Redigera

Dela via


ASimFileEventLogs

The Advanced Security Information Model (ASIM) File Event normalization schema describes file activity such as creating, modifying, or deleting files or documents.

Table attributes

Attribute Value
Resource types microsoft.securityinsights/asimtables
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries -

Columns

Column Type Description
ActingProcessCommandLine string The command line used to run the acting process.
ActingProcessGuid string A generated unique identifier (GUID) of the acting process.
ActingProcessId string The process ID (PID) of the acting process.
ActingProcessName string The name of the acting process.
ActorOriginalUserType string The original actor user type as provided by the reporting device.
ActorScope string The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.
ActorScopeId string The scope ID, such as Azure AD Directory ID, in which ActorUserId and ActorUsername are defined.
ActorSessionId string The unique ID of the login session of the Actor.
ActorUserAadId string The Azure Active Directory ID of the actor.
ActorUserId string A machine-readable, alphanumeric, unique representation of the actor.
ActorUserIdType string The type of the ID stored in the ActorUserId field.
ActorUsername string The Actor username, including domain information when available.
ActorUsernameType string Specifies the type of the user name stored in the ActorUsername field.
ActorUserSid string The Windows user ID (SIDs) of the actor.
ActorUserType string The type of actor.
AdditionalFields dynamic Additional information, represented using key/value pairs provided by the source which do not map to ASim.
_BilledSize real The record size in bytes
DvcAction string The action taken on the web session.
DvcDescription string A descriptive text associated with the device.
DvcDomain string The domain of the device reporting the event.
DvcDomainType string The type of DvcDomain. Valid values include 'Windows' and 'FQDN'.
DvcFQDN string The hostname of the device on which the event occurred or which reported the event.
DvcHostname string The hostname of the device reporting the event.
DvcId string The unique ID of the device on which the event occurred or which reported the event.
DvcIdType string The type of DvcId.
DvcInterface string The original DvcAction as provided by the reporting device.
DvcIpAddr string The IP address of the device reporting the event.
DvcMacAddr string The MAC address of the device on which the event occurred or which reported the event.
DvcOriginalAction string The original DvcAction as provided by the reporting device.
DvcOs string The operating system running on the device on which the event occurred or which reported the event.
DvcOsVersion string The version of the operating system on the device on which the event occurred or which reported the event.
DvcScope string The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS.
DvcScopeId string The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.
DvcZone string The network on which the event occurred or which reported the event, depending on the schema.
EventCount int This value is used when the source supports aggregation, and a single record may represent multiple events.
EventEndTime datetime The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.
EventMessage string A general message or description.
EventOriginalResultDetails string The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.
EventOriginalSeverity string The original severity as provided by the reporting device. This value is used to derive EventSeverity.
EventOriginalSubType string The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema.
EventOriginalType string The original event type or ID, if provided by the source.
EventOriginalUid string A unique ID of the original record, if provided by the source.
EventOwner string The owner of the event, which is usually the department or subsidiary in which it was generated.
EventProduct string The product generating the event.
EventProductVersion string The version of the product generating the event.
EventReportUrl string A URL provided in the event for a resource that provides more information about the event.
EventResult string The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.
EventResultDetails string The HTTP status code.
EventSchema string The schema the event is normalized to. Each schema documents its schema name.
EventSchemaVersion string The version of the schema.
EventSeverity string The severity of the event. Valid values are: Informational, Low, Medium, or High.
EventStartTime datetime The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.
EventSubType string Additional description of the event type, if applicable.
EventType string The operation reported by the record.
EventVendor string The vendor of the product generating the event.
HashType string The type of hash stored in the Hash alias field.
HttpUserAgent string When the operation is initiated using HTTP or HTTPS, the HTTP user agent header.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
NetworkApplicationProtocol string When the operation is initiated by a remote system, the application layer protocol used by the connection or session.
_ResourceId string A unique identifier for the resource that the record is associated with
RuleName string The name or ID of the rule by associated with the inspection results.
RuleNumber int The number of the rule associated with the inspection results.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
SrcDescription string A descriptive text associated with the device.
SrcDeviceType string The type of the source device.
SrcDomain string The domain of the source device.
SrcDomainType string The type of SrcDomain.
SrcDvcId string The ID of the source device.
SrcDvcIdType string The type of SrcDvcId.
SrcDvcScope string The cloud platform scope the device belongs to.
SrcDvcScopeId string The cloud platform scope ID the device belongs to.
SrcFileCreationTime datetime The time at which the source file was created.
SrcFileDirectory string The source file folder or location.
SrcFileExtension string The source file extension.
SrcFileMD5 string The MD5 hash of the source file.
SrcFileMimeType string The Mime or Media type of the source file.
SrcFileName string The name of the source file, without a path or a location, but with an extension if relevant.
SrcFilePath string The full, normalized path of the source file, including the folder or location, the file name, and the extension.
SrcFilePathType string The type of SrcFilePath.
SrcFileSHA1 string The SHA-1 hash of the source file.
SrcFileSHA256 string The SHA-256 hash of the source file.
SrcFileSHA512 string The SHA-512 hash of the source file.
SrcFileSize long The size of the source file in bytes.
SrcFQDN string The source device hostname, including domain information when available.
SrcGeoCity string The city associated with the source IP address.
SrcGeoCountry string The country associated with the source IP address.
SrcGeoLatitude real The latitude of the geographical coordinate associated with the source IP address.
SrcGeoLongitude real The longitude of the geographical coordinate associated with the source IP address.
SrcGeoRegion string The region within a country associated with the source IP address.
SrcHostname string The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.
SrcIpAddr string When the operation is initiated by a remote system, the IP address of this system.
SrcMacAddr string The MAC address of the source device.
SrcOriginalRiskLevel string The risk level associated with the source. As reported by the reporting device or enriched.
SrcPortNumber int When the operation is initiated by a remote system, the port number from which the connection was initiated.
SrcRiskLevel int The risk level associated with the source.
_SubscriptionId string A unique identifier for the subscription that the record is associated with
TargetAppId string The ID of the destination application, as reported by the reporting device.
TargetAppName string The name of the destination application.
TargetAppType string The type of the destination application.
TargetFileCreationTime datetime The time at which the target file was created.
TargetFileDirectory string The target file folder or location.
TargetFileExtension string The target file extension.
TargetFileMD5 string The MD5 hash of the target file.
TargetFileMimeType string The Mime or Media type of the target file.
TargetFileName string The name of the target file, without a path or a location, but with an extension if relevant.
TargetFilePath string The full, normalized path of the target file, including the folder or location, the file name, and the extension.
TargetFilePathType string The type of TargetFilePath.
TargetFileSHA1 string The SHA-1 hash of the target file.
TargetFileSHA256 string The SHA-256 hash of the target file.
TargetFileSHA512 string The SHA-512 hash of the source file.
TargetFileSize long The size of the target file in bytes.
TargetOriginalAppType string The target application type as reported by the reporting device.
TargetUrl string When the operation is initiated using HTTP or HTTPS, the URL used.
TenantId string The Log Analytics workspace ID
ThreatCategory string The category of the threat or malware identified in the file activity.
ThreatConfidence int The confidence level of the threat identified, normalized to a value between 0 and a 100.
ThreatField string The field for which a threat was identified. The value is either SrcFilePath or DstFilePath.
ThreatFilePath string A file path for which a threat was identified. The field ThreatField contains the name of the field ThreatFilePath represents.
ThreatFirstReportedTime datetime The first time the IP address or domain were identified as a threat.
ThreatId string The ID of the threat or malware identified in the file activity.
ThreatIsActive bool True ID the threat identified is considered an active threat.
ThreatLastReportedTime datetime The last time the IP address or domain were identified as a threat.
ThreatName string The name of the threat or malware identified in the file activity.
ThreatOriginalConfidence string The original confidence level of the threat identified, as reported by the reporting device.
ThreatOriginalRiskLevel string The risk level as reported by the reporting device.
ThreatRiskLevel int The risk level associated with the identified threat. The level should be a number between 0 and 100.
TimeGenerated datetime The timestamp reflecting the time in which the event was generated.
Type string The name of the table