संपादित करें

इसके माध्यम से साझा किया गया


The Advanced Security Information Model (ASIM) DHCP normalization schema reference (Public preview)

The DHCP information model is used to describe events reported by a DHCP server, and is used by Microsoft Sentinel to enable source-agnostic analytics.

For more information, see Normalization and the Advanced Security Information Model (ASIM).

Important

The DHCP normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Schema overview

The ASIM DHCP schema represents DHCP server activity, including serving requests for DHCP IP address leased from client systems and updating a DNS server with the leases granted.

The most important fields in a DHCP event are SrcIpAddr and SrcHostname, which the DHCP server binds by granting the lease, and are aliased by IpAddr and Hostname fields respectively. The SrcMacAddr field is also important as it represents the client machine used when an IP address is not leased.

A DHCP server may reject a client, either due to the security concerns, or because of network saturation. It may also quarantine a client by leasing to it an IP address that would connect it to a limited network. The EventResult, EventResultDetails and DvcAction fields provide information about the DHCP server response and action.

A lease's duration is stored in the DhcpLeaseDuration field.

Schema details

ASIM is aligned with the Open Source Security Events Metadata (OSSEM) project.

OSSEM does not have a DHCP schema comparable to the ASIM DHCP schema.

Common ASIM fields

Important

Fields common to all schemas are described in detail in the ASIM Common Fields article.

Common Fields with specific guidelines

The following list mentions fields that have specific guidelines for DHCP events:

Field Class Type Description
EventType Mandatory Enumerated Indicate the operation reported by the record.

Possible values are Assign, Renew, Release and DNS Update.

Example: Assign
EventSchemaVersion Mandatory String The version of the schema documented here is 0.1.
EventSchema Mandatory String The name of the schema documented here is DhcpEvent.
Dvc fields - - For DHCP events, device fields refer to the system that reports the DHCP event.

All common fields

Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.

Class Fields
Mandatory - EventCount
- EventStartTime
- EventEndTime
- EventType
- EventResult
- EventProduct
- EventVendor
- EventSchema
- EventSchemaVersion
- Dvc
Recommended - EventResultDetails
- EventSeverity
- EventUid
- DvcIpAddr
- DvcHostname
- DvcDomain
- DvcDomainType
- DvcFQDN
- DvcId
- DvcIdType
- DvcAction
Optional - EventMessage
- EventSubType
- EventOriginalUid
- EventOriginalType
- EventOriginalSubType
- EventOriginalResultDetails
- EventOriginalSeverity
- EventProductVersion
- EventReportUrl
- EventOwner
- DvcZone
- DvcMacAddr
- DvcOs
- DvcOsVersion
- DvcOriginalAction
- DvcInterface
- AdditionalFields
- DvcDescription
- DvcScopeId
- DvcScope

DHCP-specific fields

The fields below are specific to DHCP events, but many are similar to fields in other schemas and follow the same naming convention.

Field Class Type Notes
SrcIpAddr Mandatory IP Address The IP address assigned to the client by the DHCP server.

Example: 192.168.12.1
IpAddr Alias Alias for SrcIpAddr
RequestedIpAddr Optional IP Address The IP address requested by the DHCP client, when available.

Example: 192.168.12.3
SrcHostname Mandatory String The hostname of the device requesting the DHCP lease. If no device name is available, store the relevant IP address in this field.

Example: DESKTOP-1282V4D
Hostname Alias Alias for SrcHostname
SrcDomain Recommended String The domain of the source device.

Example: Contoso
SrcDomainType Conditional Enumerated The type of SrcDomain, if known. Possible values include:
- Windows (such as: contoso)
- FQDN (such as: microsoft.com)

Required if SrcDomain is used.
SrcFQDN Optional String The source device hostname, including domain information when available.

Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used.

Example: Contoso\DESKTOP-1282V4D
SrcDvcId Optional String The ID of the source device as reported in the record.

For example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3
SrcDvcScopeId Optional String The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.
SrcDvcScope Optional String The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.
SrcDvcIdType Conditional Enumerated The type of SrcDvcId, if known. Possible values include:
- AzureResourceId
- MDEid

If multiple IDs are available, use the first one from the list above, and store the others in the SrcDvcAzureResourceId and SrcDvcMDEid, respectively.

Note: This field is required if SrcDvcId is used.
SrcDeviceType Optional Enumerated The type of the source device. Possible values include:
- Computer
- Mobile Device
- IOT Device
- Other
SrcUserId Optional String A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include:
- SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500
- UID (Linux): 4578
- AADID (Microsoft Entra ID): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa
- OktaId: 00urjk4znu3BcncfY0h7
- AWSId: 72643944673

Store the ID type in the SrcUserIdType field. If other IDs are available, we recommend that you normalize the field names to SrcUserSid, SrcUserUid, SrcUserAadId, SrcUserOktaId and UserAwsId, respectively.

Example: S-1-12
SrcUserIdType Conditional Enumerated The type of the ID stored in the SrcUserId field. Supported values include: SID, UIS, AADID, OktaId, and AWSId.
SrcUsername Optional String The Source username, including domain information when available. Use one of the following formats and in the following order of priority:
- Upn/Email: johndow@contoso.com
- Windows: Contoso\johndow
- DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
- Simple: johndow. Use the Simple form only if domain information is not available.

Store the Username type in the SrcUsernameType field. If other IDs are available, we recommend that you normalize the field names to SrcUserUpn, SrcUserWindows and SrcUserDn.

For more information, see The User entity.

Example: AlbertE
User Alias Alias for SrcUsername
SrcUsernameType Conditional Enumerated Specifies the type of the username stored in the SrcUsername field. Supported values are: UPN, Windows, DN, and Simple. For more information, see The User entity.

Example: Windows
SrcUserType Optional Enumerated The type of Actor. Allowed values are:
- Regular
- Machine
- Admin
- System
- Application
- Service Principal
- Other

Note: The value may be provided in the source record using different terms, which should be normalized to these values. Store the original value in the EventOriginalUserType field.
SrcOriginalUserType The original source user type, if provided by the source.
SrcMacAddr Mandatory Mac Address The MAC address of the client requesting a DHCP lease.

Note: The Windows DHCP server logs MAC address in a non-standard way, omitting the colons, which should be inserted by the parser.

Example: 06:10:9f:eb:8f:14
DhcpLeaseDuration Optional Integer The length of the lease granted to a client, in seconds.
DhcpSessionId Optional string The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.

Example: 2099570186
SessionId Alias String Alias to DhcpSessionId
DhcpSessionDuration Optional Integer The amount of time, in milliseconds, for the completion of the DHCP session.

Example: 1500
Duration Alias Alias to DhcpSessionDuration
DhcpSrcDHCId  Optional String The DHCP client ID, as defined by RFC4701
DhcpCircuitId  Optional String The DHCP circuit ID, as defined by RFC3046
DhcpSubscriberId  Optional String The DHCP subscriber ID, as defined by RFC3993
DhcpVendorClassId   Optional String The DHCP Vendor Class Id, as defined by RFC3925.
DhcpVendorClass   Optional String The DHCP Vendor Class, as defined by RFC3925.
DhcpUserClassId   Optional String The DHCP User Class Id, as defined by RFC3004.
DhcpUserClass  Optional String The DHCP User Class, as defined by RFC3004.

Next steps

For more information, see: