The Advanced Security Information Model (ASIM) DHCP normalization schema reference (Public preview)
The DHCP information model is used to describe events reported by a DHCP server, and is used by Microsoft Sentinel to enable source-agnostic analytics.
For more information, see Normalization and the Advanced Security Information Model (ASIM).
Important
The DHCP normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Schema overview
The ASIM DHCP schema represents DHCP server activity, including serving lease requests from client systems and updating a DNS server with the leases granted.
The most important fields in a DHCP event are SrcIpAddr and SrcHostname, which the DHCP server binds together by granting the lease; they are aliased by the IpAddr and Hostname fields respectively. The SrcMacAddr field is also important: it identifies the client machine, and it is the only client identifier available when no IP address is leased.
A DHCP server may reject a client, either due to security concerns or because of network saturation. It may also quarantine a client by leasing it an IP address that connects it to a limited network. The EventResult, EventResultDetails and DvcAction fields provide information about the DHCP server response and action.
A lease's duration is stored in the DhcpLeaseDuration field.
Schema details
ASIM is aligned with the Open Source Security Events Metadata (OSSEM) project.
OSSEM does not have a DHCP schema comparable to the ASIM DHCP schema.
Common ASIM fields
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
Common Fields with specific guidelines
The following list mentions fields that have specific guidelines for DHCP events:
Field | Class | Type | Description |
---|---|---|---|
EventType | Mandatory | Enumerated | Indicates the operation reported by the record. Possible values are Assign, Renew, Release, and DNS Update. Example: Assign |
EventSchemaVersion | Mandatory | String | The version of the schema documented here is 0.1. |
EventSchema | Mandatory | String | The name of the schema documented here is DhcpEvent. |
Dvc fields | - | - | For DHCP events, device fields refer to the system that reports the DHCP event. |
All common fields
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.
Class | Fields |
---|---|
Mandatory | - EventCount - EventStartTime - EventEndTime - EventType - EventResult - EventProduct - EventVendor - EventSchema - EventSchemaVersion - Dvc |
Recommended | - EventResultDetails - EventSeverity - EventUid - DvcIpAddr - DvcHostname - DvcDomain - DvcDomainType - DvcFQDN - DvcId - DvcIdType - DvcAction |
Optional | - EventMessage - EventSubType - EventOriginalUid - EventOriginalType - EventOriginalSubType - EventOriginalResultDetails - EventOriginalSeverity - EventProductVersion - EventReportUrl - EventOwner - DvcZone - DvcMacAddr - DvcOs - DvcOsVersion - DvcOriginalAction - DvcInterface - AdditionalFields - DvcDescription - DvcScopeId - DvcScope |
DHCP-specific fields
The fields below are specific to DHCP events, but many are similar to fields in other schemas and follow the same naming convention.
Field | Class | Type | Notes |
---|---|---|---|
SrcIpAddr | Mandatory | IP Address | The IP address assigned to the client by the DHCP server. Example: 192.168.12.1 |
IpAddr | Alias | Alias for SrcIpAddr | |
RequestedIpAddr | Optional | IP Address | The IP address requested by the DHCP client, when available. Example: 192.168.12.3 |
SrcHostname | Mandatory | String | The hostname of the device requesting the DHCP lease. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D |
Hostname | Alias | Alias for SrcHostname | |
SrcDomain | Recommended | String | The domain of the source device. Example: Contoso |
SrcDomainType | Conditional | Enumerated | The type of SrcDomain, if known. Possible values include: Windows (for example: contoso) and FQDN (for example: microsoft.com). Required if SrcDomain is used. |
SrcFQDN | Optional | String | The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\DESKTOP-1282V4D |
SrcDvcId | Optional | String | The ID of the source device as reported in the record. For example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
SrcDvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. SrcDvcScopeId maps to a subscription ID on Azure and to an account ID on AWS. |
SrcDvcScope | Optional | String | The cloud platform scope the device belongs to. SrcDvcScope maps to a subscription ID on Azure and to an account ID on AWS. |
SrcDvcIdType | Conditional | Enumerated | The type of SrcDvcId, if known. Possible values include AzureResourceId and MDEid. If multiple IDs are available, use the first one from the list above, and store the others in SrcDvcAzureResourceId and SrcDvcMDEid, respectively. Note: This field is required if SrcDvcId is used. |
SrcDeviceType | Optional | Enumerated | The type of the source device. Possible values include: - Computer - Mobile Device - IOT Device - Other |
SrcUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include: - SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500 - UID (Linux): 4578 - AADID (Microsoft Entra ID): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa - OktaId: 00urjk4znu3BcncfY0h7 - AWSId: 72643944673 Store the ID type in the SrcUserIdType field. If other IDs are available, we recommend that you normalize the field names to SrcUserSid, SrcUserUid, SrcUserAadId, SrcUserOktaId and SrcUserAwsId, respectively. Example: S-1-12 |
SrcUserIdType | Conditional | Enumerated | The type of the ID stored in the SrcUserId field. Supported values include: SID, UID, AADID, OktaId, and AWSId. |
SrcUsername | Optional | String | The source username, including domain information when available. Use one of the following formats, in the following order of priority: - UPN/Email: johndow@contoso.com - Windows: Contoso\johndow - DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM - Simple: johndow. Use the Simple form only if domain information is not available. Store the username type in the SrcUsernameType field. If other IDs are available, we recommend that you normalize the field names to SrcUserUpn, SrcUserWindows and SrcUserDn. For more information, see The User entity. Example: AlbertE |
User | Alias | Alias for SrcUsername | |
SrcUsernameType | Conditional | Enumerated | Specifies the type of the username stored in the SrcUsername field. Supported values are: UPN, Windows, DN, and Simple. For more information, see The User entity. Example: Windows |
SrcUserType | Optional | Enumerated | The type of actor. Allowed values are: - Regular - Machine - Admin - System - Application - Service Principal - Other Note: The value may be provided in the source record using different terms, which should be normalized to these values. Store the original value in the SrcOriginalUserType field. |
SrcOriginalUserType | Optional | String | The original source user type, if provided by the source. |
SrcMacAddr | Mandatory | Mac Address | The MAC address of the client requesting a DHCP lease. Note: The Windows DHCP server logs the MAC address in a non-standard way, omitting the colons; the parser should insert them. Example: 06:10:9f:eb:8f:14 |
DhcpLeaseDuration | Optional | Integer | The length of the lease granted to a client, in seconds. |
DhcpSessionId | Optional | String | The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field. Example: 2099570186 |
SessionId | Alias | Alias for DhcpSessionId | |
DhcpSessionDuration | Optional | Integer | The amount of time, in milliseconds, taken to complete the DHCP session. Example: 1500 |
Duration | Alias | Alias for DhcpSessionDuration | |
DhcpSrcDHCId | Optional | String | The DHCP client ID, as defined by RFC4701 |
DhcpCircuitId | Optional | String | The DHCP circuit ID, as defined by RFC3046 |
DhcpSubscriberId | Optional | String | The DHCP subscriber ID, as defined by RFC3993 |
DhcpVendorClassId | Optional | String | The DHCP Vendor Class Id, as defined by RFC3925. |
DhcpVendorClass | Optional | String | The DHCP Vendor Class, as defined by RFC3925. |
DhcpUserClassId | Optional | String | The DHCP User Class Id, as defined by RFC3004. |
DhcpUserClass | Optional | String | The DHCP User Class, as defined by RFC3004. |
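The normalization the schema overview and the SrcHostname, SrcMacAddr and DhcpSessionId rows describe, as an added Python example; it is not code from this page and not one of the ASIM KQL parsers. It assumes the Windows DHCP server audit-log column layout and an event-ID to EventType mapping (EVENT_MAP), neither of which this page states, and the log rows it parses are constructed. It inserts the missing MAC colons, falls back to the IP address when no host name is logged, splits FQDN and domain\hostname forms into SrcDomain and SrcDomainType, and carries TransactionID into DhcpSessionId.

```python
"""Normalize Windows DHCP server audit-log rows into ASIM DhcpEvent fields.

Added example; not part of the ASIM documentation or Microsoft's own parsers.
Assumptions (not stated on the page): the Windows audit-log column layout and
the mapping of Windows event IDs to EventType / EventResult in EVENT_MAP.
"""
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample log: a header row plus five rows. Row 2 is deliberately
# truncated to show that missing trailing columns do not break normalization;
# row 5 uses an event ID outside the schema's EventType enumeration.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
10,05/14/24,09:15:02,Assign,192.168.12.1,DESKTOP-1282V4D.contoso.com,06109FEB8F14,,2099570186,0,0,,,4D53465420352E30,MSFT 5.0,,,,0
11,05/14/24,09:20:10,Renew,192.168.12.3,,0A1B2C3D4E5F,,2099570187,0,0
15,05/14/24,09:21:44,NACK,192.168.12.9,,DEADBEEF0001,,2099570188,0,0,,,,,,,,0
31,05/14/24,09:22:00,DNS Update Successful,192.168.12.1,DESKTOP-1282V4D.contoso.com,06109FEB8F14,,2099570189,0,0,,,,,,,,0
24,05/14/24,09:30:00,Database Cleanup Begin,,,,,,,,,,,,,,,
"""

# Assumed event-ID mapping onto the schema's EventType values. Event 15 (lease
# denied) is treated as a failed Assign so that EventResult carries the refusal.
EVENT_MAP = {
    "10": ("Assign", "Success"),
    "11": ("Renew", "Success"),
    "12": ("Release", "Success"),
    "15": ("Assign", "Failure"),
    "31": ("DNS Update", "Success"),
    "32": ("DNS Update", "Failure"),
}

_RAW_MAC = re.compile(r"^[0-9A-Fa-f]{12}$")


def field(row: dict, key: str) -> str:
    """Read a column, tolerating rows that are shorter than the header."""
    return (row.get(key) or "").strip()


def normalize_mac(raw: str) -> str:
    """Windows logs the MAC as 12 bare hex digits; insert the colons the schema expects."""
    raw = raw.strip()
    if _RAW_MAC.match(raw):
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2)).lower()
    return raw.lower()  # already delimited (or empty): pass through unchanged


def split_hostname(raw: str, ip: str) -> tuple:
    """Return (SrcHostname, SrcDomain, SrcDomainType, SrcFQDN).

    Handles FQDN and Windows domain\\host forms; with no name at all the schema
    says to store the IP address in SrcHostname.
    """
    raw = raw.strip()
    if not raw:
        return ip, "", "", ""
    if "\\" in raw:
        domain, host = raw.split("\\", 1)
        return host, domain, "Windows", raw
    host, sep, domain = raw.partition(".")
    if sep:
        return host, domain, "FQDN", raw
    return host, "", "", host


def normalize_row(row: dict):
    """Map one audit-log row to DhcpEvent fields; None for IDs outside the enumeration."""
    mapping = EVENT_MAP.get(field(row, "ID"))
    if mapping is None:
        return None  # e.g. server housekeeping events are not DhcpEvent records
    event_type, result = mapping
    ip = field(row, "IP Address")
    ipaddress.ip_address(ip)  # SrcIpAddr is mandatory: reject a malformed address early
    host, domain, domain_type, fqdn = split_hostname(field(row, "Host Name"), ip)
    return {
        "EventSchema": "DhcpEvent",
        "EventSchemaVersion": "0.1",
        "EventType": event_type,
        "EventResult": result,
        "EventOriginalType": field(row, "ID"),
        "SrcIpAddr": ip,
        "SrcHostname": host,
        "SrcDomain": domain,
        "SrcDomainType": domain_type,
        "SrcFQDN": fqdn,
        "SrcMacAddr": normalize_mac(field(row, "MAC Address")),
        "DhcpSessionId": field(row, "TransactionID"),
        "DhcpVendorClass": field(row, "VendorClass(ASCII)"),
    }


def parse_dhcp_log(text: str) -> list:
    """Parse a whole audit log (header included) into a list of normalized events."""
    events = (normalize_row(r) for r in csv.DictReader(StringIO(text)))
    return [ev for ev in events if ev is not None]


if __name__ == "__main__":
    for ev in parse_dhcp_log(SAMPLE_LOG):
        print(ev["EventType"], ev["EventResult"], ev["SrcIpAddr"],
              ev["SrcHostname"], ev["SrcMacAddr"], ev["DhcpSessionId"])
```

Rows whose event ID has no EventType mapping are dropped rather than forced into the enumeration, and a malformed IP address raises immediately because SrcIpAddr is mandatory; a production parser would instead route such rows to a dead-letter table so that parser gaps are visible.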
Next steps
For more information, see: