संपादित करें

इसके माध्यम से साझा किया गया


Microsoft Sentinel user management normalization schema reference (preview)

The Microsoft Sentinel user management normalization schema is used to describe user management activities, such as creating a user or a group, changing user attribute, or adding a user to a group. Such events are reported, for example, by operating systems, directory services, identity management systems, and any other system reporting on its local user management activity.

For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).

Important

The user management normalization schema is currently in preview. This feature is provided without a service level agreement. We don't recommend it for production workloads.

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Schema overview

The ASIM user management schema describes user management activities. The activities typically include the following entities:

  • Actor - the user performing the management activity.
  • Acting Process - the process used by the actor to perform the management activity.
  • Src - when the activity is performed over the network, the source device from which the activity was initiated.
  • Target User - the user who's account is managed.
  • Group the target user is added or removed from, or being modified.

Some activities, such as UserCreated, GroupCreated, UserModified, and GroupModified*, set or update user properties. The property set or updated is documented in the following fields:

Schema details

Common ASIM fields

Important

Fields common to all schemas are described in detail in the ASIM Common Fields article.

Common fields with specific guidelines

The following list mentions fields that have specific guidelines for process activity events:

Field Class Type Description
EventType Mandatory Enumerated Describes the operation reported by the record.

For User Management activity, the supported values are:
- UserCreated
- UserDeleted
- UserModified
- UserLocked
- UserUnlocked
- UserDisabled
- UserEnabled
- PasswordChanged
- PasswordReset
- GroupCreated
- GroupDeleted
- GroupModified
- UserAddedToGroup
- UserRemovedFromGroup
- GroupEnumerated
- UserRead
- GroupRead
EventSubType Optional Enumerated The following sub-types are supported:
- UserRead: Password, Hash
- UserCreated, GroupCreated, UserModified, GroupModified. For more information, see UpdatedPropertyName
EventResult Mandatory Enumerated While failure is possible, most systems report only successful user management events. The expected value for successful events is Success.
EventResultDetails Recommended Enumerated The valid values are NotAuthorized and Other.
EventSeverity Mandatory Enumerated While any valid severity value is allowed, the severity of user management events is typically Informational.
EventSchema Mandatory String The name of the schema documented here is UserManagement.
EventSchemaVersion Mandatory String The version of the schema. The version of the schema documented here is 0.1.1.
Dvc fields For user management events, device fields refer to the system reporting the event. This is usually the system on which the user is managed.

All common fields

Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.

Class Fields
Mandatory - EventCount
- EventStartTime
- EventEndTime
- EventType
- EventResult
- EventProduct
- EventVendor
- EventSchema
- EventSchemaVersion
- Dvc
Recommended - EventResultDetails
- EventSeverity
- EventUid
- DvcIpAddr
- DvcHostname
- DvcDomain
- DvcDomainType
- DvcFQDN
- DvcId
- DvcIdType
- DvcAction
Optional - EventMessage
- EventSubType
- EventOriginalUid
- EventOriginalType
- EventOriginalSubType
- EventOriginalResultDetails
- EventOriginalSeverity
- EventProductVersion
- EventReportUrl
- EventOwner
- DvcZone
- DvcMacAddr
- DvcOs
- DvcOsVersion
- DvcOriginalAction
- DvcInterface
- AdditionalFields
- DvcDescription
- DvcScopeId
- DvcScope

Updated property fields

Field Class Type Description
UpdatedPropertyName Alias Alias to EventSubType when the Event Type is UserCreated, GroupCreated, UserModified, or GroupModified.

Supported values are:
- MultipleProperties: Used when the activity updates multiple properties
- Previous<PropertyName>, where <PropertyName> is one of the supported values for UpdatedPropertyName.
- New<PropertyName>, where <PropertyName> is one of the supported values for UpdatedPropertyName.
PreviousPropertyValue Optional String The previous value that was stored in the specified property.
NewPropertyValue Optional String The new value stored in the specified property.

Target user fields

Field Class Type Description
TargetUserId Optional String A machine-readable, alphanumeric, unique representation of the target user.

Supported formats and types include:
- SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500
- UID (Linux): 4578
- AADID (Microsoft Entra ID): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa
- OktaId: 00urjk4znu3BcncfY0h7
- AWSId: 72643944673

Store the ID type in the TargetUserIdType field. If other IDs are available, we recommend that you normalize the field names to TargetUserSid, TargetUserUid, TargetUserAADID, TargetUserOktaId, and TargetUserAwsId, respectively. For more information, see The User entity.

Example: S-1-12
TargetUserIdType Optional Enumerated The type of the ID stored in the TargetUserId field.

Supported values are SID, UID, AADID, OktaId, and AWSId.
TargetUsername Optional String The target username, including domain information when available.

Use one of the following formats and in the following order of priority:
- Upn/Email: johndow@contoso.com
- Windows: Contoso\johndow
- DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
- Simple: johndow. Use the Simple form only if domain information isn't available.

Store the Username type in the TargetUsernameType field. If other IDs are available, we recommend that you normalize the field names to TargetUserUpn, TargetUserWindows, and TargetUserDn. For more information, see The User entity.

Example: AlbertE
TargetUsernameType Optional Enumerated Specifies the type of the username stored in the TargetUsername field. Supported values include UPN, Windows, DN, and Simple. For more information, see The User entity.

Example: Windows
TargetUserType Optional Enumerated The type of target user. Supported values include:
- Regular
- Machine
- Admin
- System
- Application
- Service Principal
- Other

Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the TargetOriginalUserType field.
TargetOriginalUserType Optional String The original destination user type, if provided by the source.

Actor fields

Field Class Type Description
ActorUserId Optional String A machine-readable, alphanumeric, unique representation of the Actor.

Supported formats and types include:
- SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500
- UID (Linux): 4578
- AADID (Microsoft Entra ID): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa
- OktaId: 00urjk4znu3BcncfY0h7
- AWSId: 72643944673

Store the ID type in the ActorUserIdType field. If other IDs are available, we recommend that you normalize the field names to ActorUserSid, ActorUserUid, ActorUserAadId, ActorUserOktaId, and ActorAwsId, respectively. For more information, see The User entity.

Example: S-1-12
ActorUserIdType Optional Enumerated The type of the ID stored in the ActorUserId field. Supported values include SID, UID, AADID, OktaId, and AWSId.
ActorUsername Mandatory String The Actor username, including domain information when available.

Use one of the following formats and in the following order of priority:
- Upn/Email: johndow@contoso.com
- Windows: Contoso\johndow
- DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
- Simple: johndow. Use the Simple form only if domain information isn't available.

Store the Username type in the ActorUsernameType field. If other IDs are available, we recommend that you normalize the field names to ActorUserUpn, ActorUserWindows, and ActorUserDn.

For more information, see The User entity.

Example: AlbertE
User Alias Alias to ActorUsername.
ActorUsernameType Mandatory Enumerated Specifies the type of the username stored in the ActorUsername field. Supported values are UPN, Windows, DN, and Simple. For more information, see The User entity.

Example: Windows
ActorUserType Optional Enumerated The type of the Actor. Allowed values are:
- Regular
- Machine
- Admin
- System
- Application
- Service Principal
- Other

Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the ActorOriginalUserType field.
ActorOriginalUserType The original actor user type, if provided by the source.
ActorSessionId Optional String The unique ID of the login session of the Actor.

Example: 999

Note: The type is defined as string to support varying systems, but on Windows this value must be numeric.

If you are using a Windows machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.

Group fields

Field Class Type Description
GroupId Optional String A machine-readable, alphanumeric, unique representation of the group, for activities involving a group.

Supported formats and types include:
- SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500
- UID (Linux): 4578

Store the ID type in the GroupIdType field. If other IDs are available, we recommend that you normalize the field names to GroupSid or GroupUid, respectively. For more information, see The User entity.

Example: S-1-12
GroupIdType Optional Enumerated The type of the ID stored in the GroupId field.

Supported values are SID, and UID.
GroupName Optional String The group name, including domain information when available, for activities involving a group.

Use one of the following formats and in the following order of priority:
- Upn/Email: grp@contoso.com
- Windows: Contoso\grp
- DN: CN=grp,OU=Sales,DC=Fabrikam,DC=COM
- Simple: grp. Use the Simple form only if domain information isn't available.

Store the group name type in the GroupNameType field. If other IDs are available, we recommend that you normalize the field names to GroupUpn, GorupNameWindows, and GroupDn.

Example: Contoso\Finance
GroupNameType Optional Enumerated Specifies the type of the group name stored in the GroupName field. Supported values include UPN, Windows, DN, and Simple.

Example: Windows
GroupType Optional Enumerated The type of the group, for activities involving a group. Supported values include:
- Local Distribution
- Local Security Enabled
- Global Distribution
- Global Security Enabled
- Universal Distribution
- Universal Security Enabled
- Other

Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the GroupOriginalType field.
GroupOriginalType Optional String The original group type, if provided by the source.

Source fields

Field Class Type Description
Src Recommended String A unique identifier of the source device.

This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields.

Example: 192.168.12.1
SrcIpAddr Recommended IP address The IP address of the source device. This value is mandatory if SrcHostname is specified.

Example: 77.138.103.108
IpAddr Alias Alias to SrcIpAddr.
SrcHostname Recommended String The source device hostname, excluding domain information.

Example: DESKTOP-1282V4D
SrcDomain Recommended String The domain of the source device.

Example: Contoso
SrcDomainType Recommended Enumerated The type of SrcDomain, if known. Possible values include:
- Windows (such as contoso)
- FQDN (such as microsoft.com)

Required if SrcDomain is used.
SrcFQDN Optional String The source device hostname, including domain information when available.

Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used.

Example: Contoso\DESKTOP-1282V4D
SrcDvcId Optional String The ID of the source device as reported in the record.

Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3
SrcDvcScopeId Optional String The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.
SrcDvcScope Optional String The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.
SrcDvcIdType Optional Enumerated The type of SrcDvcId, if known. Possible values include:
- AzureResourceId
- MDEid

If multiple IDs are available, use the first one from the preceding list, and store the others in SrcDvcAzureResourceId and SrcDvcMDEid, respectively.

Note: This field is required if SrcDvcId is used.
SrcDeviceType Optional Enumerated The type of the source device. Possible values include:
- Computer
- Mobile Device
- IOT Device
- Other
SrcGeoCountry Optional Country The country associated with the source IP address.

Example: USA
SrcGeoRegion Optional Region The region associated with the source IP address.

Example: Vermont
SrcGeoCity Optional City The city associated with the source IP address.

Example: Burlington
SrcGeoLatitude Optional Latitude The latitude of the geographical coordinate associated with the source IP address.

Example: 44.475833
SrcGeoLongitude Optional Longitude The longitude of the geographical coordinate associated with the source IP address.

Example: 73.211944

Acting Application

Field Class Type Description
ActingAppId Optional String The ID of the application used by the actor to perform the activity, including a process, browser, or service.

For example: 0x12ae8
ActingAppName Optional String The name of the application used by the actor to perform the activity, including a process, browser, or service.

For example: C:\Windows\System32\svchost.exe
ActingAppType Optional Enumerated The type of acting application. Supported values include:
- Process
- Browser
- Resource
- Other
HttpUserAgent Optional String When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication.

For example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

Additional fields and aliases

Field Class Type Description
Hostname Alias Alias to DvcHostname.

Next steps

For more information, see: