The Advanced Security Information Model (ASIM) Authentication normalization schema reference (Public preview)

The Microsoft Sentinel Authentication schema is used to describe events related to user authentication, sign-in, and sign-out. Authentication events are sent by many reporting devices, usually as part of the event stream alongside other events. For example, Windows sends several authentication events alongside other OS activity events.

Authentication events include both events from systems that focus on authentication such as VPN gateways or domain controllers, and direct authentication to an end system, such as a computer or firewall.

For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).

Important

The Authentication normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Parsers

Deploy ASIM authentication parsers from the Microsoft Sentinel GitHub repository. For more information about ASIM parsers, see the articles ASIM parsers overview..

Unifying parsers

To use parsers that unify all ASIM out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the imAuthentication filtering parser or the ASimAuthentication parameter-less parser.

Source-specific parsers

For the list of authentication parsers Microsoft Sentinel provides refer to the ASIM parsers list:

Add your own normalized parsers

When implementing custom parsers for the Authentication information model, name your KQL functions using the following syntax:

  • vimAuthentication<vendor><Product> for filtering parsers
  • ASimAuthentication<vendor><Product> for parameter-less parsers

For information on adding your custom parsers to the unifying parser, refer to Managing ASIM parsers.

Filtering parser parameters

The im and vim* parsers support filtering parameters. While these parsers are optional, they can improve your query performance.

The following filtering parameters are available:

Name Type Description
starttime datetime Filter only authentication events that ran at or after this time.
endtime datetime Filter only authentication events that finished running at or before this time.
targetusername_has string Filter only authentication events that have any of the listed user names.

For example, to filter only authentication events from the last day to a specific user, use:

imAuthentication (targetusername_has = 'johndoe', starttime = ago(1d), endtime=now())

Tip

To pass a literal list to parameters that expect a dynamic value, explicitly use a dynamic literal. For example: dynamic(['192.168.','10.']).

Normalized content

Normalized authentication analytic rules are unique as they detect attacks across sources. So, for example, if a user logged in to different, unrelated systems, from different countries/regions, Microsoft Sentinel will now detect this threat.

For a full list of analytics rules that use normalized Authentication events, see Authentication schema security content.

Schema overview

The Authentication information model is aligned with the OSSEM logon entity schema.

The fields listed in the table below are specific to Authentication events, but are similar to fields in other schemas and follow similar naming conventions.

Authentication events reference the following entities:

  • TargetUser - The user information used to authenticate to the system. The TargetSystem is the primary subject of the authentication event, and the alias User aliases a TargetUser identified.
  • TargetApp - The application authenticated to.
  • Target - The system on which TargetApp* is running.
  • Actor - The user initiating the authentication, if different than TargetUser.
  • ActingApp - The application used by the Actor to perform the authentication.
  • Src - The system used by the Actor to initiate the authentication.

The relationship between these entities is best demonstrated as follows:

An Actor, running an acting Application, ActingApp, on a source system, Src, attempts to authenticate as a TargetUser to a target application, TargetApp, on a target system, TargetDvc.

Schema details

In the following tables, Type refers to a logical type. For more information, see Logical types.

Common ASIM fields

Important

Fields common to all schemas are described in detail in the ASIM Common Fields article.

Common fields with specific guidelines

The following list mentions fields that have specific guidelines for authentication events:

Field Class Type Description
EventType Mandatory Enumerated Describes the operation reported by the record.

For Authentication records, supported values include:
- Logon
- Logoff
- Elevate
EventResultDetails Recommended String The details associated with the event result. This field is typically populated when the result is a failure.

Allowed values include:
- No such user or password. This value should be used also when the original event reports that there is no such user, without reference to a password.
- No such user
- Incorrect password
- Incorrect key
- Account expired
- Password expired
- User locked
- User disabled
- Logon violates policy. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.
- Session expired
- Other

The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalResultDetails
EventSubType Optional String The sign-in type. Allowed values include:
- System
- Interactive
- RemoteInteractive
- Service
- RemoteService
- Remote - Use when the type of remote sign-in is unknown.
- AssumeRole - Typically used when the event type is Elevate.

The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalSubType.
EventSchemaVersion Mandatory String The version of the schema. The version of the schema documented here is 0.1.3
EventSchema Mandatory String The name of the schema documented here is Authentication.
Dvc fields - - For authentication events, device fields refer to the system reporting the event.

All common fields

Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the ASIM Common Fields article.

Class Fields
Mandatory - EventCount
- EventStartTime
- EventEndTime
- EventType
- EventResult
- EventProduct
- EventVendor
- EventSchema
- EventSchemaVersion
- Dvc
Recommended - EventResultDetails
- EventSeverity
- EventUid
- DvcIpAddr
- DvcHostname
- DvcDomain
- DvcDomainType
- DvcFQDN
- DvcId
- DvcIdType
- DvcAction
Optional - EventMessage
- EventSubType
- EventOriginalUid
- EventOriginalType
- EventOriginalSubType
- EventOriginalResultDetails
- EventOriginalSeverity
- EventProductVersion
- EventReportUrl
- EventOwner
- DvcZone
- DvcMacAddr
- DvcOs
- DvcOsVersion
- DvcOriginalAction
- DvcInterface
- AdditionalFields
- DvcDescription
- DvcScopeId
- DvcScope

Authentication-specific fields

Field Class Type Description
LogonMethod Optional String The method used to perform authentication.

Examples: Username & Password, PKI
LogonProtocol Optional String The protocol used to perform authentication.

Example: NTLM

Actor fields

Field Class Type Description
ActorUserId Optional String A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for additional IDs, see The User entity.

Example: S-1-12-1-4141952679-1282074057-627758481-2916039507
ActorScope Optional String The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.
ActorScopeId Optional String The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.
ActorUserIdType Conditional UserIdType The type of the ID stored in the ActorUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.
ActorUsername Optional Username The Actor’s username, including domain information when available. For more information, see The User entity.

Example: AlbertE
ActorUsernameType Conditional UsernameType Specifies the type of the user name stored in the ActorUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article.

Example: Windows
ActorUserType Optional UserType The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article.

For example: Guest
ActorOriginalUserType Optional UserType The user type as reported by the reporting device.
ActorSessionId Optional String The unique ID of the sign-in session of the Actor.

Example: 102pTUgC3p8RIqHvzxLCHnFlg

Acting Application fields

Field Class Type Description
ActingAppId Optional String The ID of the application authorizing on behalf of the actor, including a process, browser, or service.

For example: 0x12ae8
ActingAppName Optional String The name of the application authorizing on behalf of the actor, including a process, browser, or service.

For example: C:\Windows\System32\svchost.exe
ActingAppType Optional AppType The type of acting application. For more information, and allowed list of values, see AppType in the Schema Overview article.
HttpUserAgent Optional String When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication.

For example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

Target user fields

Field Class Type Description
TargetUserId Optional UserId A machine-readable, alphanumeric, unique representation of the target user. For more information, and for alternative fields for additional IDs, see The User entity.

Example: 00urjk4znu3BcncfY0h7
TargetUserScope Optional String The scope, such as Microsoft Entra tenant, in which TargetUserId and TargetUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.
TargetUserScopeId Optional String The scope ID, such as Microsoft Entra Directory ID, in which TargetUserId and TargetUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.
TargetUserIdType Conditional UserIdType The type of the user ID stored in the TargetUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.

Example: SID
TargetUsername Optional Username The target user username, including domain information when available. For more information, see The User entity.

Example: MarieC
TargetUsernameType Conditional UsernameType Specifies the type of the username stored in the TargetUsername field. For more information and list of allowed values, see UsernameType in the Schema Overview article.
TargetUserType Optional UserType The type of the Target user. For more information, and list of allowed values, see UserType in the Schema Overview article.

For example: Member
TargetSessionId Optional String The sign-in session identifier of the TargetUser on the source device.
TargetOriginalUserType Optional UserType The user type as reported by the reporting device.
User Alias Username Alias to the TargetUsername or to the TargetUserId if TargetUsername is not defined.

Example: CONTOSO\dadmin

Source system fields

Field Class Type Description
Src Recommended String A unique identifier of the source device.

This field may alias the SrcDvcId, SrcHostname, or SrcIpAddr fields.

Example: 192.168.12.1
SrcDvcId Optional String The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc<DvcIdType>.

Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3
SrcDvcScopeId Optional String The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure.
SrcDvcScope Optional String The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure.
SrcDvcIdType Conditional DvcIdType The type of SrcDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article.

Note: This field is required if SrcDvcId is used.
SrcDeviceType Optional DeviceType The type of the source device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article.
SrcHostname Recommended Hostname The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.

Example: DESKTOP-1282V4D
SrcDomain Recommended String The domain of the source device.

Example: Contoso
SrcDomainType Conditional DomainType The type of SrcDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article.

Required if SrcDomain is used.
SrcFQDN Optional String The source device hostname, including domain information when available.

Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used.

Example: Contoso\DESKTOP-1282V4D
SrcDescription Optional String A descriptive text associated with the device. For example: Primary Domain Controller.
SrcIpAddr Optional IP Address The IP address of the source device.

Example: 2.2.2.2
SrcPortNumber Optional Integer The IP port from which the connection originated.

Example: 2335
SrcDvcOs Optional String The OS of the source device.

Example: Windows 10
IpAddr Alias Alias to SrcIpAddr
SrcIsp Optional String The Internet Service Provider (ISP) used by the source device to connect to the internet.

Example: corpconnect
SrcGeoCountry Optional Country Example: Canada

For more information, see Logical types.
SrcGeoCity Optional City Example: Montreal

For more information, see Logical types.
SrcGeoRegion Optional Region Example: Quebec

For more information, see Logical types.
SrcGeoLongtitude Optional Longitude Example: -73.614830

For more information, see Logical types.
SrcGeoLatitude Optional Latitude Example: 45.505918

For more information, see Logical types.
SrcRiskLevel Optional Integer The risk level associated with the source. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.

Example: 90
SrcOriginalRiskLevel Optional Integer The risk level associated with the source, as reported by the reporting device.

Example: Suspicious

Target application fields

Field Class Type Description
TargetAppId Optional String The ID of the application to which the authorization is required, often assigned by the reporting device.

Example: 89162
TargetAppName Optional String The name of the application to which the authorization is required, including a service, a URL, or a SaaS application.

Example: Saleforce
TargetAppType Optional AppType The type of the application authorizing on behalf of the Actor. For more information, and allowed list of values, see AppType in the Schema Overview article.
TargetUrl Optional URL The URL associated with the target application.
LogonTarget Alias Alias to either TargetAppName, TargetUrl, or TargetHostname, whichever field best describes the authentication target.

Target system fields

Field Class Type Description
Dst Alias String A unique identifier of the authentication target.

This field may alias the TargerDvcId, TargetHostname, TargetIpAddr, TargetAppId, or TargetAppName fields.

Example: 192.168.12.1
TargetHostname Recommended Hostname The target device hostname, excluding domain information.

Example: DESKTOP-1282V4D
TargetDomain Recommended String The domain of the target device.

Example: Contoso
TargetDomainType Conditional Enumerated The type of TargetDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article.

Required if TargetDomain is used.
TargetFQDN Optional String The target device hostname, including domain information when available.

Example: Contoso\DESKTOP-1282V4D

Note: This field supports both traditional FQDN format and Windows domain\hostname format. The TargetDomainType reflects the format used.
TargetDescription Optional String A descriptive text associated with the device. For example: Primary Domain Controller.
TargetDvcId Optional String The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields TargetDvc<DvcIdType>.

Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3
TargetDvcScopeId Optional String The cloud platform scope ID the device belongs to. TargetDvcScopeId map to a subscription ID on Azure.
TargerDvcScope Optional String The cloud platform scope the device belongs to. TargetDvcScope map to a subscription ID on Azure.
TargetDvcIdType Conditional Enumerated The type of TargetDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article.

Required if TargetDeviceId is used.
TargetDeviceType Optional Enumerated The type of the target device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article.
TargetIpAddr Optional IP Address The IP address of the target device.

Example: 2.2.2.2
TargetDvcOs Optional String The OS of the target device.

Example: Windows 10
TargetPortNumber Optional Integer The port of the target device.
TargetGeoCountry Optional Country The country associated with the target IP address.
TargetGeoRegion Optional Region The region associated with the target IP address.
TargetGeoCity Optional City The city associated with the target IP address.
TargetGeoLatitude Optional Latitude The latitude of the geographical coordinate associated with the target IP address.

Example: 44.475833
TargetGeoLongitude Optional Longitude The longitude of the geographical coordinate associated with the target IP address.

Example: 73.211944
TargetRiskLevel Optional Integer The risk level associated with the target. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.

Example: 90
TargetOriginalRiskLevel Optional Integer The risk level associated with the target, as reported by the reporting device.

Example: Suspicious

Inspection fields

The following fields are used to represent that inspection performed by a security system.

Field Class Type Description
RuleName Optional String The name or ID of the rule by associated with the inspection results.
RuleNumber Optional Integer The number of the rule associated with the inspection results.
Rule Alias String Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.
ThreatId Optional String The ID of the threat or malware identified in the audit activity.
ThreatName Optional String The name of the threat or malware identified in the audit activity.
ThreatCategory Optional String The category of the threat or malware identified in audit file activity.
ThreatRiskLevel Optional Integer The risk level associated with the identified threat. The level should be a number between 0 and 100.

Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.
ThreatOriginalRiskLevel Optional String The risk level as reported by the reporting device.
ThreatConfidence Optional Integer The confidence level of the threat identified, normalized to a value between 0 and a 100.
ThreatOriginalConfidence Optional String The original confidence level of the threat identified, as reported by the reporting device.
ThreatIsActive Optional Boolean True if the threat identified is considered an active threat.
ThreatFirstReportedTime Optional datetime The first time the IP address or domain were identified as a threat.
ThreatLastReportedTime Optional datetime The last time the IP address or domain were identified as a threat.
ThreatIpAddr Optional IP Address An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.
ThreatField Optional Enumerated The field for which a threat was identified. The value is either SrcIpAddr or TargetIpAddr.

Schema updates

These are the changes in version 0.1.1 of the schema:

  • Updated user and device entity fields to align with other schemas.
  • Renamed TargetDvc and SrcDvc to Target and Src respectively to align with current ASIM guidelines. The renamed fields will be implemented as aliases until July 1st 2022. Those fields include: SrcDvcHostname, SrcDvcHostnameType, SrcDvcType, SrcDvcIpAddr, TargetDvcHostname, TargetDvcHostnameType, TargetDvcType, TargetDvcIpAddr, and TargetDvc.
  • Added the aliases Src and Dst.
  • Added the fields SrcDvcIdType, SrcDeviceType, TargetDvcIdType, and TargetDeviceType, and EventSchema.

These are the changes in version 0.1.2 of the schema:

  • Added the fields ActorScope, TargetUserScope, SrcDvcScopeId, SrcDvcScope, TargetDvcScopeId, TargetDvcScope, DvcScopeId, and DvcScope.

These are the changes in version 0.1.3 of the schema:

  • Added the fields SrcPortNumber, ActorOriginalUserType, ActorScopeId, TargetOriginalUserType, TargetUserScopeId, SrcDescription, SrcRiskLevel, SrcOriginalRiskLevel, and TargetDescription.
  • Added inspection fields
  • Added target system geo-location fields.

Next steps

For more information, see: