The Advanced Security Information Model (ASIM) common schema fields reference (preview)
Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field.
Standard Log Analytics fields
The following fields are generated by Log Analytics, in most cases, for each record. They can be overridden when you create a custom connector.
| Field | Type | Discussion |
|---|---|---|
| TimeGenerated | datetime | The time the event was generated by the reporting device. |
| Type | String | The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. |
Note
Log Analytics also adds other fields that are less relevant to security use cases. For more information, see Standard columns in Azure Monitor Logs.
Common ASIM fields
The following fields are defined by ASIM for all schemas:
Event fields
| Field | Class | Type | Description |
|---|---|---|---|
| EventMessage | Optional | String | A general message or description, either included in or generated from the record. |
| EventCount | Mandatory | Integer | The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to 1. |
| EventStartTime | Mandatory | Date/time | The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field. |
| EventEndTime | Mandatory | Date/time | The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field. |
| EventType | Mandatory | Enumerated | Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalType field. |
| EventSubType | Optional | Enumerated | Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field. |
| EventResult | Mandatory | Enumerated | One of the following values: Success, Partial, Failure, NA (Not Applicable). The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. Example: Success |
| EventResultDetails | Recommended | Enumerated | Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. Example: NXDOMAIN |
| EventUid | Recommended | String | The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the _ItemId Log Analytics field. |
| EventOriginalUid | Optional | String | A unique ID of the original record, if provided by the source. Example: 69f37748-ddcd-4331-bf0f-b137f1ea83b |
| EventOriginalType | Optional | String | The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. Example: 4624 |
| EventOriginalSubType | Optional | String | The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. Example: 2 |
| EventOriginalResultDetails | Optional | String | The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema. |
| EventSeverity | Recommended | Enumerated | The severity of the event. Valid values are: Informational, Low, Medium, or High. |
| EventOriginalSeverity | Optional | String | The original severity as provided by the reporting device. This value is used to derive EventSeverity. |
| EventProduct | Mandatory | String | The product generating the event. The value should be one of the values listed in Vendors and Products. Example: Sysmon |
| EventProductVersion | Optional | String | The version of the product generating the event. Example: 12.1 |
| EventVendor | Mandatory | String | The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. Example: Microsoft |
| EventSchema | Mandatory | String | The schema the event is normalized to. Each schema documents its schema name. |
| EventSchemaVersion | Mandatory | String | The version of the schema. Each schema documents its current version. |
| EventReportUrl | Optional | String | A URL provided in the event for a resource that provides more information about the event. |
| EventOwner | Optional | String | The owner of the event, which is usually the department or subsidiary in which it was generated. |
Device fields
The role of the device fields is different for different schemas and event types. For example:
- For the Network Session events, device fields usually provide information about the device that generated the event
- For the Process events, the device fields provide information on the device on that the process is executed.
Each schema document specifies the role of the device for the schema.
| Field | Class | Type | Description |
|---|---|---|---|
| Dvc | Alias | String | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the Event Product field. |
| DvcIpAddr | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. Example: 45.21.42.12 |
| DvcHostname | Recommended | Hostname | The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: ContosoDc |
| DvcDomain | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso |
| DvcDomainType | Conditional | Enumerated | The type of DvcDomain. For a list of allowed values and further information, refer to DomainType. Note: This field is required if the DvcDomain field is used. |
| DvcFQDN | Optional | String | The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso\DESKTOP-1282V4DNote: This field supports both traditional FQDN format and Windows domain\hostname format. The DvcDomainType field reflects the format used. |
| DvcDescription | Optional | String | A descriptive text associated with the device. For example: Primary Domain Controller. |
| DvcId | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. Example: 41502da5-21b7-48ec-81c9-baeea8d7d669 |
| DvcIdType | Conditional | Enumerated | The type of DvcId. For a list of allowed values and further information, refer to DvcIdType. - MDEidIf multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively. Note: This field is required if the DvcId field is used. |
| DvcMacAddr | Optional | MAC | The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7 |
| DvcZone | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. Example: Dmz |
| DvcOs | Optional | String | The operating system running on the device on which the event occurred or which reported the event. Example: Windows |
| DvcOsVersion | Optional | String | The version of the operating system on the device on which the event occurred or which reported the event. Example: 10 |
| DvcAction | Recommended | String | For reporting security systems, the action taken by the system, if applicable. Example: Blocked |
| DvcOriginalAction | Optional | String | The original DvcAction as provided by the reporting device. |
| DvcInterface | Optional | String | The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device. |
| DvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure. |
| DvcScope | Optional | String | The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure. |
Other fields
Schema updates
- The
EventOwnerfield has been added to the common fields on Dec 1, 2022, and therefore to all of the schemas. - The
EventUidfield has been added to the common fields on Dec 26, 2022, and therefore to all of the schemas.
Vendors and products
To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and may not directly correspond to the value sent by the source, when available.
The currently supported list of vendors and products used in the EventVendor and EventProduct fields respectively is:
| Vendor | Products |
|---|---|
Cisco |
ASA |
Microsoft |
- Microsoft Entra ID - Azure- Azure Firewall- Azure Blob Storage- Azure File Storage- Azure Queue Storage- Azure Table Storage - DNS Server- Security Events- SharePoint- OneDrive- Sysmon- Sysmon for Linux- Windows Firewall |
Linux |
- su- sudo |
Palo Alto |
- PanOS- CDL |
Zscaler |
- ZIA DNS- ZIA Firewall- ZIA Proxy |
If you are developing a parser for a vendor or a product,s which are not listed here, contact the Microsoft Sentinel team to allocate a new allowed vendor and product designators.
Next steps
For more information, see: