---
title: The Advanced Security Information Model (ASIM) common schema fields reference | Microsoft Docs
description: This article describes the Advanced Security Information Model (ASIM) common schema fields
author: oshezaf
ms.topic: reference
ms.date: 11/17/2021
ms.author: ofshezaf
#Customer intent: As a security analyst, I want to understand the common schema fields in the Advanced Security Information Model (ASIM) so that I can accurately interpret and normalize event data across different sources.
---
# The Advanced Security Information Model (ASIM) common schema fields reference
Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the **EventType** field might vary per schema, as might the value of the **EventSchemaVersion** field.
## Standard Log Analytics fields
The following fields are generated by Log Analytics, in most cases, for each record. They can be overridden when you [create a custom connector](create-custom-connector.md).
| Field | Type | Discussion |
| ------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| <a name="timegenerated"></a>**TimeGenerated** | Date/Time | The time the event was generated by the reporting device.|
| **Type** | String | The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same [EventVendor](#eventvendor) and [EventProduct](#eventproduct) values.<br><br>For example, a Sysmon event can be collected either to the `Event` table or to the `WindowsEvent` table. |
> [!NOTE]
> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](/azure/azure-monitor/logs/log-standard-columns).
## Common ASIM fields
The following fields are defined by ASIM for all schemas:
### Event fields
| Field | Class | Type | Description |
|---------------------|-------------|------------|--------------------|
| <a name="eventmessage"></a>**EventMessage** | Optional | String | A general message or description, either included in or generated from the record. |
| <a name="eventcount"></a>**EventCount** | Mandatory | Integer | The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record might represent multiple events. <br><br>For other sources, set to `1`. |
| <a name="eventstarttime"></a>**EventStartTime** | Mandatory | Date/time | The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. |
| <a name="eventendtime"></a>**EventEndTime** | Mandatory | Date/time | The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. |
| <a name="eventtype"></a>**EventType** | Mandatory | Enumerated | Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalType](#eventoriginaltype) field. |
| <a name="eventsubtype"></a>**EventSubType** | Optional | Enumerated | Describes a subdivision of the operation reported in the [EventType](#eventtype) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalSubType](#eventoriginalsubtype) field. |
| <a name="eventresult"></a>**EventResult** | Mandatory | Enumerated | One of the following values: **Success**, **Partial**, **Failure**, **NA** (Not Applicable).<br> <br>The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the [EventResultDetails](#eventresultdetails) field, which should be analyzed to derive the EventResult value.<br><br>Example: `Success`|
| <a name="eventresultdetails"></a>**EventResultDetails** | Recommended | Enumerated | Reason or details for the result reported in the [EventResult](#eventresult) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalResultDetails](#eventoriginalresultdetails) field.<br><br>Example: `NXDOMAIN`|
| <a name="eventuid"></a>**EventUid** | Recommended | String | The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field. |
| <a name="eventoriginaluid"></a>**EventOriginalUid** | Optional | String | A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`|
| <a name="eventoriginaltype"></a>**EventOriginalType** | Optional | String | The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive [EventType](#eventtype), which should have only one of the values documented for each schema.<br><br>Example: `4624`|
| <a name="eventoriginalsubtype"></a>**EventOriginalSubType** | Optional | String | The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive [EventSubType](#eventsubtype), which should have only one of the values documented for each schema.<br><br>Example: `2`|
| <a name="eventoriginalresultdetails"></a>**EventOriginalResultDetails** | Optional | String | The original result details provided by the source. This value is used to derive [EventResultDetails](#eventresultdetails), which should have only one of the values documented for each schema. |
| <a name="eventseverity"></a>**EventSeverity** | Recommended | Enumerated | The severity of the event. Valid values are: `Informational`, `Low`, `Medium`, or `High`. |
| <a name="eventoriginalseverity"></a>**EventOriginalSeverity** | Optional | String | The original severity as provided by the reporting device. This value is used to derive [EventSeverity](#eventseverity). |
| <a name="eventproduct"></a>**EventProduct** | Mandatory | String | The product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Sysmon` |
| <a name="eventproductversion"></a>**EventProductVersion** | Optional | String | The version of the product generating the event. <br><br>Example: `12.1` |
| <a name="eventvendor"></a>**EventVendor** | Mandatory | String | The vendor of the product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Microsoft` <br><br> |
| <a name="eventschema"></a>**EventSchema** | Mandatory | Enumerated | The schema the event is normalized to. Each schema documents its schema name. |
| <a name="eventschemaversion"></a>**EventSchemaVersion** | Mandatory | SchemaVersion (String) | The version of the schema. Each schema documents its current version. |
| <a name="eventreporturl"></a>**EventReportUrl** | Optional | URL (String) | A URL provided in the event for a resource that provides more information about the event.|
| <a name="eventowner"></a>**EventOwner** | Optional | String | The owner of the event, which is usually the department or subsidiary in which it was generated. |
### Device fields
The role of the device fields differs between schemas and event types. For example:
- For Network Session events, the device fields usually provide information about the device that generated the event.
- For Process events, the device fields provide information about the device on which the process is executed.
Each schema document specifies the role of the device for that schema.
| Field | Class | Type | Description |
|---------------------|-------------|------------|--------------------|
| <a name="dvc"></a>**Dvc** | Alias | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [EventProduct](#eventproduct) field. |
| <a name="dvcipaddr"></a>**DvcIpAddr** | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12` |
| <a name="dvchostname"></a>**DvcHostname** | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc` |
| <a name="dvcdomain"></a>**DvcDomain** | Recommended | Domain (String) | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` |
| <a name="dvcdomaintype"></a>**DvcDomainType** | Conditional | Enumerated | The type of [DvcDomain](#dvcdomain). For a list of allowed values and further information, refer to [DomainType](normalization-entity-device.md#domaintype).<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |
| <a name="dvcfqdn"></a>**DvcFQDN** | Optional | FQDN (String) | The hostname of the device on which the event occurred or which reported the event, depending on the schema, including its domain. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>**Note**: This field supports both the traditional FQDN format and the Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. |
| <a name="dvcdescription"></a>**DvcDescription** | Optional | String | A descriptive text associated with the device. For example: `Primary Domain Controller`. |
| <a name="dvcid"></a>**DvcId** | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` |
| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). Allowed values:<br>- `AzureResourceId`<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId** and **DvcMDEid**, respectively.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |
| <a name="dvcmacaddr"></a>**DvcMacAddr** | Optional | MAC address | The MAC address of the device on which the event occurred or which reported the event. <br><br>Example: `00:1B:44:11:3A:B7` |
| <a name="dvczone"></a>**DvcZone** | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: `Dmz` |
| <a name="dvcos"></a>**DvcOs** | Optional | String | The operating system running on the device on which the event occurred or which reported the event. <br><br>Example: `Windows` |
| <a name="dvcosversion"></a>**DvcOsVersion** | Optional | String | The version of the operating system on the device on which the event occurred or which reported the event. <br><br>Example: `10` |
| <a name="dvcaction"></a>**DvcAction** | Optional | String | For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked` |
| <a name="dvcoriginalaction"></a>**DvcOriginalAction** | Optional | String | The original [DvcAction](#dvcaction) as provided by the reporting device. |
| <a name="dvcinterface"></a>**DvcInterface** | Optional | String | The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device. |
| <a name="dvcscopeid"></a>**DvcScopeId** | Optional | String | The cloud platform scope ID the device belongs to. **DvcScopeId** maps to a subscription ID on Azure and to an account ID on AWS. |
| <a name="dvcscope"></a>**DvcScope** | Optional | String | The cloud platform scope the device belongs to. **DvcScope** maps to a subscription ID on Azure and to an account ID on AWS. |
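As an added example (not code from the ASIM documentation or its parsers), the following KQL normalizes two constructed Windows Security events into the event and device fields described above: raw values are preserved in the `EventOriginal*` fields, `EventStartTime`/`EventEndTime` alias `TimeGenerated`, `EventResult` is derived from the event ID, and `DvcFQDN` is split into `DvcHostname`/`DvcDomain` with `DvcDomainType` recording the format. It assumes the `Authentication` schema name; the schema version is a placeholder, and the severity and logon-type mappings (only types 2 and 10) are assumptions.

```kusto
// Constructed sample of two Windows Security events (not real telemetry)
let SampleSecurityEvent = datatable(TimeGenerated:datetime, EventID:int, LogonType:int, Computer:string, Activity:string) [
    datetime(2023-01-15 10:02:11), 4624, 2,  "desktop-1282v4d.contoso.com", "4624 - An account was successfully logged on.",
    datetime(2023-01-15 10:05:42), 4625, 10, "CONTOSO\\ContosoDc",          "4625 - An account failed to log on."
];
SampleSecurityEvent
// Event fields: keep the raw source values in EventOriginal*, then derive the normalized values
| extend
    EventCount           = int(1),              // the source does not aggregate, so one event per record
    EventStartTime       = TimeGenerated,       // not supplied by the source: alias TimeGenerated
    EventEndTime         = TimeGenerated,
    EventOriginalType    = tostring(EventID),   // e.g. "4624"
    EventOriginalSubType = tostring(LogonType), // e.g. "2"
    EventMessage         = Activity
| extend
    EventType     = "Logon",
    EventSubType  = case(LogonType == 2, "Interactive", LogonType == 10, "RemoteInteractive", ""), // assumed mapping
    EventResult   = case(EventID == 4624, "Success", EventID == 4625, "Failure", "NA"),
    EventSeverity = iff(EventID == 4625, "Low", "Informational"), // assumed severity mapping
    EventVendor   = "Microsoft",
    EventProduct  = "Security Events",
    EventSchema   = "Authentication",
    EventSchemaVersion = "0.1.3"                // placeholder: use the version the schema document states
// Device fields: DvcFQDN accepts both FQDN and domain\hostname; DvcDomainType records which one was used
| extend DvcFQDN = Computer
| extend DvcDomainType = case(DvcFQDN contains "\\", "Windows", DvcFQDN contains ".", "FQDN", "")
| extend DvcHostname = case(DvcDomainType == "Windows", tostring(split(DvcFQDN, "\\")[1]),
                            DvcDomainType == "FQDN",    tostring(split(DvcFQDN, ".")[0]),
                            DvcFQDN)
| extend DvcDomain   = case(DvcDomainType == "Windows", tostring(split(DvcFQDN, "\\")[0]),
                            DvcDomainType == "FQDN",    strcat_array(array_slice(split(DvcFQDN, "."), 1, -1), "."),
                            "")
| extend Dvc = DvcHostname                      // alias the device identifier this schema treats as primary
| project-away EventID, LogonType, Computer, Activity
```

The first row yields `DvcDomainType == "FQDN"` with `DvcHostname == "desktop-1282v4d"` and `DvcDomain == "contoso.com"`; the second yields `Windows`, `ContosoDc`, and `CONTOSO`.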
### Other fields
| Field | Class | Type | Description |
|---------------------|-------------|------------|--------------------|
| <a name="additionalfields"></a>**AdditionalFields** | Optional | Dynamic | If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic **AdditionalFields** field, and add to it the extra information as key/value pairs. |
### Schema updates
- The `EventOwner` field was added to the common fields, and therefore to all of the schemas, on Dec 1, 2022.
- The `EventUid` field was added to the common fields, and therefore to all of the schemas, on Dec 26, 2022.
## Vendors and products
To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and might not directly correspond to the value sent by the source, if the source provides one at all.
The currently supported list of vendors and products used in the [EventVendor](#eventvendor) and [EventProduct](#eventproduct) fields respectively is:
| Vendor | Products |
| ------ | -------- |
| `AWS` | - `CloudTrail`<br> - `VPC` |
| `Cisco` | - `ASA`<br> - `Umbrella`<br> - `IOS`<br> - `Meraki` |
| `Corelight` | `Zeek` |
| `Cynerio` | `Cynerio` |
| `Dataminr` | `Dataminr Pulse` |
| `GCP` | `Cloud DNS` |
| `Infoblox` | `NIOS` |
| `Microsoft` | - `Microsoft Entra ID`<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br> - `Azure File Storage`<br> - `Azure NSG flows`<br> - `Azure Queue Storage`<br> - `Azure Table Storage`<br> - `DNS Server`<br> - `Microsoft Defender XDR for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br> - `SharePoint`<br> - `OneDrive`<br> - `Sysmon`<br> - `Sysmon for Linux`<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData` |
| `Linux` | - `su`<br> - `sudo`|
| `Okta` | - `Okta`<br> - `Auth0` |
| `OpenBSD` | `OpenSSH` |
| `Palo Alto` | - `PanOS`<br> - `CDL` |
| `PostgreSQL` | `PostgreSQL` |
| `Squid` | `Squid Proxy`|
| `Vectra AI` | `Vectra Stream` |
| `WatchGuard` | `Fireware` |
| `Zscaler` | - `ZIA DNS`<br> - `ZIA Firewall`<br> - `ZIA Proxy` |
If you're developing a parser for a vendor or product not listed here, contact the [Microsoft Sentinel](mailto:azuresentinel@microsoft.com) team to allocate new allowed vendor and product designators.
## Next steps
For more information, see:
- Watch the [ASIM Webinar](https://www.youtube.com/watch?v=WoGD-JeC7ng) or review the [slides](https://1drv.ms/b/s!AnEPjr8tHcNmjDY1cro08Fk3KUj-?e=murYHG)
- [Advanced Security Information Model (ASIM) overview](normalization.md)
- [Advanced Security Information Model (ASIM) schemas](normalization-about-schemas.md)
- [Advanced Security Information Model (ASIM) parsers](normalization-parsers-overview.md)
- [Advanced Security Information Model (ASIM) content](normalization-content.md)