normalization-common-fields.md (latest commit 974be9c, May 4, 2022)
---
title: The Advanced Security Information Model (ASIM) common schema fields reference (preview) | Microsoft Docs
description: This article describes the Advanced Security Information Model (ASIM) common schema fields
author: oshezaf
ms.topic: reference
ms.date: 11/17/2021
ms.author: ofshezaf
---

# The Advanced Security Information Model (ASIM) common schema fields reference (preview)

Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field.

## Standard Log Analytics fields

The following fields are generated by Log Analytics, in most cases, for each record. They can be overridden when you create a custom connector.

| Field | Type | Discussion |
| ----- | ---- | ---------- |
| TimeGenerated | datetime | The time the event was generated by the reporting device. |
| _ResourceId | String | The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded by using Syslog, CEF, or WEF. `_ResourceId` is not generated for sources that do not have a resource concept, such as Microsoft Defender for Endpoint, and is empty for events from these sources. |
| Type | String | The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels into different tables while carrying the same EventVendor and EventProduct values.<br><br>For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. |

> [!NOTE]
> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see Standard columns in Azure Monitor Logs.

## Common ASIM fields

The following fields are defined by ASIM for all schemas:

### Event fields

| Field | Class | Type | Description |
| ----- | ----- | ---- | ----------- |
| EventMessage | Optional | String | A general message or description, either included in or generated from the record. |
| EventCount | Mandatory | Integer | The number of events described by the record.<br><br>This value is used when the source supports aggregation, and a single record might represent multiple events.<br><br>For other sources, set to 1. |
| EventStartTime | Mandatory | Date/time | The time at which the event started. If the source supports aggregation and the record represents multiple events, the time at which the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field. |
| EventEndTime | Mandatory | Date/time | The time at which the event ended. If the source supports aggregation and the record represents multiple events, the time at which the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field. |
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source-specific value is stored in the EventOriginalType field. |
| EventSubType | Optional | Enumerated | Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source-specific value is stored in the EventOriginalSubType field. |
| EventResult | Mandatory | Enumerated | One of the following values: Success, Partial, Failure, NA (Not Applicable).<br><br>The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value.<br><br>Example: Success |
| EventResultDetails | Recommended | Enumerated | Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source-specific value is stored in the EventOriginalResultDetails field.<br><br>Example: NXDOMAIN |
| EventOriginalUid | Optional | String | A unique ID of the original record, if provided by the source.<br><br>Example: 69f37748-ddcd-4331-bf0f-b137f1ea83b |
| EventOriginalType | Optional | String | The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema.<br><br>Example: 4624 |
| EventOriginalSubType | Optional | String | The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema.<br><br>Example: 2 |
| EventOriginalResultDetails | Optional | String | The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema. |
| EventSeverity | Recommended | Enumerated | The severity of the event. Valid values are: Informational, Low, Medium, or High. |
| EventOriginalSeverity | Optional | String | The original severity as provided by the reporting device. This value is used to derive EventSeverity. |
| EventProduct | Mandatory | String | The product generating the event. The value should be one of the values listed in Vendors and products.<br><br>Example: Sysmon |
| EventProductVersion | Optional | String | The version of the product generating the event.<br><br>Example: 12.1 |
| EventVendor | Mandatory | String | The vendor of the product generating the event. The value should be one of the values listed in Vendors and products.<br><br>Example: Microsoft |
| EventSchema | Mandatory | String | The schema the event is normalized to. Each schema documents its schema name. |
| EventSchemaVersion | Mandatory | String | The version of the schema. Each schema documents its current version. |
| EventReportUrl | Optional | String | A URL provided in the event for a resource that provides more information about the event. |

### Device fields

The role of the device fields is different for different schemas and event types. For example, for the Network Session schema, device fields provide information about the device which generated the event, while for the Process Event schema, the device fields provide information on the device on which the process is executed. Each schema document specifies the role of the device for the schema.

| Field | Class | Type | Description |
| ----- | ----- | ---- | ----------- |
| Dvc | Mandatory | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema.<br><br>This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the EventProduct field. |
| DvcIpAddr | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: 45.21.42.12 |
| DvcHostname | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: ContosoDc |
| DvcDomain | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: Contoso |
| DvcDomainType | Recommended | Enumerated | The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.<br><br>Note: This field is required if the DvcDomain field is used. |
| DvcFQDN | Optional | String | The fully qualified domain name of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: Contoso\DESKTOP-1282V4D<br><br>Note: This field supports both traditional FQDN format and Windows domain\hostname format. The DvcDomainType field reflects the format used. |
| DvcDescription | Optional | String | A descriptive text associated with the device. For example: Primary Domain Controller. |
| DvcId | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: 41502da5-21b7-48ec-81c9-baeea8d7d669 |
| DvcIdType | Optional | Enumerated | The type of DvcId. For a list of allowed values and further information, refer to DvcIdType.<br><br>If multiple IDs are available, for example both an Azure resource ID and a Microsoft Defender for Endpoint ID (MDEid), use the first one from that list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively.<br><br>Note: This field is required if the DvcId field is used. |
| DvcMacAddr | Optional | MAC | The MAC address of the device on which the event occurred or which reported the event.<br><br>Example: 00:1B:44:11:3A:B7 |
| DvcZone | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: Dmz |
| DvcOs | Optional | String | The operating system running on the device on which the event occurred or which reported the event.<br><br>Example: Windows |
| DvcOsVersion | Optional | String | The version of the operating system on the device on which the event occurred or which reported the event.<br><br>Example: 10 |
| DvcAction | Optional | String | For reporting security systems, the action taken by the system, if applicable.<br><br>Example: Blocked |
| DvcOriginalAction | Optional | String | The original DvcAction as provided by the reporting device. |
| DvcInterface | Optional | String | The network interface on which data was captured. This field is typically relevant to network-related activity that is captured by an intermediate or tap device. |
| DvcSubscriptionId | Optional | String | The cloud platform subscription ID the device belongs to. DvcSubscriptionId maps to a subscription ID on Azure and to an account ID on AWS. |
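The following KQL is added here as an illustration and is not taken from the ASIM documentation or from the Microsoft Sentinel parser library. It normalizes three constructed Windows Security event rows (in the shape of the SecurityEvent table) into the common Event and Dvc fields described in the two tables above, including the EventOriginal* to normalized-enumeration derivation and the two DvcFQDN formats that DvcDomainType distinguishes. The sample rows, the EventSubType mapping, the EventSchemaVersion value, and the DvcDomainType values FQDN and Windows are assumptions made for the example; confirm each against the Authentication schema and the DomainType reference before reusing them.

```kusto
// Added example, not part of the ASIM documentation or the Microsoft Sentinel
// parser library. Normalizes constructed Windows Security event rows (the shape
// of the SecurityEvent table) into the ASIM common Event and Dvc fields.
let SampleSecurityEvent = datatable(
    TimeGenerated: datetime, Computer: string, EventID: int, LogonType: int, Activity: string)
[
    // Constructed sample rows: FQDN host, Windows domain\hostname, bare hostname.
    datetime(2021-11-17T10:00:00Z), "ContosoDc.contoso.com",    4624, 2,  "4624 - An account was successfully logged on.",
    datetime(2021-11-17T10:00:05Z), @"CONTOSO\DESKTOP-1282V4D", 4625, 10, "4625 - An account failed to log on.",
    datetime(2021-11-17T10:00:09Z), "FILESRV01",                4624, 3,  "4624 - An account was successfully logged on."
];
SampleSecurityEvent
| extend
    // No aggregation: each record is one event, and start/end alias TimeGenerated.
    EventCount = int(1),
    EventStartTime = TimeGenerated,
    EventEndTime = TimeGenerated,
    EventMessage = Activity,
    // Preserve the source values, then derive the normalized enumerations from them.
    EventOriginalType = tostring(EventID),
    EventOriginalSubType = tostring(LogonType),
    EventType = "Logon",
    // Assumed mapping for illustration only; the Authentication schema documents the valid list.
    EventSubType = case(LogonType == 2,  "Interactive",
                        LogonType == 3,  "Network",
                        LogonType == 10, "RemoteInteractive",
                        "Other"),
    EventResult = iff(EventID == 4624, "Success", "Failure"),
    EventSeverity = iff(EventID == 4624, "Informational", "Low"),
    EventVendor = "Microsoft",
    EventProduct = "Security Events",
    EventSchema = "Authentication",
    EventSchemaVersion = "0.1.0"     // assumed; take the version from the schema document
// DvcFQDN accepts both host.domain.tld and DOMAIN\host; DvcDomainType records which.
// "FQDN" and "Windows" are the values assumed here for the DomainType reference.
| extend DvcDomainType = case(
    Computer contains @"\", "Windows",
    Computer contains ".",  "FQDN",
    "")                               // bare hostname: no domain information
| extend
    DvcHostname = case(
        DvcDomainType == "Windows", tostring(split(Computer, @"\")[1]),
        DvcDomainType == "FQDN",    tostring(split(Computer, ".")[0]),
        Computer),
    DvcDomain = case(
        DvcDomainType == "Windows", tostring(split(Computer, @"\")[0]),
        DvcDomainType == "FQDN",    strcat_array(array_slice(split(Computer, "."), 1, -1), "."),
        ""),
    // DvcFQDN is only populated when a domain is actually present.
    DvcFQDN = iff(DvcDomainType != "", Computer, "")
// Dvc aliases DvcFQDN when available and falls back to DvcHostname.
| extend Dvc = coalesce(DvcFQDN, DvcHostname)
| project-away Activity, EventID, LogonType, Computer
| project-reorder TimeGenerated, Event*, Dvc*
```

Run in a Log Analytics query window; the three output rows should show DvcDomainType of FQDN, Windows and an empty string respectively, with DvcDomain populated only for the first two and DvcDomainType always set whenever DvcDomain is, as the table above requires. A real parser would read from SecurityEvent instead of the datatable and would also populate the schema-specific fields (actor, target, and so on) that this example omits.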

### Other fields

| Field | Class | Type | Description |
| ----- | ----- | ---- | ----------- |
| AdditionalFields | Optional | Dynamic | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information to it as key/value pairs. |
| ASimMatchingIpAddr | Recommended | String | When a parser uses the ipaddr_has_any_prefix filtering parameter, this field is set to one of the values SrcIpAddr, DstIpAddr, or Both to reflect the matching field or fields. |
| ASimMatchingHostname | Recommended | String | When a parser uses the hostname_has_any filtering parameter, this field is set to one of the values SrcHostname, DstHostname, or Both to reflect the matching field or fields. |
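An added example, not one of the ASIM parsers in the Microsoft Sentinel repository, of how a parser that accepts the ipaddr_has_any_prefix filtering parameter applies the filter and then records which side matched in ASimMatchingIpAddr. The sample records and the FilterNetworkSession function name are constructed for this illustration; leaving the field empty when no filter list is supplied is this example's choice, not a documented requirement.

```kusto
// Added example, not one of the ASIM parsers in the Microsoft Sentinel repository.
// Shows how a parser that accepts the ipaddr_has_any_prefix filtering parameter
// applies the filter and records which side matched in ASimMatchingIpAddr.
let SampleNetworkSession = datatable(
    TimeGenerated: datetime, SrcIpAddr: string, DstIpAddr: string, DstPortNumber: int)
[
    // Constructed rows covering: destination match, source match, no match, both match.
    datetime(2021-11-17T10:00:00Z), "10.1.2.3",    "45.21.42.12", 443,
    datetime(2021-11-17T10:00:01Z), "45.21.42.12", "10.1.2.4",    22,
    datetime(2021-11-17T10:00:02Z), "10.1.2.5",    "10.1.2.6",    445,
    datetime(2021-11-17T10:00:03Z), "45.21.42.13", "45.21.42.14", 80
];
// Parser-style function; the parameter name and default follow the ASIM filtering
// convention (an empty list means "do not filter").
let FilterNetworkSession = (ipaddr_has_any_prefix: dynamic = dynamic([])) {
    SampleNetworkSession
    | extend
        srcMatch = array_length(ipaddr_has_any_prefix) == 0
                   or has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix),
        dstMatch = array_length(ipaddr_has_any_prefix) == 0
                   or has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)
    // Keep a row if either side matches (or no filter was supplied).
    | where srcMatch or dstMatch
    | extend ASimMatchingIpAddr = case(
        array_length(ipaddr_has_any_prefix) == 0, "",   // no filter: left empty (this example's choice)
        srcMatch and dstMatch, "Both",
        srcMatch, "SrcIpAddr",
        "DstIpAddr")
    | project-away srcMatch, dstMatch
};
// Returns three rows with ASimMatchingIpAddr of DstIpAddr, SrcIpAddr and Both;
// the session between two 10.1.2.x hosts is filtered out.
FilterNetworkSession(dynamic(["45.21.42."]))
```

Computing the two match flags once and reusing them for both the where clause and the ASimMatchingIpAddr derivation keeps the filter and the reported match consistent; deriving the field from a second, separately written condition is how the two silently drift apart as a parser evolves.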

## Vendors and products

To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and may not directly correspond to the value sent by the source, when available.

The currently supported list of vendors and products used in the EventVendor and EventProduct fields respectively is:

| Vendor | Products |
| ------ | -------- |
| AWS | - CloudTrail<br>- VPC |
| Cisco | - ASA<br>- Umbrella |
| Corelight | Zeek |
| GCP | Cloud DNS |
| Infoblox | NIOS |
| Microsoft | - AAD<br>- Azure Firewall<br>- Azure File Storage<br>- Azure NSG flows<br>- DNS Server<br>- Microsoft 365 Defender for Endpoint<br>- Microsoft Defender for IoT<br>- Security Events<br>- Sharepoint 365<br>- Sysmon<br>- Sysmon for Linux<br>- VMConnection<br>- Windows Firewall<br>- WireData |
| Okta | - Okta<br>- Auth0 |
| Palo Alto | - PanOS<br>- CDL |
| PostgreSQL | PostgreSQL |
| Squid | Squid Proxy |
| Vectra AI | Vectra Stream |
| WatchGuard | Fireware |
| Zscaler | - ZIA DNS<br>- ZIA Firewall<br>- ZIA Proxy |

If you are developing a parser for a vendor or a product that is not listed here, contact the Microsoft Sentinel team to allocate new allowed vendor and product designators.

## Next steps

For more information, see: