session events:
| Field | Class | Type | Description |
|---|---|---|---|
| EventCount | Mandatory | Integer | Netflow sources support aggregation, and the EventCount field should be set to the value of the Netflow FLOWS field. For other sources, the value is typically set to 1. |
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. For Network Session records, the allowed values are: - EndpointNetworkSession: for sessions reported by endpoint systems, including clients and servers. For such systems, the schema supports the remote and local alias fields. - NetworkSession: for sessions reported by intermediary systems and network taps. - Flow: for NetFlow type aggregated flows which group multiple similar sessions together. For such records, EventSubType should be left empty. |
| EventSubType | Optional | String | Additional description of the event type, if applicable. For Network Session records, supported values include: - Start- End |
| EventResult | Mandatory | Enumerated | If the source device does not provide an event result, EventResult should be based on the value of DvcAction. If DvcAction is Deny, Drop, Drop ICMP, Reset, Reset Source, or Reset Destination, EventResult should be Failure. Otherwise, EventResult should be Success. |
| EventSchema | Mandatory | String | The name of the schema documented here is NetworkSession. |
| EventSchemaVersion | Mandatory | String | The version of the schema. The version of the schema documented here is 0.2.3. |
| DvcAction | Optional | Enumerated | The action taken on the network session. Supported values are: - Allow- Deny- Drop- Drop ICMP- Reset- Reset Source- Reset Destination- Encrypt- Decrypt- VPNrouteNote: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the DvcOriginalAction field. Example: drop |
| EventSeverity | Optional | Enumerated | If the source device does not provide an event severity, EventSeverity should be based on the value of DvcAction. If DvcAction is Deny, Drop, Drop ICMP, Reset, Reset Source, or Reset Destination, EventSeverity should be Low. Otherwise, EventSeverity should be Informational. |
| DvcInterface | The DvcInterface field should alias either the DvcInboundInterface or the DvcOutboundInterface fields. | ||
| Dvc fields | For Network Session events, device fields refer to the system reporting the Network Session event. |
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.
| Class | Fields |
|---|---|
| Mandatory | - EventCount - EventStartTime - EventEndTime - EventType - EventResult - EventProduct - EventVendor - EventSchema - EventSchemaVersion - Dvc |
| Recommended | - EventResultDetails - EventSeverity - DvcIpAddr - DvcHostname - DvcDomain - DvcDomainType - DvcFQDN - DvcId - DvcIdType - DvcAction |
| Optional | - EventMessage - EventSubType - EventOriginalUid - EventOriginalType - EventOriginalSubType - EventOriginalResultDetails - EventOriginalSeverity - EventProductVersion - EventReportUrl - DvcMacAddr - DvcOs - DvcOsVersion - DvcOriginalAction - DvcInterface - AdditionalFields - DvcDescription |
| Field | Class | Type | Description |
|---|---|---|---|
| NetworkApplicationProtocol | Optional | String | The application layer protocol used by the connection or session. If the DstPortNumber value is provided, we recommend that you include NetworkApplicationProtocol too. If the value isn't available from the source, derive the value from the DstPortNumber value. Example: FTP |
| NetworkProtocol | Optional | Enumerated | The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP, UDP, or ICMP.Example: TCP |
| NetworkProtocolVersion | Optional | Enumerated | The version of NetworkProtocol. When using it to distinguish between IP version, use the values IPv4 and IPv6. |
| NetworkDirection | Optional | Enumerated | The direction of the connection or session: - For the EventType NetworkSession, NetworkDirection represents the direction relative to the organization or cloud environment boundary. Supported values are Inbound, Outbound, Local (to the organization), External (to the organization) or NA (Not Applicable).- For the EventType EndpointNetworkSession, NetworkDirection represents the direction relative to the endpoint. Supported values are Inbound, Outbound, Local (to the system), Listen or NA (Not Applicable). The Listen value indicates that a device has started accepting network connections but isn't actually, necessarily, connected. |
| NetworkDuration | Optional | Integer | The amount of time, in milliseconds, for the completion of the network session or connection. Example: 1500 |
| Duration | Alias | Alias to NetworkDuration. | |
| NetworkIcmpCode | Optional | Integer | For an ICMP message, the ICMP message type numeric value as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections. If a NetworkIcmpType value is provided, this field is mandatory. If the value isn't available from the source, derive the value from the NetworkIcmpType field instead. Example: 34 |
| NetworkIcmpType | Optional | String | For an ICMP message, the ICMP message type text representation, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections. Example: Destination Unreachable |
| NetworkConnectionHistory | Optional | String | TCP flags and other potential IP header information. |
| DstBytes | Recommended | Long | The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes should be the sum over all aggregated sessions. Example: 32455 |
| SrcBytes | Recommended | Long | The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes should be the sum over all aggregated sessions. Example: 46536 |
| NetworkBytes | Optional | Long | Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes should be the sum over all aggregated sessions. Example: 78991 |
| DstPackets | Optional | Long | The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets should be the sum over all aggregated sessions. Example: 446 |
| SrcPackets | Optional | Long | The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets should be the sum over all aggregated sessions. Example: 6478 |
| NetworkPackets | Optional | Long | The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets should be the sum over all aggregated sessions. Example: 6924 |
| NetworkSessionId | Optional | string | The session identifier as reported by the reporting device. Example: 172\_12\_53\_32\_4322\_\_123\_64\_207\_1\_80 |
| SessionId | Alias | String | Alias to NetworkSessionId. |
| Field | Class | Type | Description |
|---|---|---|---|
| Dst | Recommended | Alias | A unique identifier of the server receiving the DNS request. This field might alias the DstDvcId, DstHostname, or DstIpAddr fields. Example: 192.168.12.1 |
| DstIpAddr | Recommended | IP address | The IP address of the connection or session destination. If the session uses network address translation, this is the publicly visible address, and not the original address of the source which is stored in DstNatIpAddr Example: 2001:db8::ff00:42:8329Note: This value is mandatory if DstHostname is specified. |
| DstPortNumber | Optional | Integer | The destination IP port. Example: 443 |
| DstHostname | Recommended | Hostname | The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D |
| DstDomain | Recommended | String | The domain of the destination device. Example: Contoso |
| DstDomainType | Recommended | Enumerated | The type of DstDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article. Required if DstDomain is used. |
| DstFQDN | Optional | String | The destination device hostname, including domain information when available. Example: Contoso\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\hostname format. The DstDomainType reflects the format used. |
| DstDvcId | Optional | String | The ID of the destination device. If multiple IDs are available, use the most important one, and store the others in the fields DstDvc<DvcIdType>. Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
| DstDvcIdType | Optional | Enumerated | The type of DstDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Required if DstDeviceId is used. |
| DstDeviceType | Optional | Enumerated | The type of the destination device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article. |
| DstZone | Optional | String | The network zone of the destination, as defined by the reporting device. Example: Dmz |
| DstInterfaceName | Optional | String | The network interface used for the connection or session by the destination device. Example: Microsoft Hyper-V Network Adapter |
| DstInterfaceGuid | Optional | String | The GUID of the network interface used on the destination device. Example: 46ad544b-eaf0-47ef-827c-266030f545a6 |
| DstMacAddr | Optional | String | The MAC address of the network interface used for the connection or session by the destination device. Example: 06:10:9f:eb:8f:14 |
| DstVlanId | Optional | String | The VLAN ID related to the destination device. Example: 130 |
| OuterVlanId | Optional | Alias | Alias to DstVlanId. In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that DstVlanId should be used when the VLAN is characterized as outer. |
| DstSubscriptionId | Optional | String | The cloud platform subscription ID the destination device belongs to. DstSubscriptionId map to a subscription ID on Azure and to an account ID on AWS. |
| DstGeoCountry | Optional | Country | The country associated with the destination IP address. For more information, see Logical types. Example: USA |
| DstGeoRegion | Optional | Region | The region, or state, within a country associated with the destination IP address. For more information, see Logical types. Example: Vermont |
| DstGeoCity | Optional | City | The city associated with the destination IP address. For more information, see Logical types. Example: Burlington |
| DstGeoLatitude | Optional | Latitude | The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. Example: 44.475833 |
| DstGeoLongitude | Optional | Longitude | The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. Example: 73.211944 |
| Field | Class | Type | Description |
|---|---|---|---|
| DstUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the destination user. For the supported format for different ID types, refer to the User entity. Example: S-1-12 |
| DstUserIdType | Optional | UserIdType | The type of the ID stored in the DstUserId field. For a list of allowed values and further information refer to UserIdType in the Schema Overview article. |
| DstUsername | Optional | String | The destination username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the DstUsernameType field. If other username formats are available, store them in the fields DstUsername<UsernameType>.Example: AlbertE |
| User | Alias | Alias to DstUsername. | |
| DstUsernameType | Optional | UsernameType | Specifies the type of the username stored in the DstUsername field. For a list of allowed values and further information refer to UsernameType in the Schema Overview article. Example: Windows |
| DstUserType | Optional | UserType | The type of destination user. For a list of allowed values and further information refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the DstOriginalUserType field. |
| DstOriginalUserType | Optional | String | The original destination user type, if provided by the source. |
| Field | Class | Type | Description |
|---|---|---|---|
| DstAppName | Optional | String | The name of the destination application. Example: Facebook |
| DstAppId | Optional | String | The ID of the destination application, as reported by the reporting device. Example: 124 |
| DstAppType | Optional | AppType | The type of the destination application. For a list of allowed values and further information refer to AppType in the Schema Overview article. This field is mandatory if DstAppName or DstAppId are used. |
| Field | Class | Type | Description |
|---|---|---|---|
| Src | Recommended | Alias | A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1 |
| SrcIpAddr | Recommended | IP address | The IP address from which the connection or session originated. This value is mandatory if SrcHostname is specified. If the session uses network address translation, this is the publicly visible address, and not the original address of the source which is stored in SrcNatIpAddr Example: 77.138.103.108 |
| SrcPortNumber | Optional | Integer | The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. Example: 2335 |
| SrcHostname | Recommended | Hostname | The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D |
| SrcDomain | Recommended | String | The domain of the source device. Example: Contoso |
| SrcDomainType | Recommended | DomainType | The type of SrcDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article. Required if SrcDomain is used. |
| SrcFQDN | Optional | String | The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\DESKTOP-1282V4D |
| SrcDvcId | Optional | String | The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc<DvcIdType>.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
| SrcDvcIdType | Optional | DvcIdType | The type of SrcDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used. |
| SrcDeviceType | Optional | DeviceType | The type of the source device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article. |
| SrcZone | Optional | String | The network zone of the source, as defined by the reporting device. Example: Internet |
| SrcInterfaceName | Optional | String | The network interface used for the connection or session by the source device. Example: eth01 |
| SrcInterfaceGuid | Optional | String | The GUID of the network interface used on the source device. Example: 46ad544b-eaf0-47ef-827c-266030f545a6 |
| SrcMacAddr | Optional | String | The MAC address of the network interface from which the connection or session originated. Example: 06:10:9f:eb:8f:14 |
| SrcVlanId | Optional | String | The VLAN ID related to the source device. Example: 130 |
| InnerVlanId | Optional | Alias | Alias to SrcVlanId. In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that SrcVlanId should be used when the VLAN is characterized as inner. |
| SrcSubscriptionId | Optional | String | The cloud platform subscription ID the source device belongs to. SrcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS. |
| SrcGeoCountry | Optional | Country | The country associated with the source IP address. Example: USA |
| SrcGeoRegion | Optional | Region | The region within a country associated with the source IP address. Example: Vermont |
| SrcGeoCity | Optional | City | The city associated with the source IP address. Example: Burlington |
| SrcGeoLatitude | Optional | Latitude | The latitude of the geographical coordinate associated with the source IP address. Example: 44.475833 |
| SrcGeoLongitude | Optional | Longitude | The longitude of the geographical coordinate associated with the source IP address. Example: 73.211944 |
| Field | Class | Type | Description |
|---|---|---|---|
| SrcUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. For the supported format for different ID types, refer to the User entity. Example: S-1-12 |
| SrcUserIdType | Optional | UserIdType | The type of the ID stored in the SrcUserId field. For a list of allowed values and further information refer to UserIdType in the Schema Overview article. |
| SrcUsername | Optional | String | The source username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the SrcUsernameType field. If other username formats are available, store them in the fields SrcUsername<UsernameType>.Example: AlbertE |
| SrcUsernameType | Optional | UsernameType | Specifies the type of the username stored in the SrcUsername field. For a list of allowed values and further information refer to UsernameType in the Schema Overview article. Example: Windows |
| SrcUserType | Optional | UserType | The type of source user. For a list of allowed values and further information refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the SrcOriginalUserType field. |
| SrcOriginalUserType | Optional | String | The original destination user type, if provided by the reporting device. |
| Field | Class | Type | Description |
|---|---|---|---|
| SrcAppName | Optional | String | The name of the source application. Example: filezilla.exe |
| SrcAppId | Optional | String | The ID of the source application, as reported by the reporting device. Example: 124 |
| SrcAppType | Optional | AppType | The type of the source application. For a list of allowed values and further information refer to AppType in the Schema Overview article. This field is mandatory if SrcAppName or SrcAppId are used. |
All the source and destination fields listed above, can be optionally aliased by fields with the same name and the descriptors Local and Remote. This is typically helpful for events reported by an endpoint and for which the event type is EndpointNetworkSession.
For such events the descriptors Local and Remote denote the endpoint itself and the device at the other end of the network session respectively. For inbound connections, the local system is the destination, Local fields are aliases to the Dst fields, and 'Remote' fields are aliases to Src fields. Conversely, for outbound connections, the local system is the source, Local fields are aliases to the Src fields, and Remote fields are aliases to Dst fields.
For example, for an inbound event, the field LocalIpAddr is an alias to DstIpAddr and the field RemoteIpAddr is an alias to SrcIpAddr.
| Field | Class | Type | Description |
|---|---|---|---|
| Hostname | Alias | - If the event type is NetworkSession, Hostname is an alias to DstHostname.- If the event type is EndpointNetworkSession, Hostname is an alias to RemoteHostname, which can alias either DstHostname or SrcHostName, depending on NetworkDirection |
|
| IpAddr | Alias | - If the event type is NetworkSession, Hostname is an alias to SrcIpAddr.- If the event type is EndpointNetworkSession, Hostname is an alias to LocalIpAddr, which can alias either SrcIpAddr or DstIpAddr, depending on NetworkDirection. |
The following fields are useful if the record includes information about an intermediary device, such as a firewall or a proxy, which relays the network session.
Intermediary systems often use address translation and therefore the original address and the address observed externally are not the same. In such cases, the primary address fields such as SrcIPAddr and DstIpAddr represent the addresses observed externally, while the NAT address fields, SrcNatIpAddr and DstNatIpAddr represent the internal address of the original device before translation.
The following fields are used to represent that inspection which a security device such as a firewall, an IPS, or a web security gateway performed:
| Field | Class | Type | Description |
|---|---|---|---|
| NetworkRuleName | Optional | String | The name or ID of the rule by which DvcAction was decided upon. Example: AnyAnyDrop |
| NetworkRuleNumber | Optional | Integer | The number of the rule by which DvcAction was decided upon. Example: 23 |
| Rule | Mandatory | Alias | Either NetworkRuleName or NetworkRuleNumber. |
| ThreatId | Optional | String | The ID of the threat or malware identified in the network session. Example: Tr.124 |
| ThreatName | Optional | String | The name of the threat or malware identified in the network session. Example: EICAR Test File |
| ThreatCategory | Optional | String | The category of the threat or malware identified in the network session. Example: Trojan |
| ThreatRiskLevel | Optional | Integer | The risk level associated with the session. The level should be a number between 0 and 100. Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal. |
| ThreatRiskLevelOriginal | Optional | String | The risk level as reported by the reporting device. |
If the event is reported by one of the endpoints of the network session, it might include information about the process that initiated or terminated the session. In such cases, the ASIM Process Event schema is used to normalize this information.
These are the changes in version 0.2.1 of the schema:
- Added
SrcandDstas aliases to a leading identifier for the source and destination systems. - Added the fields
**NetworkConnectionHistory**,**SrcVlanId**,**DstVlanId**,InnerVlanId, andOuterVlanId.
These are the changes in version 0.2.2 of the schema:
- Added
RemoteandLocalaliases. - Added the event type
EndpointNetworkSession. - Defined
HostnameandIpAddras aliases forRemoteHostnameandLocalIpAddrrespectively when the event type isEndpointNetworkSession. - Defined
DvcInterfaceas an alias toDvcInboundInterfaceorDvcOutboundInterface. - Changed the type of the following fields from Integer to Long:
SrcBytes,DstBytes,NetworkBytes,SrcPackets,DstPackets, andNetworkPackets. - Added the fields
NetworkProtocolVersion,SrcSubscriptionId, andDstSubscriptionId. - Deprecated
DstUserDomainandSrcUserDomain.
Theses are the changes in version 0.2.3 of the schema:
- Added the
ipaddr_has_any_prefixfiltering parameter. - The
hostname_has_anyfiltering parameter now matches either source or destination hostnames. - Added the fields
ASimMatchingHostnameandASimMatchingIpAddr.
For more information, see: