articles/sentinel/dns-normalization-schema.md
Lines changed: 2 additions & 2 deletions
@@ -211,7 +211,7 @@ The fields listed in this section are specific to DNS events, although many are
211
211
| <aname=responsename></a>**DnsResponseName**| Optional | String | The content of the response, as included in the record.<br> <br> The DNS response data is inconsistent across reporting devices, is complex to parse, and has less value for source-agnostic analytics. Therefore the information model doesn't require parsing and normalization, and Microsoft Sentinel uses an auxiliary function to provide response information. For more information, see [Handling DNS response](#handling-dns-response).|
212
212
| <aname=responsecodename></a>**DnsResponseCodeName**| Mandatory | Enumerated | The [DNS response code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>**Note**: IANA doesn't define the case for the values, so analytics must normalize the case. If the source provides only a numerical response code and not a response code name, the parser must include a lookup table to enrich with this value. <br><br> If this record represents a request and not a response, set to **NA**. <br><br>Example: `NXDOMAIN`|
|**TransactionIdHex**| Recommended | String | The DNS unique hex transaction ID. |
214
+
|<aname="transactionidhex"></a>**TransactionIdHex**| Recommended | String | The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from [DnsSessionId](#dnssessionid), the network layer session ID, typically assigned by the reporting device. |
215
215
|**NetworkProtocol**| Optional | Enumerated | The transport protocol used by the network resolution event. The value can be **UDP** or **TCP**, and is most commonly set to **UDP** for DNS. <br><br>Example: `UDP`|
216
216
|**DnsQueryClass**| Optional | Integer | The [DNS class ID](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml).<br> <br>In practice, only the **IN** class (ID 1) is used, and therefore this field is less valuable.|
217
217
|**DnsQueryClassName**| Optional | String | The [DNS class name](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml).<br> <br>In practice, only the **IN** class (ID 1) is used, and therefore this field is less valuable.<br><br>Example: `IN`|
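Review bot: The new TransactionIdHex description says the value is "in hexadecimal format" but gives no `Example:` and does not state how the string is written (prefix, letter case, zero padding), unlike the DnsResponseCodeName and NetworkProtocol rows around it. Parsers from different sources that format the hex string differently will not match on this field, so add an example value and spell out the expected form. The word "unique" would also benefit from a scope, since the text only says the ID is assigned by the DNS client and readers may otherwise treat it as a globally unique key.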
@@ -228,7 +228,7 @@ The fields listed in this section are specific to DNS events, although many are
228
228
|**DnsFlagsRecursionDesired**| Optional | Boolean | The DNS `RD` flag indicates in a request that that client would like the server to use recursive queries. |
229
229
|**DnsFlagsTruncates**| Optional | Boolean | The DNS `TC` flag indicates that a response was truncates as it exceeded the maximum response size. |
230
230
|**DnsFlagsZ**| Optional | Boolean | The DNS `Z` flag is a deprecated DNS flag, which might be reported by older DNS systems. |
231
-
|<aname="dnssessionid"></a>**DnsSessionId**| Optional | string | The DNS session identifier as reported by the reporting device. <br><br>Example: `EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55`|
231
+
|<aname="dnssessionid"></a>**DnsSessionId**| Optional | string | The DNS session identifier as reported by the reporting device. Note that this value is different from [TransactionIdHex](#transactionidhex), the DNS query unique ID as assigned by the DNS client.<br><br>Example: `EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55`|
232
232
|**SessionId**| Alias | String | Alias to [DnsSessionId](#dnssessionid)|
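Review bot: In the changed DnsSessionId row the type column still reads `string`, while the other rows use `String` (for example the SessionId alias row directly below it); since the line is being touched anyway, capitalize it. The added sentence also restates the TransactionIdHex definition almost word for word; linking to [TransactionIdHex](#transactionidhex) and saying only that the session ID is assigned by the reporting device would keep the two descriptions from drifting apart.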