Devices, or hosts, are the common terms used for the systems that take part in the event. The Dvc prefix is used to designate the primary device on which the event occurs. Some events, such as network sessions, have source and destination devices, designated by the prefix Src and Dst. In such a case, the Dvc prefix is used for the device reporting the event, which might be the source, destination, or a monitoring device.
The device aliases
| Field | Class | Type | Description |
|---|---|---|---|
| Dvc, Src, Dst | Mandatory | String | The Dvc, Src, or Dst field is used as a unique identifier of the device. It is set to the best available identifier for the device. These fields can alias the FQDN, DvcId, Hostname, or IpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the EventProduct field. |
The device name
Reported device names may include a hostname only, or a fully qualified domain name (FQDN), which includes a hostname and a domain name. The FQDN might be expressed using several formats. The following fields enable supporting the different variants in which the device name might be provided.
| Field | Class | Type | Description |
|---|---|---|---|
| Hostname | Recommended | Hostname | The short hostname of the device. |
| Domain | Recommended | String | The domain of the device on which the event occurred, without the hostname. |
| DomainType | Recommended | Enumerated | The type of Domain. Supported values include FQDN and Windows. This field is required if the Domain field is used. |
| FQDN | Optional | String | The FQDN of the device, including both Hostname and Domain. This field supports both the traditional FQDN format and the Windows domain\hostname format. The DomainType field reflects the format used. |
For example:
| Field | Value for input appserver.contoso.com | Value for input appserver |
|---|---|---|
| Hostname | appserver | appserver |
| Domain | contoso.com | <empty> |
| DomainType | FQDN | <empty> |
| FQDN | appserver.contoso.com | <empty> |
When the value provided by the source is an FQDN, the parser should calculate all four values. This is also true when the value may be either an FQDN or a short hostname. Use the ASIM helper functions _ASIM_ResolveFQDN, _ASIM_ResolveSrcFQDN, _ASIM_ResolveDstFQDN, and _ASIM_ResolveDvcFQDN to set all four fields from a single input value. For more information, see ASIM helper functions.
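The following is an added Python model of the resolution rule described above; it is not part of the ASIM documentation or of the _ASIM_Resolve*FQDN helper functions. It derives Hostname, Domain, DomainType, and FQDN from one reported name and, like the Src/Dst/Dvc helper variants, can emit the role-prefixed field names; the handling of an IP address input (all four fields left empty) and the exact shape accepted as a Windows domain\hostname value are assumptions.

```python
# Added example, not part of the ASIM documentation or the _ASIM_Resolve*FQDN helpers:
# a Python model of the rule for deriving Hostname, Domain, DomainType and FQDN.
import ipaddress
import re

# Windows form "DOMAIN\hostname": assumed to be exactly one backslash separating the two parts.
WINDOWS_NAME_RE = re.compile(r"^([^\\]+)\\([^\\]+)$")


def is_ip_address(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_fqdn(value: str, role: str = "") -> dict:
    """Derive the four device-name fields from one reported device name.

    role is "" for the unprefixed fields, or "Src", "Dst" or "Dvc" to produce the
    role-prefixed names (SrcHostname, DstDomain, DvcFQDN, ...), mirroring the
    Src/Dst/Dvc variants of the ASIM helper functions.
    """
    value = value.strip()
    empty = {"Hostname": "", "Domain": "", "DomainType": "", "FQDN": ""}
    win = WINDOWS_NAME_RE.match(value)
    if is_ip_address(value):
        # Assumption: an IP address is not a name, so all four fields stay empty
        # (the value belongs in IpAddr instead).
        fields = empty
    elif win:
        # Windows domain\hostname: FQDN keeps the original form, DomainType is Windows.
        fields = {"Hostname": win.group(2), "Domain": win.group(1),
                  "DomainType": "Windows", "FQDN": value}
    elif "." in value:
        # Traditional FQDN: the first label is the hostname, the rest is the domain.
        hostname, domain = value.split(".", 1)
        fields = {"Hostname": hostname, "Domain": domain,
                  "DomainType": "FQDN", "FQDN": value}
    else:
        # Short hostname only: Domain, DomainType and FQDN cannot be calculated.
        fields = dict(empty, Hostname=value)
    return {role + name: val for name, val in fields.items()}
```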
The device ID and Scope
| Field | Class | Type | Description |
|---|---|---|---|
| DvcId | Optional | String | The unique ID of the device. For example: 41502da5-21b7-48ec-81c9-baeea8d7d669 |
| ScopeId | Optional | String | The cloud platform scope ID the device belongs to. Scope maps to a subscription ID on Azure. |
| Scope | Optional | String | The cloud platform scope the device belongs to. Scope maps to a subscription on Azure. |
| DvcIdType | Optional | Enumerated | The type of DvcId. Typically this field also identifies the type of Scope and ScopeId. This field is required if the DvcId field is used. |
| DvcAzureResourceId, DvcMDEid, DvcMD4IoTid, DvcVMConnectionId, DvcVectraId | Optional | String | Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId. |
Field names should prepend a role prefix such as Src or Dst, but should not prepend a second Dvc prefix when used in that role.
The allowed values for a device ID type are:
| Type | Description |
|---|---|
| MDEid | The system ID assigned by Microsoft Defender for Endpoint. |
| AzureResourceId | The Azure resource ID. |
| MD4IoTid | The Microsoft Defender for IoT resource ID. |
| VMConnectionId | The Azure Monitor VM Insights solution resource ID. |
| VectraId | A Vectra AI assigned resource ID. |
| Other | An ID type not listed. |
Other device fields
| Field | Class | Type | Description |
|---|---|---|---|
| IpAddr | Recommended | IP address | The IP address of the device. Example: 45.21.42.12 |
| DvcDescription | Optional | String | A descriptive text associated with the device. For example: Primary Domain Controller. |
| MacAddr | Optional | MAC | The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7 |
| Zone | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. Example: Dmz |
| DvcOs | Optional | String | The operating system running on the device on which the event occurred or which reported the event. Example: Windows |
| DvcOsVersion | Optional | String | The version of the operating system on the device on which the event occurred or which reported the event. Example: 10 |
| DvcAction | Optional | String | For reporting security systems, the action taken by the system, if applicable. Example: Blocked |
| DvcOriginalAction | Optional | String | The original DvcAction as provided by the reporting device. |
| Interface | Optional | String | The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device. |
Fields named in the list with the Dvc prefix should prepend a role prefix such as Src or Dst, but should not prepend a second Dvc prefix when used in that role.