| title | description | author | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|
The Advanced Security Information Model (ASIM) common schema fields reference (preview) | Microsoft Docs |
This article describes the Advanced Information Security (ASIM) common schema fields |
oshezaf |
reference |
11/17/2021 |
ofshezaf |
Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field.
The following fields are generated by Log Analytics, in most cases, for each record. They can be overridden when you create a custom connector.
| Field | Type | Discussion |
|---|---|---|
| TimeGenerated | datetime | The time the event was generated by the reporting device. |
| _ResourceId | String | The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded by using Syslog, CEF, or WEF. _ResourceId is not generated for sources for that do not have a resource concept, such as Microsoft Defender for Endpoint and will be empty for events from these sources. |
| Type | String | The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. |
Note
Log Analytics also adds other fields that are less relevant to security use cases. For more information, see Standard columns in Azure Monitor Logs.
The following fields are defined by ASIM for all schemas:
| Field | Class | Type | Description |
|---|---|---|---|
| EventMessage | Optional | String | A general message or description, either included in or generated from the record. |
| EventCount | Mandatory | Integer | The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to 1. |
| EventStartTime | Mandatory | Date/time | The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field. |
| EventEndTime | Mandatory | Date/time | The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field. |
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalType field. |
| EventSubType | Optional | Enumerated | Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field. |
| EventResult | Mandatory | Enumerated | One of the following values: Success, Partial, Failure, NA (Not Applicable). The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. Example: Success |
| EventResultDetails | Recommended | Enumerated | Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. Example: NXDOMAIN |
| EventOriginalUid | Optional | String | A unique ID of the original record, if provided by the source. Example: 69f37748-ddcd-4331-bf0f-b137f1ea83b |
| EventOriginalType | Optional | String | The original event type or ID, if provided by the source. For example, this field will be used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. Example: 4624 |
| EventOriginalSubType | Optional | String | The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. Example: 2 |
| EventOriginalResultDetails | Optional | String | The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema. |
| EventSeverity | Recommended | Enumerated | The severity of the event. Valid values are: Informational, Low, Medium, or High. |
| EventOriginalSeverity | Optional | String | The original severity as provided by the reporting device. This value is used to derive EventSeverity. |
| EventProduct | Mandatory | String | The product generating the event. The value should be one of the values listed in Vendors and Products. Example: Sysmon |
| EventProductVersion | Optional | String | The version of the product generating the event. Example: 12.1 |
| EventVendor | Mandatory | String | The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. Example: Microsoft |
| EventSchema | Mandatory | String | The schema the event is normalized to. Each schema documents its schema name. |
| EventSchemaVersion | Mandatory | String | The version of the schema. Each schema documents its current version. |
| EventReportUrl | Optional | String | A URL provided in the event for a resource that provides more information about the event. |
The role of the device fields is different for different schemas and event types. For example, for the Network Session schema, device fields provide information about the device which generated the event, while for the Process Event schema, the device fields provide information on the device on which the process is executed. Each schema document specifies the role of the device for the schema.
| Field | Class | Type | Description |
|---|---|---|---|
| Dvc | Mandatory | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the Event Product field. |
| DvcIpAddr | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. Example: 45.21.42.12 |
| DvcHostname | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: ContosoDc |
| DvcDomain | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso |
| DvcDomainType | Recommended | Enumerated | The type of DvcDomain. For a list of allowed values and further information refer to DomainType. Note: This field is required if the DvcDomain field is used. |
| DvcFQDN | Optional | String | The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso\DESKTOP-1282V4DNote: This field supports both traditional FQDN format and Windows domain\hostname format. The DvcDomainType field reflects the format used. |
| DvcDescription | Optional | String | A descriptive text associated with the device. For example: Primary Domain Controller. |
| DvcId | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. Example: 41502da5-21b7-48ec-81c9-baeea8d7d669 |
| DvcIdType | Optional | Enumerated | The type of DvcId. For a list of allowed values and further information refer to DvcIdType. - MDEidIf multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively. Note: This field is required if the DvcId field is used. |
| DvcMacAddr | Optional | MAC | The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7 |
| DvcZone | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. Example: Dmz |
| DvcOs | Optional | String | The operating system running on the device on which the event occurred or which reported the event. Example: Windows |
| DvcOsVersion | Optional | String | The version of the operating system on the device on which the event occurred or which reported the event. Example: 10 |
| DvcAction | Optional | String | For reporting security systems, the action taken by the system, if applicable. Example: Blocked |
| DvcOriginalAction | Optional | String | The original DvcAction as provided by the reporting device. |
| DvcInterface | Optional | String | The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device. |
| DvcSubscriptionId | Optional | String | The cloud platform subscription ID the device belongs to. DvcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS. |
To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and may not directly correspond to the value sent by the source, when available.
The currently supported list of vendors and products used in the EventVendor and EventProduct fields respectively is:
| Vendor | Products |
|---|---|
| AWS | - CloudTrail - VPC |
| Cisco | - ASA - Umbrella |
| Corelight | Zeek |
| GCP | Cloud DNS |
| Infoblox | NIOS |
| Microsoft | - AAD - Azure Firewall - Azure File Storage - Azure NSG flows - DNS Server - Microsoft 365 Defender for Endpoint - Microsoft Defender for IoT - Security Events - Sharepoint 365 - Sysmon - Sysmon for Linux - VMConnection - Windows Firewall - WireData |
| Okta | - Okta - Auth0 |
| Palo Alto | - PanOS - CDL |
| PostgreSQL | PostgreSQL |
| Squid | Squid Proxy |
| Vectra AI | Vectra Steam |
| WatchGuard | Fireware |
| Zscaler | - ZIA DNS - ZIA Firewall - ZIA Proxy |
If you are developing a parser for a vendor or a product which are not listed here, contact the Microsoft Sentinel team to allocate a new allowed vendor and product designators.
For more information, see: