Merge pull request #191532 from oshezaf/asim/add-common-to-all-schemas

Asim/add common to all schemas

Author: hmacgregor1

articles/sentinel/TOC.yml

@@ -364,6 +364,8 @@
     items:
       - name: ASIM content
         href: normalization-content.md
+      - name: ASIM Common fields
+        href: normalization-common-fields.md 
       - name: ASIM schemas
         items:
         - name: ASIM authentication schema

articles/sentinel/authentication-normalization-schema.md

@@ -1,14 +1,13 @@
 ---
-title: Microsoft Sentinel Authentication normalization schema reference | Microsoft Docs
+title: The Advanced Security Information Model (ASIM) Authentication normalization schema reference (Public preview) | Microsoft Docs
 description: This article describes the Microsoft Sentinel Authentication normalization schema.
-author: batamig
+author: oshezaf
 ms.topic: reference
 ms.date: 11/09/2021
-ms.author: bagol
-ms.custom: ignite-fall-2021
+ms.author: ofshezaf
 ---
 
-# Microsoft Sentinel Authentication normalization schema reference (Public preview)
+# The Advanced Security Information Model (ASIM) Authentication normalization schema reference (Public preview)
 
 [!INCLUDE [Banner for top of topics](./includes/banner.md)]
 
@@ -104,22 +103,41 @@ An **Actor**, running an acting Application, **ActingApp**, on a source system,
 
 In the following tables, *Type* refers to a logical type. For more information, see [Logical types](normalization-about-schemas.md#logical-types).
 
-### Common fields
+### Common ASIM fields
 
 > [!IMPORTANT]
-> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for user management events.
+> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article.
 >
 
+#### Common fields with specific guidelines
+
+The following list mentions fields that have specific guidelines for authentication events:
+
 | Field               | Class       | Type       |  Description        |
 |---------------------|-------------|------------|--------------------|
 | **EventType**           | Mandatory   | Enumerated |    Describes the operation reported by the record. <br><br>For Authentication records, supported values include: <br>- `Logon` <br>- `Logoff`|
-| <a name ="eventresultdetails"></a>**EventResultDetails**         | Optional   | String |  One of the following values: <br><br>-	`No such user or password`. This value should be used also when the original event reports that there is no such user, without reference to a password. <br>-	`Incorrect password`<br>-	`Account expired`<br>-	`Password expired`<br>-	`User locked`<br>-	`User disabled`<br>-	`Logon violates policy`. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.<br>-	`Session expired`<br>-	`Other`<br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field [EventOriginalResultDetails](normalization-about-schemas.md#eventoriginalresultdetails)|
-| **EventSubType**    | Optional    | String     |   The sign-in type. Allowed values include: `System`, `Interactive`, `Service`, `RemoteInteractive`, `RemoteService`, `AssumeRole`. <br><br>Example: `Interactive`. Store the original value in [EventOriginalSubType](normalization-about-schemas.md#eventoriginalsubtype). |
+| <a name ="eventresultdetails"></a>**EventResultDetails**         | Optional   | String |  One of the following values: <br><br>-	`No such user or password`. This value should be used also when the original event reports that there is no such user, without reference to a password. <br>-	`Incorrect password`<br>-	`Account expired`<br>-	`Password expired`<br>-	`User locked`<br>-	`User disabled`<br>-	`Logon violates policy`. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.<br>-	`Session expired`<br>-	`Other`<br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)|
+| **EventSubType**    | Optional    | String     |   The sign-in type. Allowed values include: `System`, `Interactive`, `Service`, `RemoteInteractive`, `RemoteService`, `AssumeRole`. <br><br>Example: `Interactive`. Store the original value in [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype). |
 | **EventSchemaVersion**  | Mandatory   | String     |    The version of the schema. The version of the schema documented here is `0.1.1`         |
-| **EventSchema** | Mandatory | String | The name of the schema documented here is **Authentication**. |
+| **EventSchema** | Optional | String | The name of the schema documented here is **Authentication**. |
 | **Dvc** fields| -      | -    | For authentication events, device fields refer to the system reporting the event. |
 | | | | |
 
+> [!IMPORTANT]
+> The `EventSchema` field is currently optional but will become Mandatory on July 1st 2022.
+>
+
+#### All common fields
+
+Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article.
+
+| **Class** | **Fields** |
+| --------- | ---------- |
+| Mandatory | - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>|
+| Recommended | - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)|
+| Optional | - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)|
+|||
+
 
 ### Authentication-specific fields