Microsoft Sentinel user management normalization schema reference (preview)
The Microsoft Sentinel user management normalization schema is used to describe user management activities, such as creating a user or a group, changing user attribute, or adding a user to a group. Such events are reported, for example, by operating systems, directory services, identity management systems, and any other system reporting on its local user management activity.
For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).
Important
The user management normalization schema is currently in preview. This feature is provided without a service level agreement. We don't recommend it for production workloads.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Schema overview
The ASIM user management schema describes user management activities. The activities typically include the following entities:
- Actor - the user performing the management activity.
- Acting Process - the process used by the actor to perform the management activity.
- Src - when the activity is performed over the network, the source device from which the activity was initiated.
- Target User - the user who's account is managed.
- Group the target user is added or removed from, or being modified.
Some activities, such as UserCreated, GroupCreated, UserModified, and GroupModified*, set or update user properties. The property set or updated is documented in the following fields:
- EventSubType - the name of the value that was set or updated. UpdatedPropertyName is an alias to EventSubType when EventSubType refers to one of the relevant event types.
- PreviousPropertyValue - the previous value of the property.
- NewPropertyValue - the updated value of the property.
Schema details
Common ASIM fields
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
Common fields with specific guidelines
The following list mentions fields that have specific guidelines for process activity events:
| Field | Class | Type | Description |
|---|---|---|---|
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. For User Management activity, the supported values are: - UserCreated- UserDeleted- UserModified- UserLocked- UserUnlocked- UserDisabled- UserEnabled- PasswordChanged- PasswordReset- GroupCreated- GroupDeleted- GroupModified- UserAddedToGroup- UserRemovedFromGroup- GroupEnumerated- UserRead- GroupRead |
| EventSubType | Optional | Enumerated | The following sub-types are supported: - UserRead: Password, Hash- UserCreated, GroupCreated, UserModified, GroupModified. For more information, see UpdatedPropertyName |
| EventResult | Mandatory | Enumerated | While failure is possible, most systems report only successful user management events. The expected value for successful events is Success. |
| EventResultDetails | Recommended | Enumerated | The valid values are NotAuthorized and Other. |
| EventSeverity | Mandatory | Enumerated | While any valid severity value is allowed, the severity of user management events is typically Informational. |
| EventSchema | Mandatory | String | The name of the schema documented here is UserManagement. |
| EventSchemaVersion | Mandatory | String | The version of the schema. The version of the schema documented here is 0.1.1. |
| Dvc fields | For user management events, device fields refer to the system reporting the event. This is usually the system on which the user is managed. |
All common fields
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.
| Class | Fields |
|---|---|
| Mandatory | - EventCount - EventStartTime - EventEndTime - EventType - EventResult - EventProduct - EventVendor - EventSchema - EventSchemaVersion - Dvc |
| Recommended | - EventResultDetails - EventSeverity - EventUid - DvcIpAddr - DvcHostname - DvcDomain - DvcDomainType - DvcFQDN - DvcId - DvcIdType - DvcAction |
| Optional | - EventMessage - EventSubType - EventOriginalUid - EventOriginalType - EventOriginalSubType - EventOriginalResultDetails - EventOriginalSeverity - EventProductVersion - EventReportUrl - EventOwner - DvcZone - DvcMacAddr - DvcOs - DvcOsVersion - DvcOriginalAction - DvcInterface - AdditionalFields - DvcDescription - DvcScopeId - DvcScope |
Updated property fields
| Field | Class | Type | Description |
|---|---|---|---|
| UpdatedPropertyName | Alias | Alias to EventSubType when the Event Type is UserCreated, GroupCreated, UserModified, or GroupModified.Supported values are: - MultipleProperties: Used when the activity updates multiple properties- Previous<PropertyName>, where <PropertyName> is one of the supported values for UpdatedPropertyName. - New<PropertyName>, where <PropertyName> is one of the supported values for UpdatedPropertyName. |
|
| PreviousPropertyValue | Optional | String | The previous value that was stored in the specified property. |
| NewPropertyValue | Optional | String | The new value stored in the specified property. |
Target user fields
| Field | Class | Type | Description |
|---|---|---|---|
| TargetUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the target user. Supported formats and types include: - SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500- UID (Linux): 4578- AADID (Microsoft Entra ID): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa- OktaId: 00urjk4znu3BcncfY0h7- AWSId: 72643944673Store the ID type in the TargetUserIdType field. If other IDs are available, we recommend that you normalize the field names to TargetUserSid, TargetUserUid, TargetUserAADID, TargetUserOktaId, and TargetUserAwsId, respectively. For more information, see The User entity. Example: S-1-12 |
| TargetUserIdType | Optional | Enumerated | The type of the ID stored in the TargetUserId field. Supported values are SID, UID, AADID, OktaId, and AWSId. |
| TargetUsername | Optional | String | The target username, including domain information when available. Use one of the following formats and in the following order of priority: - Upn/Email: johndow@contoso.com- Windows: Contoso\johndow- DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM- Simple: johndow. Use the Simple form only if domain information isn't available.Store the Username type in the TargetUsernameType field. If other IDs are available, we recommend that you normalize the field names to TargetUserUpn, TargetUserWindows, and TargetUserDn. For more information, see The User entity. Example: AlbertE |
| TargetUsernameType | Optional | Enumerated | Specifies the type of the username stored in the TargetUsername field. Supported values include UPN, Windows, DN, and Simple. For more information, see The User entity.Example: Windows |
| TargetUserType | Optional | Enumerated | The type of target user. Supported values include: - Regular- Machine- Admin- System- Application- Service Principal- OtherNote: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the TargetOriginalUserType field. |
| TargetOriginalUserType | Optional | String | The original destination user type, if provided by the source. |
Actor fields
| Field | Class | Type | Description |
|---|---|---|---|
| ActorUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. Supported formats and types include: - SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500- UID (Linux): 4578- AADID (Microsoft Entra ID): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa- OktaId: 00urjk4znu3BcncfY0h7- AWSId: 72643944673Store the ID type in the ActorUserIdType field. If other IDs are available, we recommend that you normalize the field names to ActorUserSid, ActorUserUid, ActorUserAadId, ActorUserOktaId, and ActorAwsId, respectively. For more information, see The User entity. Example: S-1-12 |
| ActorUserIdType | Optional | Enumerated | The type of the ID stored in the ActorUserId field. Supported values include SID, UID, AADID, OktaId, and AWSId. |
| ActorUsername | Mandatory | String | The Actor username, including domain information when available. Use one of the following formats and in the following order of priority: - Upn/Email: johndow@contoso.com- Windows: Contoso\johndow- DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM- Simple: johndow. Use the Simple form only if domain information isn't available.Store the Username type in the ActorUsernameType field. If other IDs are available, we recommend that you normalize the field names to ActorUserUpn, ActorUserWindows, and ActorUserDn. For more information, see The User entity. Example: AlbertE |
| User | Alias | Alias to ActorUsername. | |
| ActorUsernameType | Mandatory | Enumerated | Specifies the type of the username stored in the ActorUsername field. Supported values are UPN, Windows, DN, and Simple. For more information, see The User entity.Example: Windows |
| ActorUserType | Optional | Enumerated | The type of the Actor. Allowed values are: - Regular- Machine- Admin- System- Application- Service Principal- OtherNote: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the ActorOriginalUserType field. |
| ActorOriginalUserType | The original actor user type, if provided by the source. | ||
| ActorSessionId | Optional | String | The unique ID of the login session of the Actor. Example: 999Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. |
Group fields
| Field | Class | Type | Description |
|---|---|---|---|
| GroupId | Optional | String | A machine-readable, alphanumeric, unique representation of the group, for activities involving a group. Supported formats and types include: - SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500- UID (Linux): 4578Store the ID type in the GroupIdType field. If other IDs are available, we recommend that you normalize the field names to GroupSid or GroupUid, respectively. For more information, see The User entity. Example: S-1-12 |
| GroupIdType | Optional | Enumerated | The type of the ID stored in the GroupId field. Supported values are SID, and UID. |
| GroupName | Optional | String | The group name, including domain information when available, for activities involving a group. Use one of the following formats and in the following order of priority: - Upn/Email: grp@contoso.com- Windows: Contoso\grp- DN: CN=grp,OU=Sales,DC=Fabrikam,DC=COM- Simple: grp. Use the Simple form only if domain information isn't available.Store the group name type in the GroupNameType field. If other IDs are available, we recommend that you normalize the field names to GroupUpn, GorupNameWindows, and GroupDn. Example: Contoso\Finance |
| GroupNameType | Optional | Enumerated | Specifies the type of the group name stored in the GroupName field. Supported values include UPN, Windows, DN, and Simple.Example: Windows |
| GroupType | Optional | Enumerated | The type of the group, for activities involving a group. Supported values include: - Local Distribution- Local Security Enabled- Global Distribution- Global Security Enabled- Universal Distribution- Universal Security Enabled- OtherNote: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the GroupOriginalType field. |
| GroupOriginalType | Optional | String | The original group type, if provided by the source. |
Source fields
| Field | Class | Type | Description |
|---|---|---|---|
| Src | Recommended | String | A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1 |
| SrcIpAddr | Recommended | IP address | The IP address of the source device. This value is mandatory if SrcHostname is specified. Example: 77.138.103.108 |
| IpAddr | Alias | Alias to SrcIpAddr. | |
| SrcHostname | Recommended | String | The source device hostname, excluding domain information. Example: DESKTOP-1282V4D |
| SrcDomain | Recommended | String | The domain of the source device. Example: Contoso |
| SrcDomainType | Recommended | Enumerated | The type of SrcDomain, if known. Possible values include: - Windows (such as contoso)- FQDN (such as microsoft.com)Required if SrcDomain is used. |
| SrcFQDN | Optional | String | The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\DESKTOP-1282V4D |
| SrcDvcId | Optional | String | The ID of the source device as reported in the record. Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
| SrcDvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS. |
| SrcDvcScope | Optional | String | The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS. |
| SrcDvcIdType | Optional | Enumerated | The type of SrcDvcId, if known. Possible values include: - AzureResourceId- MDEidIf multiple IDs are available, use the first one from the preceding list, and store the others in SrcDvcAzureResourceId and SrcDvcMDEid, respectively. Note: This field is required if SrcDvcId is used. |
| SrcDeviceType | Optional | Enumerated | The type of the source device. Possible values include: - Computer- Mobile Device- IOT Device- Other |
| SrcGeoCountry | Optional | Country | The country associated with the source IP address. Example: USA |
| SrcGeoRegion | Optional | Region | The region associated with the source IP address. Example: Vermont |
| SrcGeoCity | Optional | City | The city associated with the source IP address. Example: Burlington |
| SrcGeoLatitude | Optional | Latitude | The latitude of the geographical coordinate associated with the source IP address. Example: 44.475833 |
| SrcGeoLongitude | Optional | Longitude | The longitude of the geographical coordinate associated with the source IP address. Example: 73.211944 |
Acting Application
| Field | Class | Type | Description |
|---|---|---|---|
| ActingAppId | Optional | String | The ID of the application used by the actor to perform the activity, including a process, browser, or service. For example: 0x12ae8 |
| ActingAppName | Optional | String | The name of the application used by the actor to perform the activity, including a process, browser, or service. For example: C:\Windows\System32\svchost.exe |
| ActingAppType | Optional | Enumerated | The type of acting application. Supported values include: - Process - Browser - Resource - Other |
| HttpUserAgent | Optional | String | When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication. For example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 |
Additional fields and aliases
| Field | Class | Type | Description |
|---|---|---|---|
| Hostname | Alias | Alias to DvcHostname. |
Next steps
For more information, see: