The Advanced Security Information Model (ASIM) Authentication normalization schema reference (Public preview)
The Microsoft Sentinel Authentication schema is used to describe events related to user authentication, sign-in, and sign-out. Authentication events are sent by many reporting devices, usually as part of the event stream alongside other events. For example, Windows sends several authentication events alongside other OS activity events.
Authentication events include both events from systems that focus on authentication such as VPN gateways or domain controllers, and direct authentication to an end system, such as a computer or firewall.
For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).
Important
The Authentication normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Parsers
Deploy ASIM authentication parsers from the Microsoft Sentinel GitHub repository. For more information about ASIM parsers, see the articles ASIM parsers overview..
Unifying parsers
To use parsers that unify all ASIM out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the imAuthentication filtering parser or the ASimAuthentication parameter-less parser.
Source-specific parsers
For the list of authentication parsers Microsoft Sentinel provides refer to the ASIM parsers list:
Add your own normalized parsers
When implementing custom parsers for the Authentication information model, name your KQL functions using the following syntax:
vimAuthentication<vendor><Product>for filtering parsersASimAuthentication<vendor><Product>for parameter-less parsers
For information on adding your custom parsers to the unifying parser, refer to Managing ASIM parsers.
Filtering parser parameters
The im and vim* parsers support filtering parameters. While these parsers are optional, they can improve your query performance.
The following filtering parameters are available:
| Name | Type | Description |
|---|---|---|
| starttime | datetime | Filter only authentication events that ran at or after this time. |
| endtime | datetime | Filter only authentication events that finished running at or before this time. |
| targetusername_has | string | Filter only authentication events that have any of the listed user names. |
For example, to filter only authentication events from the last day to a specific user, use:
imAuthentication (targetusername_has = 'johndoe', starttime = ago(1d), endtime=now())
Tip
To pass a literal list to parameters that expect a dynamic value, explicitly use a dynamic literal. For example: dynamic(['192.168.','10.']).
Normalized content
Normalized authentication analytic rules are unique as they detect attacks across sources. So, for example, if a user logged in to different, unrelated systems, from different countries/regions, Microsoft Sentinel will now detect this threat.
For a full list of analytics rules that use normalized Authentication events, see Authentication schema security content.
Schema overview
The Authentication information model is aligned with the OSSEM logon entity schema.
The fields listed in the table below are specific to Authentication events, but are similar to fields in other schemas and follow similar naming conventions.
Authentication events reference the following entities:
- TargetUser - The user information used to authenticate to the system. The TargetSystem is the primary subject of the authentication event, and the alias User aliases a TargetUser identified.
- TargetApp - The application authenticated to.
- Target - The system on which TargetApp* is running.
- Actor - The user initiating the authentication, if different than TargetUser.
- ActingApp - The application used by the Actor to perform the authentication.
- Src - The system used by the Actor to initiate the authentication.
The relationship between these entities is best demonstrated as follows:
An Actor, running an acting Application, ActingApp, on a source system, Src, attempts to authenticate as a TargetUser to a target application, TargetApp, on a target system, TargetDvc.
Schema details
In the following tables, Type refers to a logical type. For more information, see Logical types.
Common ASIM fields
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
Common fields with specific guidelines
The following list mentions fields that have specific guidelines for authentication events:
| Field | Class | Type | Description |
|---|---|---|---|
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. For Authentication records, supported values include: - Logon - Logoff- Elevate |
| EventResultDetails | Recommended | String | The details associated with the event result. This field is typically populated when the result is a failure. Allowed values include: - No such user or password. This value should be used also when the original event reports that there is no such user, without reference to a password.- No such user- Incorrect password- Incorrect key- Account expired- Password expired- User locked- User disabled- Logon violates policy. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.- Session expired- OtherThe value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalResultDetails |
| EventSubType | Optional | String | The sign-in type. Allowed values include: - System- Interactive- RemoteInteractive- Service- RemoteService- Remote - Use when the type of remote sign-in is unknown.- AssumeRole - Typically used when the event type is Elevate. The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalSubType. |
| EventSchemaVersion | Mandatory | String | The version of the schema. The version of the schema documented here is 0.1.3 |
| EventSchema | Mandatory | String | The name of the schema documented here is Authentication. |
| Dvc fields | - | - | For authentication events, device fields refer to the system reporting the event. |
All common fields
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.
| Class | Fields |
|---|---|
| Mandatory | - EventCount - EventStartTime - EventEndTime - EventType - EventResult - EventProduct - EventVendor - EventSchema - EventSchemaVersion - Dvc |
| Recommended | - EventResultDetails - EventSeverity - EventUid - DvcIpAddr - DvcHostname - DvcDomain - DvcDomainType - DvcFQDN - DvcId - DvcIdType - DvcAction |
| Optional | - EventMessage - EventSubType - EventOriginalUid - EventOriginalType - EventOriginalSubType - EventOriginalResultDetails - EventOriginalSeverity - EventProductVersion - EventReportUrl - EventOwner - DvcZone - DvcMacAddr - DvcOs - DvcOsVersion - DvcOriginalAction - DvcInterface - AdditionalFields - DvcDescription - DvcScopeId - DvcScope |
Authentication-specific fields
| Field | Class | Type | Description |
|---|---|---|---|
| LogonMethod | Optional | String | The method used to perform authentication. Examples: Username & Password, PKI |
| LogonProtocol | Optional | String | The protocol used to perform authentication. Example: NTLM |
Actor fields
| Field | Class | Type | Description |
|---|---|---|---|
| ActorUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for additional IDs, see The User entity. Example: S-1-12-1-4141952679-1282074057-627758481-2916039507 |
| ActorScope | Optional | String | The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article. |
| ActorScopeId | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article. |
| ActorUserIdType | Conditional | UserIdType | The type of the ID stored in the ActorUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article. |
| ActorUsername | Optional | Username | The Actor’s username, including domain information when available. For more information, see The User entity. Example: AlbertE |
| ActorUsernameType | Conditional | UsernameType | Specifies the type of the user name stored in the ActorUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. Example: Windows |
| ActorUserType | Optional | UserType | The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article. For example: Guest |
| ActorOriginalUserType | Optional | UserType | The user type as reported by the reporting device. |
| ActorSessionId | Optional | String | The unique ID of the sign-in session of the Actor. Example: 102pTUgC3p8RIqHvzxLCHnFlg |
Acting Application fields
| Field | Class | Type | Description |
|---|---|---|---|
| ActingAppId | Optional | String | The ID of the application authorizing on behalf of the actor, including a process, browser, or service. For example: 0x12ae8 |
| ActingAppName | Optional | String | The name of the application authorizing on behalf of the actor, including a process, browser, or service. For example: C:\Windows\System32\svchost.exe |
| ActingAppType | Optional | AppType | The type of acting application. For more information, and allowed list of values, see AppType in the Schema Overview article. |
| HttpUserAgent | Optional | String | When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication. For example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 |
Target user fields
| Field | Class | Type | Description |
|---|---|---|---|
| TargetUserId | Optional | UserId | A machine-readable, alphanumeric, unique representation of the target user. For more information, and for alternative fields for additional IDs, see The User entity. Example: 00urjk4znu3BcncfY0h7 |
| TargetUserScope | Optional | String | The scope, such as Microsoft Entra tenant, in which TargetUserId and TargetUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article. |
| TargetUserScopeId | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which TargetUserId and TargetUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article. |
| TargetUserIdType | Conditional | UserIdType | The type of the user ID stored in the TargetUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article. Example: SID |
| TargetUsername | Optional | Username | The target user username, including domain information when available. For more information, see The User entity. Example: MarieC |
| TargetUsernameType | Conditional | UsernameType | Specifies the type of the username stored in the TargetUsername field. For more information and list of allowed values, see UsernameType in the Schema Overview article. |
| TargetUserType | Optional | UserType | The type of the Target user. For more information, and list of allowed values, see UserType in the Schema Overview article. For example: Member |
| TargetSessionId | Optional | String | The sign-in session identifier of the TargetUser on the source device. |
| TargetOriginalUserType | Optional | UserType | The user type as reported by the reporting device. |
| User | Alias | Username | Alias to the TargetUsername or to the TargetUserId if TargetUsername is not defined. Example: CONTOSO\dadmin |
Source system fields
| Field | Class | Type | Description |
|---|---|---|---|
| Src | Recommended | String | A unique identifier of the source device. This field may alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1 |
| SrcDvcId | Optional | String | The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc<DvcIdType>.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
| SrcDvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS. |
| SrcDvcScope | Optional | String | The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS. |
| SrcDvcIdType | Conditional | DvcIdType | The type of SrcDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used. |
| SrcDeviceType | Optional | DeviceType | The type of the source device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article. |
| SrcHostname | Recommended | Hostname | The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D |
| SrcDomain | Recommended | String | The domain of the source device. Example: Contoso |
| SrcDomainType | Conditional | DomainType | The type of SrcDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article. Required if SrcDomain is used. |
| SrcFQDN | Optional | String | The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\DESKTOP-1282V4D |
| SrcDescription | Optional | String | A descriptive text associated with the device. For example: Primary Domain Controller. |
| SrcIpAddr | Optional | IP Address | The IP address of the source device. Example: 2.2.2.2 |
| SrcPortNumber | Optional | Integer | The IP port from which the connection originated. Example: 2335 |
| SrcDvcOs | Optional | String | The OS of the source device. Example: Windows 10 |
| IpAddr | Alias | Alias to SrcIpAddr | |
| SrcIsp | Optional | String | The Internet Service Provider (ISP) used by the source device to connect to the internet. Example: corpconnect |
| SrcGeoCountry | Optional | Country | Example: Canada For more information, see Logical types. |
| SrcGeoCity | Optional | City | Example: Montreal For more information, see Logical types. |
| SrcGeoRegion | Optional | Region | Example: Quebec For more information, see Logical types. |
| SrcGeoLongtitude | Optional | Longitude | Example: -73.614830 For more information, see Logical types. |
| SrcGeoLatitude | Optional | Latitude | Example: 45.505918 For more information, see Logical types. |
| SrcRiskLevel | Optional | Integer | The risk level associated with the source. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.Example: 90 |
| SrcOriginalRiskLevel | Optional | Integer | The risk level associated with the source, as reported by the reporting device. Example: Suspicious |
Target application fields
| Field | Class | Type | Description |
|---|---|---|---|
| TargetAppId | Optional | String | The ID of the application to which the authorization is required, often assigned by the reporting device. Example: 89162 |
| TargetAppName | Optional | String | The name of the application to which the authorization is required, including a service, a URL, or a SaaS application. Example: Saleforce |
| TargetAppType | Optional | AppType | The type of the application authorizing on behalf of the Actor. For more information, and allowed list of values, see AppType in the Schema Overview article. |
| TargetUrl | Optional | URL | The URL associated with the target application. Example: https://console.aws.amazon.com/console/home?fromtb=true&hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_us-east-1_7596bc16c83d260b |
| LogonTarget | Alias | Alias to either TargetAppName, TargetUrl, or TargetHostname, whichever field best describes the authentication target. |
Target system fields
| Field | Class | Type | Description |
|---|---|---|---|
| Dst | Alias | String | A unique identifier of the authentication target. This field may alias the TargerDvcId, TargetHostname, TargetIpAddr, TargetAppId, or TargetAppName fields. Example: 192.168.12.1 |
| TargetHostname | Recommended | Hostname | The target device hostname, excluding domain information. Example: DESKTOP-1282V4D |
| TargetDomain | Recommended | String | The domain of the target device. Example: Contoso |
| TargetDomainType | Conditional | Enumerated | The type of TargetDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article. Required if TargetDomain is used. |
| TargetFQDN | Optional | String | The target device hostname, including domain information when available. Example: Contoso\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\hostname format. The TargetDomainType reflects the format used. |
| TargetDescription | Optional | String | A descriptive text associated with the device. For example: Primary Domain Controller. |
| TargetDvcId | Optional | String | The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields TargetDvc<DvcIdType>. Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
| TargetDvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS. |
| TargerDvcScope | Optional | String | The cloud platform scope the device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS. |
| TargetDvcIdType | Conditional | Enumerated | The type of TargetDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Required if TargetDeviceId is used. |
| TargetDeviceType | Optional | Enumerated | The type of the target device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article. |
| TargetIpAddr | Optional | IP Address | The IP address of the target device. Example: 2.2.2.2 |
| TargetDvcOs | Optional | String | The OS of the target device. Example: Windows 10 |
| TargetPortNumber | Optional | Integer | The port of the target device. |
| TargetGeoCountry | Optional | Country | The country associated with the target IP address. Example: USA |
| TargetGeoRegion | Optional | Region | The region associated with the target IP address. Example: Vermont |
| TargetGeoCity | Optional | City | The city associated with the target IP address. Example: Burlington |
| TargetGeoLatitude | Optional | Latitude | The latitude of the geographical coordinate associated with the target IP address. Example: 44.475833 |
| TargetGeoLongitude | Optional | Longitude | The longitude of the geographical coordinate associated with the target IP address. Example: 73.211944 |
| TargetRiskLevel | Optional | Integer | The risk level associated with the target. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.Example: 90 |
| TargetOriginalRiskLevel | Optional | Integer | The risk level associated with the target, as reported by the reporting device. Example: Suspicious |
Inspection fields
The following fields are used to represent that inspection performed by a security system.
| Field | Class | Type | Description |
|---|---|---|---|
| RuleName | Optional | String | The name or ID of the rule by associated with the inspection results. |
| RuleNumber | Optional | Integer | The number of the rule associated with the inspection results. |
| Rule | Alias | String | Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string. |
| ThreatId | Optional | String | The ID of the threat or malware identified in the audit activity. |
| ThreatName | Optional | String | The name of the threat or malware identified in the audit activity. |
| ThreatCategory | Optional | String | The category of the threat or malware identified in audit file activity. |
| ThreatRiskLevel | Optional | Integer | The risk level associated with the identified threat. The level should be a number between 0 and 100. Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal. |
| ThreatOriginalRiskLevel | Optional | String | The risk level as reported by the reporting device. |
| ThreatConfidence | Optional | Integer | The confidence level of the threat identified, normalized to a value between 0 and a 100. |
| ThreatOriginalConfidence | Optional | String | The original confidence level of the threat identified, as reported by the reporting device. |
| ThreatIsActive | Optional | Boolean | True if the threat identified is considered an active threat. |
| ThreatFirstReportedTime | Optional | datetime | The first time the IP address or domain were identified as a threat. |
| ThreatLastReportedTime | Optional | datetime | The last time the IP address or domain were identified as a threat. |
| ThreatIpAddr | Optional | IP Address | An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. |
| ThreatField | Optional | Enumerated | The field for which a threat was identified. The value is either SrcIpAddr or TargetIpAddr. |
Schema updates
These are the changes in version 0.1.1 of the schema:
- Updated user and device entity fields to align with other schemas.
- Renamed
TargetDvcandSrcDvctoTargetandSrcrespectively to align with current ASIM guidelines. The renamed fields will be implemented as aliases until July 1st 2022. Those fields include:SrcDvcHostname,SrcDvcHostnameType,SrcDvcType,SrcDvcIpAddr,TargetDvcHostname,TargetDvcHostnameType,TargetDvcType,TargetDvcIpAddr, andTargetDvc. - Added the aliases
SrcandDst. - Added the fields
SrcDvcIdType,SrcDeviceType,TargetDvcIdType, andTargetDeviceType, andEventSchema.
These are the changes in version 0.1.2 of the schema:
- Added the fields
ActorScope,TargetUserScope,SrcDvcScopeId,SrcDvcScope,TargetDvcScopeId,TargetDvcScope,DvcScopeId, andDvcScope.
These are the changes in version 0.1.3 of the schema:
- Added the fields
SrcPortNumber,ActorOriginalUserType,ActorScopeId,TargetOriginalUserType,TargetUserScopeId,SrcDescription,SrcRiskLevel,SrcOriginalRiskLevel, andTargetDescription. - Added inspection fields
- Added target system geo-location fields.
Next steps
For more information, see: