The Advanced Security Information Model (ASIM) common schema fields reference (preview)

Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field.

Standard Log Analytics fields

The following fields are generated by Log Analytics, in most cases, for each record. They can be overridden when you create a custom connector.

Field | Type | Discussion
--- | --- | ---
TimeGenerated | datetime | The time the event was generated by the reporting device.
Type | String | The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table.

Note

Log Analytics also adds other fields that are less relevant to security use cases. For more information, see Standard columns in Azure Monitor Logs.

Common ASIM fields

The following fields are defined by ASIM for all schemas:

Event fields

Field | Class | Type | Description
--- | --- | --- | ---
EventMessage | Optional | String | A general message or description, either included in or generated from the record.
EventCount | Mandatory | Integer | The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to 1.
EventStartTime | Mandatory | Date/time | The time at which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.
EventEndTime | Mandatory | Date/time | The time at which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.
EventType | Mandatory | Enumerated | Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source-specific value is stored in the EventOriginalType field.
EventSubType | Optional | Enumerated | Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source-specific value is stored in the EventOriginalSubType field.
EventResult | Mandatory | Enumerated | One of the following values: Success, Partial, Failure, NA (Not Applicable). The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. Example: Success
EventResultDetails | Recommended | Enumerated | Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source-specific value is stored in the EventOriginalResultDetails field. Example: NXDOMAIN
EventUid | Recommended | String | The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the _ItemId Log Analytics field.
EventOriginalUid | Optional | String | A unique ID of the original record, if provided by the source. Example: 69f37748-ddcd-4331-bf0f-b137f1ea83b
EventOriginalType | Optional | String | The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. Example: 4624
EventOriginalSubType | Optional | String | The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. Example: 2
EventOriginalResultDetails | Optional | String | The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.
EventSeverity | Recommended | Enumerated | The severity of the event. Valid values are: Informational, Low, Medium, or High.
EventOriginalSeverity | Optional | String | The original severity as provided by the reporting device. This value is used to derive EventSeverity.
EventProduct | Mandatory | String | The product generating the event. The value should be one of the values listed in Vendors and Products. Example: Sysmon
EventProductVersion | Optional | String | The version of the product generating the event. Example: 12.1
EventVendor | Mandatory | String | The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. Example: Microsoft
EventSchema | Mandatory | String | The schema the event is normalized to. Each schema documents its schema name.
EventSchemaVersion | Mandatory | String | The version of the schema. Each schema documents its current version.
EventReportUrl | Optional | String | A URL provided in the event for a resource that provides more information about the event.
EventOwner | Optional | String | The owner of the event, which is usually the department or subsidiary in which it was generated.
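As an added example (not code from the ASIM reference or from Microsoft), the following Python maps constructed Windows Security Event records onto the common event fields described above: EventCount defaults to 1, EventStartTime and EventEndTime alias TimeGenerated when the source does not supply them, EventResult is derived from the original event ID, and the mandatory fields are checked before the record is emitted. The EventType values, the schema name and version, and the raw key names (EventID, Level, Count, StartTime) are assumptions of this example.

```python
"""Added example: map constructed Windows Security Event records onto the ASIM common Event* fields."""
from datetime import datetime, timezone

# Constructed derivation table: original Windows event ID -> (EventType, EventResult).
# EventResult values are the ones the reference allows; EventType values are assumed, not from the reference.
EVENT_ID_MAP = {
    4624: ("Logon", "Success"),
    4625: ("Logon", "Failure"),
    4634: ("Logoff", "Success"),
}
# Constructed mapping from the source's Level text to EventSeverity.
SEVERITY_MAP = {"Information": "Informational", "Warning": "Medium", "Error": "High"}
MANDATORY = ("EventCount", "EventStartTime", "EventEndTime", "EventType", "EventResult",
             "EventVendor", "EventProduct", "EventSchema", "EventSchemaVersion")

# Constructed raw records; the key names (EventID, Level, Count, StartTime) are hypothetical.
SAMPLE_RECORDS = [
    {"TimeGenerated": datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc), "EventID": 4624,
     "Level": "Information"},
    {"TimeGenerated": datetime(2024, 5, 1, 8, 1, tzinfo=timezone.utc), "EventID": 4625,
     "Level": "Warning", "Count": 5, "StartTime": datetime(2024, 5, 1, 7, 55, tzinfo=timezone.utc)},
    {"TimeGenerated": datetime(2024, 5, 1, 8, 2, tzinfo=timezone.utc), "EventID": 4688},
]

def normalize_event(raw: dict):
    """Return the common Event* fields for one record, or None if this parser does not cover it."""
    if raw["EventID"] not in EVENT_ID_MAP:
        return None  # a parser filters out records whose type it does not normalize
    event_type, result = EVENT_ID_MAP[raw["EventID"]]
    tg = raw["TimeGenerated"]
    ev = {
        "TimeGenerated": tg,
        "EventCount": int(raw.get("Count", 1)),      # 1 unless the source aggregates
        "EventStartTime": raw.get("StartTime", tg),  # alias TimeGenerated when absent
        "EventEndTime": raw.get("EndTime", tg),
        "EventType": event_type,
        "EventOriginalType": str(raw["EventID"]),    # keep the source value, e.g. "4624"
        "EventResult": result,
        "EventOriginalSeverity": raw.get("Level"),
        "EventSeverity": SEVERITY_MAP.get(raw.get("Level", ""), "Informational"),
        "EventVendor": "Microsoft",                  # both from the Vendors and Products list
        "EventProduct": "Security Events",
        "EventSchema": "Authentication",             # assumed schema name
        "EventSchemaVersion": "0.0.0",               # placeholder: use the version the schema documents
    }
    missing = [f for f in MANDATORY if ev.get(f) in (None, "")]
    if missing:
        raise ValueError(f"mandatory common fields missing: {missing}")
    return ev
```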

Device fields

The role of the device fields is different for different schemas and event types. For example:

  • For Network Session events, the device fields usually provide information about the device that generated the event.
  • For Process events, the device fields provide information about the device on which the process is executed.

Each schema document specifies the role of the device for the schema.

Field | Class | Type | Description
--- | --- | --- | ---
Dvc | Alias | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the EventProduct field.
DvcIpAddr | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. Example: 45.21.42.12
DvcHostname | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: ContosoDc
DvcDomain | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso
DvcDomainType | Conditional | Enumerated | The type of DvcDomain. For a list of allowed values and further information, refer to DomainType. Note: This field is required if the DvcDomain field is used.
DvcFQDN | Optional | String | The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso\DESKTOP-1282V4D. Note: This field supports both traditional FQDN format and Windows domain\hostname format. The DvcDomainType field reflects the format used.
DvcDescription | Optional | String | A descriptive text associated with the device. Example: Primary Domain Controller
DvcId | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. Example: 41502da5-21b7-48ec-81c9-baeea8d7d669
DvcIdType | Conditional | Enumerated | The type of DvcId. For a list of allowed values and further information, refer to DvcIdType. Allowed values: AzureResourceId, MDEid. If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively. Note: This field is required if the DvcId field is used.
DvcMacAddr | Optional | MAC | The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7
DvcZone | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. Example: Dmz
DvcOs | Optional | String | The operating system running on the device on which the event occurred or which reported the event. Example: Windows
DvcOsVersion | Optional | String | The version of the operating system on the device on which the event occurred or which reported the event. Example: 10
DvcAction | Recommended | String | For reporting security systems, the action taken by the system, if applicable. Example: Blocked
DvcOriginalAction | Optional | String | The original DvcAction as provided by the reporting device.
DvcInterface | Optional | String | The network interface on which data was captured. This field is typically relevant to network-related activity, which is captured by an intermediate or tap device.
DvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS.
DvcScope | Optional | String | The cloud platform scope the device belongs to. DvcScope maps to a subscription ID on Azure and to an account ID on AWS.
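The device-field rules above (the Dvc alias, the two DvcFQDN formats, the DvcId selection order, and the Conditional type fields) as an added Python example that is not code from the ASIM reference or from Microsoft. The alias precedence and the DomainType values are assumptions of this example; the reference only names the candidate fields and points to the DomainType and DvcIdType lists.

```python
"""Added example: Dvc alias resolution and the conditional device-field rules of the ASIM common schema."""

# Alias precedence is an assumption of this example; the reference only lists the candidate fields.
DVC_ALIAS_ORDER = ("DvcFQDN", "DvcId", "DvcHostname", "DvcIpAddr")
# Allowed values assumed from the DomainType and DvcIdType references named in the table.
DOMAIN_TYPES = ("FQDN", "Windows")
DVC_ID_TYPE_ORDER = ("AzureResourceId", "MDEid")  # list order decides which value becomes DvcId

def resolve_dvc(fields: dict, event_product: str) -> str:
    """Pick the value the Dvc alias points to; cloud sources fall back to EventProduct."""
    for name in DVC_ALIAS_ORDER:
        if fields.get(name):
            return fields[name]
    return event_product

def split_fqdn(fqdn: str):
    """Return (DvcHostname, DvcDomain, DvcDomainType) for either form DvcFQDN accepts."""
    if "\\" in fqdn:                             # Windows domain\hostname form, e.g. Contoso\DESKTOP-1282V4D
        domain, host = fqdn.split("\\", 1)
        return host, domain, "Windows"
    host, dot, domain = fqdn.partition(".")      # traditional FQDN form, e.g. dc01.contoso.com
    return host, domain, ("FQDN" if dot else None)

def assign_dvc_id(ids: dict) -> dict:
    """ids maps an ID type (AzureResourceId, MDEid) to its value. The first available in list
    order becomes DvcId/DvcIdType; the rest are stored as DvcAzureResourceId / DvcMDEid."""
    out = {}
    for id_type in DVC_ID_TYPE_ORDER:
        value = ids.get(id_type)
        if not value:
            continue
        if "DvcId" not in out:
            out["DvcId"], out["DvcIdType"] = value, id_type
        else:
            out["Dvc" + id_type] = value
    return out

def device_field_errors(fields: dict) -> list:
    """Report violations of the Conditional rules: a type field must accompany its value field."""
    errors = []
    if fields.get("DvcDomain") and fields.get("DvcDomainType") not in DOMAIN_TYPES:
        errors.append("DvcDomainType is required when DvcDomain is used")
    if fields.get("DvcId") and fields.get("DvcIdType") not in DVC_ID_TYPE_ORDER:
        errors.append("DvcIdType is required when DvcId is used")
    return errors
```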

Other fields

Field | Class | Type | Description
--- | --- | --- | ---
AdditionalFields | Optional | Dynamic | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information to it as key/value pairs.
ASimMatchingIpAddr | Recommended | String | When a parser uses the ipaddr_has_any_prefix filtering parameter, this field is set to one of the values SrcIpAddr, DstIpAddr, or Both to reflect the matching field or fields.
ASimMatchingHostname | Recommended | String | When a parser uses the hostname_has_any filtering parameter, this field is set to one of the values SrcHostname, DstHostname, or Both to reflect the matching field or fields.

Schema updates

  • The EventOwner field was added to the common fields, and therefore to all of the schemas, on Dec 1, 2022.
  • The EventUid field was added to the common fields, and therefore to all of the schemas, on Dec 26, 2022.

Vendors and products

To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and may not directly correspond to the value sent by the source, when available.

The currently supported list of vendors and products used in the EventVendor and EventProduct fields respectively is:

Vendor | Products
--- | ---
AWS | CloudTrail, VPC
Cisco | ASA, Umbrella, IOS, Meraki
Corelight | Zeek
Cynerio | Cynerio
Dataminr | Dataminr Pulse
GCP | Cloud DNS
Infoblox | NIOS
Microsoft | Microsoft Entra ID, Azure, Azure Firewall, Azure Blob Storage, Azure File Storage, Azure NSG flows, Azure Queue Storage, Azure Table Storage, DNS Server, Microsoft Defender XDR for Endpoint, Microsoft Defender for IoT, Security Events, SharePoint, OneDrive, Sysmon, Sysmon for Linux, VMConnection, Windows Firewall, WireData
Linux | su, sudo
Okta | Okta, Auth0
OpenBSD | OpenSSH
Palo Alto | PanOS, CDL
PostgreSQL | PostgreSQL
Squid | Squid Proxy
Vectra AI | Vectra Stream
WatchGuard | Fireware
Zscaler | ZIA DNS, ZIA Firewall, ZIA Proxy

If you are developing a parser for a vendor or a product that is not listed here, contact the Microsoft Sentinel team to allocate new allowed vendor and product designators.

Next steps

For more information, see: