The Advanced Security Information Model (ASIM) Network Session normalization schema reference (Public preview)
The Microsoft Sentinel Network Session normalization schema represents an IP network activity, such as network connections and network sessions. Such events are reported, for example, by operating systems, routers, firewalls, and intrusion prevention systems.
The network normalization schema can represent any type of an IP network session but is designed to provide support for common source types, such as Netflow, firewalls, and intrusion prevention systems.
For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).
This article describes version 0.2.x of the network normalization schema. Version 0.1 was released before ASIM was available and doesn't align with ASIM in several places. For more information, see Differences between network normalization schema versions.
Important
The network normalization schema is currently in preview. This feature is provided without a service level agreement. We don't recommend it for production workloads.
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Parsers
For more information about ASIM parsers, see the ASIM parsers overview.
Unifying parsers
To use parsers that unify all ASIM out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the _Im_NetworkSession
filtering parser or the _ASim_NetworkSession
parameter-less parser.
You can also use workspace-deployed ImNetworkSession
and ASimNetworkSession
parsers by deploying them from the Microsoft Sentinel GitHub repository.
For more information, see built-in ASIM parsers and workspace-deployed parsers.
Out-of-the-box, source-specific parsers
For the list of the Network Session parsers Microsoft Sentinel provides out-of-the-box refer to the ASIM parsers list
Add your own normalized parsers
When developing custom parsers for the Network Session information model, name your KQL functions using the following syntax:
vimNetworkSession<vendor><Product>
for parametrized parsersASimNetworkSession<vendor><Product>
for regular parsers
Refer to the article Managing ASIM parsers to learn how to add your custom parsers to the network session unifying parsers.
Filtering parser parameters
The Network Session parsers support filtering parameters. While these parameters are optional, they can improve your query performance.
The following filtering parameters are available:
Name | Type | Description |
---|---|---|
starttime | datetime | Filter only network sessions that started at or after this time. |
endtime | datetime | Filter only network sessions that started running at or before this time. |
srcipaddr_has_any_prefix | dynamic | Filter only network sessions for which the source IP address field prefix is in one of the listed values. Prefixes should end with a . , for example: 10.0. . The length of the list is limited to 10,000 items. |
dstipaddr_has_any_prefix | dynamic | Filter only network sessions for which the destination IP address field prefix is in one of the listed values. Prefixes should end with a . , for example: 10.0. . The length of the list is limited to 10,000 items. |
ipaddr_has_any_prefix | dynamic | Filter only network sessions for which the destination IP address field or source IP address field prefix is in one of the listed values. Prefixes should end with a . , for example: 10.0. . The length of the list is limited to 10,000 items.The field ASimMatchingIpAddr is set with the one of the values SrcIpAddr , DstIpAddr , or Both to reflect the matching fields or fields. |
dstportnumber | Int | Filter only network sessions with the specified destination port number. |
hostname_has_any | dynamic/string | Filter only network sessions for which the destination hostname field has any of the values listed. The length of the list is limited to 10,000 items. The field ASimMatchingHostname is set with the one of the values SrcHostname , DstHostname , or Both to reflect the matching fields or fields. |
dvcaction | dynamic/string | Filter only network sessions for which the Device Action field is any of the values listed. |
eventresult | String | Filter only network sessions with a specific EventResult value. |
Some parameter can accept both list of values of type dynamic
or a single string value. To pass a literal list to parameters that expect a dynamic value, explicitly use a dynamic literal. For example: dynamic(['192.168.','10.'])
For example, to filter only network sessions for a specified list of domain names, use:
let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co"]);
_Im_NetworkSession (hostname_has_any = torProxies)
Tip
To pass a literal list to parameters that expect a dynamic value, explicitly use a dynamic literal. For example: dynamic(['192.168.','10.'])
.
Normalized content
For a full list of analytics rules that use normalized DNS events, see Network session security content.
Schema overview
The Network Session information model is aligned with the OSSEM Network entity schema.
The Network Session schema serves several types of similar but distinct scenarios, which share the same fields. Those scenarios are identified by the EventType field:
NetworkSession
- a network session reported by an intermediate device monitoring the network, such as a Firewall, a router, or a network tap.L2NetworkSession
- a network sessions for which only layer 2 information is available. Such events will include MAC addresses but not IP addresses.Flow
- an aggregated event that reports multiple similar network sessions, typically over a predefined time period, such as Netflow events.EndpointNetworkSession
- a network session reported by one of the end points of the session, including clients and servers. For such events, the schema supports theremote
andlocal
alias fields.IDS
- a network session reported as suspicious. Such an event will have some of the inspection fields populated, and may have just one IP address field populated, either the source or the destination.
Typically, a query should either select just a subset of those event types, and may need to address separately unique aspects of the use cases. For example, IDS events do not reflect the entire network volume and should not be taken into account in column based analytics.
Network session events use the descriptors Src
and Dst
to denote the roles of the devices and related users and applications involved in the session. So, for example, the source device hostname and IP address are named SrcHostname
and SrcIpAddr
. Other ASIM schemas typically use Target
instead of Dst
.
For events reported by an endpoint and for which the event type is EndpointNetworkSession
, the descriptors Local
and Remote
denote the endpoint itself and the device at the other end of the network session respectively.
The descriptor Dvc
is used for the reporting device, which is the local system for sessions reported by an endpoint, and the intermediary device or network tap for other network session events.
Schema details
Common ASIM fields
Important
Fields common to all schemas are described in detail in the ASIM Common Fields article.
Common fields with specific guidelines
The following list mentions fields that have specific guidelines for Network Session events:
Field | Class | Type | Description |
---|---|---|---|
EventCount | Mandatory | Integer | Netflow sources support aggregation, and the EventCount field should be set to the value of the Netflow FLOWS field. For other sources, the value is typically set to 1 . |
EventType | Mandatory | Enumerated | Describes the scenario reported by the record. For Network Session records, the allowed values are: - EndpointNetworkSession - NetworkSession - L2NetworkSession - IDS - Flow For more information on event types, refer to the schema overview |
EventSubType | Optional | String | Additional description of the event type, if applicable. For Network Session records, supported values include: - Start - End This is field is not relevant for Flow events. |
EventResult | Mandatory | Enumerated | If the source device does not provide an event result, EventResult should be based on the value of DvcAction. If DvcAction is Deny , Drop , Drop ICMP , Reset , Reset Source , or Reset Destination , EventResult should be Failure . Otherwise, EventResult should be Success . |
EventResultDetails | Recommended | Enumerated | Reason or details for the result reported in the EventResult field. Supported values are: - Failover - Invalid TCP - Invalid Tunnel - Maximum Retry - Reset - Routing issue - Simulation - Terminated - Timeout - Transient error - Unknown - NA. The original, source specific, value is stored in the EventOriginalResultDetails field. |
EventSchema | Mandatory | String | The name of the schema documented here is NetworkSession . |
EventSchemaVersion | Mandatory | String | The version of the schema. The version of the schema documented here is 0.2.6 . |
DvcAction | Recommended | Enumerated | The action taken on the network session. Supported values are: - Allow - Deny - Drop - Drop ICMP - Reset - Reset Source - Reset Destination - Encrypt - Decrypt - VPNroute Note: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the DvcOriginalAction field. Example: drop |
EventSeverity | Optional | Enumerated | If the source device does not provide an event severity, EventSeverity should be based on the value of DvcAction. If DvcAction is Deny , Drop , Drop ICMP , Reset , Reset Source , or Reset Destination , EventSeverity should be Low . Otherwise, EventSeverity should be Informational . |
DvcInterface | The DvcInterface field should alias either the DvcInboundInterface or the DvcOutboundInterface fields. | ||
Dvc fields | For Network Session events, device fields refer to the system reporting the Network Session event. |
All common fields
Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For more information on each field, refer to the ASIM Common Fields article.
Class | Fields |
---|---|
Mandatory | - EventCount - EventStartTime - EventEndTime - EventType - EventResult - EventProduct - EventVendor - EventSchema - EventSchemaVersion - Dvc |
Recommended | - EventResultDetails - EventSeverity - EventUid - DvcIpAddr - DvcHostname - DvcDomain - DvcDomainType - DvcFQDN - DvcId - DvcIdType - DvcAction |
Optional | - EventMessage - EventSubType - EventOriginalUid - EventOriginalType - EventOriginalSubType - EventOriginalResultDetails - EventOriginalSeverity - EventProductVersion - EventReportUrl - EventOwner - DvcZone - DvcMacAddr - DvcOs - DvcOsVersion - DvcOriginalAction - DvcInterface - AdditionalFields - DvcDescription - DvcScopeId - DvcScope |
Network session fields
Field | Class | Type | Description |
---|---|---|---|
NetworkApplicationProtocol | Optional | String | The application layer protocol used by the connection or session. The value should be in all uppercase. Example: FTP |
NetworkProtocol | Optional | Enumerated | The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP , UDP , or ICMP .Example: TCP |
NetworkProtocolVersion | Optional | Enumerated | The version of NetworkProtocol. When using it to distinguish between IP version, use the values IPv4 and IPv6 . |
NetworkDirection | Optional | Enumerated | The direction of the connection or session: - For the EventType NetworkSession , Flow or L2NetworkSession , NetworkDirection represents the direction relative to the organization or cloud environment boundary. Supported values are Inbound , Outbound , Local (to the organization), External (to the organization) or NA (Not Applicable).- For the EventType EndpointNetworkSession , NetworkDirection represents the direction relative to the endpoint. Supported values are Inbound , Outbound , Local (to the system), Listen or NA (Not Applicable). The Listen value indicates that a device has started accepting network connections but isn't actually, necessarily, connected. |
NetworkDuration | Optional | Integer | The amount of time, in milliseconds, for the completion of the network session or connection. Example: 1500 |
Duration | Alias | Alias to NetworkDuration. | |
NetworkIcmpType | Optional | String | For an ICMP message, ICMP type name associated with the numerical value, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections. Example: Destination Unreachable for NetworkIcmpCode 3 |
NetworkIcmpCode | Optional | Integer | For an ICMP message, the ICMP code number as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections. |
NetworkConnectionHistory | Optional | String | TCP flags and other potential IP header information. |
DstBytes | Recommended | Long | The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes should be the sum over all aggregated sessions. Example: 32455 |
SrcBytes | Recommended | Long | The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes should be the sum over all aggregated sessions. Example: 46536 |
NetworkBytes | Optional | Long | Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes should be the sum over all aggregated sessions. Example: 78991 |
DstPackets | Optional | Long | The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets should be the sum over all aggregated sessions. Example: 446 |
SrcPackets | Optional | Long | The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets should be the sum over all aggregated sessions. Example: 6478 |
NetworkPackets | Optional | Long | The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets should be the sum over all aggregated sessions. Example: 6924 |
NetworkSessionId | Optional | string | The session identifier as reported by the reporting device. Example: 172\_12\_53\_32\_4322\_\_123\_64\_207\_1\_80 |
SessionId | Alias | String | Alias to NetworkSessionId. |
TcpFlagsAck | Optional | Boolean | The TCP ACK Flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK and a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet. |
TcpFlagsFin | Optional | Boolean | The TCP FIN Flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender. |
TcpFlagsSyn | Optional | Boolean | The TCP SYN Flag reported. The synchronization flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set. |
TcpFlagsUrg | Optional | Boolean | The TCP URG Flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details. |
TcpFlagsPsh | Optional | Boolean | The TCP PSH Flag reported. The push flag is similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them. |
TcpFlagsRst | Optional | Boolean | The TCP RST Flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it. |
TcpFlagsEce | Optional | Boolean | The TCP ECE Flag reported. This flag is responsible for indicating if the TCP peer is ECN capable. See RFC 3168 for more details. |
TcpFlagsCwr | Optional | Boolean | The TCP CWR Flag reported. The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details. |
TcpFlagsNs | Optional | Boolean | The TCP NS Flag reported. The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See RFC 3540 for more details |
Destination system fields
Field | Class | Type | Description |
---|---|---|---|
Dst | Recommended | Alias | A unique identifier of the server receiving the DNS request. This field might alias the DstDvcId, DstHostname, or DstIpAddr fields. Example: 192.168.12.1 |
DstIpAddr | Recommended | IP address | The IP address of the connection or session destination. If the session uses network address translation, DstIpAddr is the publicly visible address, and not the original address of the source, which is stored in DstNatIpAddrExample: 2001:db8::ff00:42:8329 Note: This value is mandatory if DstHostname is specified. |
DstPortNumber | Optional | Integer | The destination IP port. Example: 443 |
DstHostname | Recommended | Hostname | The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D |
DstDomain | Recommended | String | The domain of the destination device. Example: Contoso |
DstDomainType | Conditional | Enumerated | The type of DstDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if DstDomain is used. |
DstFQDN | Optional | String | The destination device hostname, including domain information when available. Example: Contoso\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\hostname format. The DstDomainType reflects the format used. |
DstDvcId | Optional | String | The ID of the destination device. If multiple IDs are available, use the most important one, and store the others in the fields DstDvc<DvcIdType> . Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
DstDvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. DstDvcScopeId map to a subscription ID on Azure. |
DstDvcScope | Optional | String | The cloud platform scope the device belongs to. DstDvcScope map to a subscription ID on Azure. |
DstDvcIdType | Conditional | Enumerated | The type of DstDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Required if DstDeviceId is used. |
DstDeviceType | Optional | Enumerated | The type of the destination device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article. |
DstZone | Optional | String | The network zone of the destination, as defined by the reporting device. Example: Dmz |
DstInterfaceName | Optional | String | The network interface used for the connection or session by the destination device. Example: Microsoft Hyper-V Network Adapter |
DstInterfaceGuid | Optional | String | The GUID of the network interface used on the destination device. Example: 46ad544b-eaf0-47ef- 827c-266030f545a6 |
DstMacAddr | Optional | String | The MAC address of the network interface used for the connection or session by the destination device. Example: 06:10:9f:eb:8f:14 |
DstVlanId | Optional | String | The VLAN ID related to the destination device. Example: 130 |
OuterVlanId | Optional | Alias | Alias to DstVlanId. In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that DstVlanId should be used when the VLAN is characterized as outer. |
DstSubscriptionId | Optional | String | The cloud platform subscription ID the destination device belongs to. DstSubscriptionId map to a subscription ID on Azure. |
DstGeoCountry | Optional | Country | The country/region associated with the destination IP address. For more information, see Logical types. |
DstGeoRegion | Optional | Region | The region, or state, associated with the destination IP address. For more information, see Logical types. |
DstGeoCity | Optional | City | The city associated with the destination IP address. For more information, see Logical types. |
DstGeoLatitude | Optional | Latitude | The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. Example: 44.475833 |
DstGeoLongitude | Optional | Longitude | The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. Example: 73.211944 |
Destination user fields
Field | Class | Type | Description |
---|---|---|---|
DstUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the destination user. For the supported format for different ID types, refer to the User entity. Example: S-1-12 |
DstUserScope | Optional | String | The scope, such as Microsoft Entra tenant, in which DstUserId and DstUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article. |
DstUserScopeId | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which DstUserId and DstUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article. |
DstUserIdType | Conditional | UserIdType | The type of the ID stored in the DstUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article. |
DstUsername | Optional | String | The destination username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the DstUsernameType field. If other username formats are available, store them in the fields DstUsername<UsernameType> .Example: AlbertE |
User | Alias | Alias to DstUsername. | |
DstUsernameType | Conditional | UsernameType | Specifies the type of the username stored in the DstUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. Example: Windows |
DstUserType | Optional | UserType | The type of destination user. For a list of allowed values and further information, refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the DstOriginalUserType field. |
DstOriginalUserType | Optional | String | The original destination user type, if provided by the source. |
Destination application fields
Field | Class | Type | Description |
---|---|---|---|
DstAppName | Optional | String | The name of the destination application. |
DstAppId | Optional | String | The ID of the destination application, as reported by the reporting device.If DstAppType is Process , DstAppId and DstProcessId should have the same value.Example: 124 |
DstAppType | Optional | AppType | The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if DstAppName or DstAppId are used. |
DstProcessName | Optional | String | The file name of the process that terminated the network session. This name is typically considered to be the process name. Example: C:\Windows\explorer.exe |
Process | Alias | Alias to the DstProcessName Example: C:\Windows\System32\rundll32.exe |
|
DstProcessId | Optional | String | The process ID (PID) of the process that terminated the network session. Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. |
DstProcessGuid | Optional | String | A generated unique identifier (GUID) of the process that terminated the network session. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00 |
Source system fields
Field | Class | Type | Description |
---|---|---|---|
Src | Alias | A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1 |
|
SrcIpAddr | Recommended | IP address | The IP address from which the connection or session originated. This value is mandatory if SrcHostname is specified. If the session uses network address translation, SrcIpAddr is the publicly visible address, and not the original address of the source, which is stored in SrcNatIpAddrExample: 77.138.103.108 |
SrcPortNumber | Optional | Integer | The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. Example: 2335 |
SrcHostname | Recommended | Hostname | The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D |
SrcDomain | Recommended | String | The domain of the source device. Example: Contoso |
SrcDomainType | Conditional | DomainType | The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if SrcDomain is used. |
SrcFQDN | Optional | String | The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\DESKTOP-1282V4D |
SrcDvcId | Optional | String | The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc<DvcIdType> .Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3 |
SrcDvcScopeId | Optional | String | The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure. |
SrcDvcScope | Optional | String | The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure. |
SrcDvcIdType | Conditional | DvcIdType | The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used. |
SrcDeviceType | Optional | DeviceType | The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article. |
SrcZone | Optional | String | The network zone of the source, as defined by the reporting device. Example: Internet |
SrcInterfaceName | Optional | String | The network interface used for the connection or session by the source device. Example: eth01 |
SrcInterfaceGuid | Optional | String | The GUID of the network interface used on the source device. Example: 46ad544b-eaf0-47ef- 827c-266030f545a6 |
SrcMacAddr | Optional | String | The MAC address of the network interface from which the connection or session originated. Example: 06:10:9f:eb:8f:14 |
SrcVlanId | Optional | String | The VLAN ID related to the source device. Example: 130 |
InnerVlanId | Optional | Alias | Alias to SrcVlanId. In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that SrcVlanId should be used when the VLAN is characterized as inner. |
SrcSubscriptionId | Optional | String | The cloud platform subscription ID the source device belongs to. SrcSubscriptionId map to a subscription ID on Azure. |
SrcGeoCountry | Optional | Country | The country/region associated with the source IP address. |
SrcGeoRegion | Optional | Region | The region associated with the source IP address. |
SrcGeoCity | Optional | City | The city associated with the source IP address. |
SrcGeoLatitude | Optional | Latitude | The latitude of the geographical coordinate associated with the source IP address. Example: 44.475833 |
SrcGeoLongitude | Optional | Longitude | The longitude of the geographical coordinate associated with the source IP address. Example: 73.211944 |
Source user fields
Field | Class | Type | Description |
---|---|---|---|
SrcUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. For the supported format for different ID types, refer to the User entity. Example: S-1-12 |
SrcUserScope | Optional | String | The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article. |
SrcUserScopeId | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article. |
SrcUserIdType | Conditional | UserIdType | The type of the ID stored in the SrcUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article. |
SrcUsername | Optional | String | The source username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the SrcUsernameType field. If other username formats are available, store them in the fields SrcUsername<UsernameType> .Example: AlbertE |
SrcUsernameType | Conditional | UsernameType | Specifies the type of the username stored in the SrcUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. Example: Windows |
SrcUserType | Optional | UserType | The type of source user. For a list of allowed values and further information, refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the SrcOriginalUserType field. |
SrcOriginalUserType | Optional | String | The original destination user type, if provided by the reporting device. |
Source application fields
Field | Class | Type | Description |
---|---|---|---|
SrcAppName | Optional | String | The name of the source application. Example: filezilla.exe |
SrcAppId | Optional | String | The ID of the source application, as reported by the reporting device. If SrcAppType is Process , SrcAppId and SrcProcessId should have the same value.Example: 124 |
SrcAppType | Optional | AppType | The type of the source application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if SrcAppName or SrcAppId are used. |
SrcProcessName | Optional | String | The file name of the process that initiated the network session. This name is typically considered to be the process name. Example: C:\Windows\explorer.exe |
SrcProcessId | Optional | String | The process ID (PID) of the process that initiated the network session. Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. |
SrcProcessGuid | Optional | String | A generated unique identifier (GUID) of the process that initiated the network session. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00 |
Local and remote aliases
All the source and destination fields listed above, can be optionally aliased by fields with the same name and the descriptors Local
and Remote
. This is typically helpful for events reported by an endpoint and for which the event type is EndpointNetworkSession
.
For such events the descriptors Local
and Remote
denote the endpoint itself and the device at the other end of the network session respectively. For inbound connections, the local system is the destination, Local
fields are aliases to the Dst
fields, and 'Remote' fields are aliases to Src
fields. Conversely, for outbound connections, the local system is the source, Local
fields are aliases to the Src
fields, and Remote
fields are aliases to Dst
fields.
For example, for an inbound event, the field LocalIpAddr
is an alias to DstIpAddr
and the field RemoteIpAddr
is an alias to SrcIpAddr
.
Hostname and IP address aliases
Field | Class | Type | Description |
---|---|---|---|
Hostname | Alias | - If the event type is NetworkSession , Flow or L2NetworkSession , Hostname is an alias to DstHostname.- If the event type is EndpointNetworkSession , Hostname is an alias to RemoteHostname , which can alias either DstHostname or SrcHostName, depending on NetworkDirection |
|
IpAddr | Alias | - If the event type is NetworkSession , Flow or L2NetworkSession , IpAddr is an alias to SrcIpAddr.- If the event type is EndpointNetworkSession , IpAddr is an alias to LocalIpAddr , which can alias either SrcIpAddr or DstIpAddr, depending on NetworkDirection. |
Intermediary device and Network Address Translation (NAT) fields
The following fields are useful if the record includes information about an intermediary device, such as a firewall or a proxy, which relays the network session.
Intermediary systems often use address translation and therefore the original address and the address observed externally are not the same. In such cases, the primary address fields such as SrcIPAddr and DstIpAddr represent the addresses observed externally, while the NAT address fields, SrcNatIpAddr and DstNatIpAddr represent the internal address of the original device before translation.
Inspection fields
The following fields are used to represent that inspection which a security device such as a firewall, an IPS, or a web security gateway performed:
Field | Class | Type | Description |
---|---|---|---|
NetworkRuleName | Optional | String | The name or ID of the rule by which DvcAction was decided upon. Example: AnyAnyDrop |
NetworkRuleNumber | Optional | Integer | The number of the rule by which DvcAction was decided upon. Example: 23 |
Rule | Alias | String | Either the value of NetworkRuleName or the value of NetworkRuleNumber. If the value of NetworkRuleNumber is used, the type should be converted to string. |
ThreatId | Optional | String | The ID of the threat or malware identified in the network session. Example: Tr.124 |
ThreatName | Optional | String | The name of the threat or malware identified in the network session. Example: EICAR Test File |
ThreatCategory | Optional | String | The category of the threat or malware identified in the network session. Example: Trojan |
ThreatRiskLevel | Optional | Integer | The risk level associated with the session. The level should be a number between 0 and 100. Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal. |
ThreatOriginalRiskLevel | Optional | String | The risk level as reported by the reporting device. |
ThreatIpAddr | Optional | IP Address | An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. |
ThreatField | Conditional | Enumerated | The field for which a threat was identified. The value is either SrcIpAddr or DstIpAddr . |
ThreatConfidence | Optional | Integer | The confidence level of the threat identified, normalized to a value between 0 and a 100. |
ThreatOriginalConfidence | Optional | String | The original confidence level of the threat identified, as reported by the reporting device. |
ThreatIsActive | Optional | Boolean | True if the threat identified is considered an active threat. |
ThreatFirstReportedTime | Optional | datetime | The first time the IP address or domain were identified as a threat. |
ThreatLastReportedTime | Optional | datetime | The last time the IP address or domain were identified as a threat. |
Other fields
If the event is reported by one of the endpoints of the network session, it might include information about the process that initiated or terminated the session. In such cases, the ASIM Process Event schema is used to normalize this information.
Schema updates
The following are the changes in version 0.2.1 of the schema:
- Added
Src
andDst
as aliases to a leading identifier for the source and destination systems. - Added the fields
NetworkConnectionHistory
,SrcVlanId
,DstVlanId
,InnerVlanId
, andOuterVlanId
.
The following are the changes in version 0.2.2 of the schema:
- Added
Remote
andLocal
aliases. - Added the event type
EndpointNetworkSession
. - Defined
Hostname
andIpAddr
as aliases forRemoteHostname
andLocalIpAddr
respectively when the event type isEndpointNetworkSession
. - Defined
DvcInterface
as an alias toDvcInboundInterface
orDvcOutboundInterface
. - Changed the type of the following fields from Integer to Long:
SrcBytes
,DstBytes
,NetworkBytes
,SrcPackets
,DstPackets
, andNetworkPackets
. - Added the fields
NetworkProtocolVersion
,SrcSubscriptionId
, andDstSubscriptionId
. - Deprecated
DstUserDomain
andSrcUserDomain
.
The following are the changes in version 0.2.3 of the schema:
- Added the
ipaddr_has_any_prefix
filtering parameter. - The
hostname_has_any
filtering parameter now matches either source or destination hostnames. - Added the fields
ASimMatchingHostname
andASimMatchingIpAddr
.
The following are the changes in version 0.2.4 of the schema:
- Added the
TcpFlags
fields. - Updated
NetworkIcpmType
andNetworkIcmpCode
to reflect the number value for both. - Added additional inspection fields.
- The field 'ThreatRiskLevelOriginal' was renamed to
ThreatOriginalRiskLevel
to align with ASIM conventions. Existing Microsoft parsers will maintainThreatRiskLevelOriginal
until May 1st 2023. - Marked
EventResultDetails
as recommended, and specified the allowed values.
The following are the changes in version 0.2.5 of the schema:
- Added the fields
DstUserScope
,SrcUserScope
,SrcDvcScopeId
,SrcDvcScope
,DstDvcScopeId
,DstDvcScope
,DvcScopeId
, andDvcScope
.
The following are the changes in version 0.2.6 of the schema:
- Added IDS as an event type
Next steps
For more information, see: