Merge pull request #224845 from oshezaf/asim/update-http-status-code-to-recommended

BCS2022 · web-flow · commit 83415890e9fb · 2023-01-24T08:25:09.000-08:00
Renamed web-schema and updated status code to recommended
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -18384,6 +18384,11 @@
             "redirect_url": "/azure/sentinel/enable-monitoring",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/sentinel/web-normalization-schema.md",
+            "redirect_url": "/azure/sentinel/normalization-schema-web",
+            "redirect_document_id": true
+        },
         {
             "source_path_from_root": "/articles/sentinel/dns-normalization-schema.md",
             "redirect_url": "/azure/sentinel/normalization-schema-dns",
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -576,7 +576,7 @@
         - name: ASIM user management schema
           href: user-management-normalization-schema.md
         - name: ASIM web session schema
-          href: web-normalization-schema.md
+          href: normalization-schema-web.md
         - name: Legacy network normalization schema
           href: normalization-schema-v1.md
   - name: Data collection references
diff --git a/articles/sentinel/normalization-about-parsers.md b/articles/sentinel/normalization-about-parsers.md
@@ -65,7 +65,7 @@ Each schema has a standard set of filtering parameters documented in the relevan
 - [Authentication](authentication-normalization-schema.md)
 - [DNS](normalization-schema-dns.md#filtering-parser-parameters)
 - [Network Session](network-normalization-schema.md#filtering-parser-parameters)
-- [Web Session](web-normalization-schema.md#filtering-parser-parameters)
+- [Web Session](normalization-schema-web.md#filtering-parser-parameters)
 
 Every schema that supports filtering parameters supports at least the `starttime` and `endtime` parameters and using them is often critical for optimizing performance.
 
diff --git a/articles/sentinel/normalization-about-schemas.md b/articles/sentinel/normalization-about-schemas.md
@@ -26,7 +26,7 @@ Schema references outline the fields that comprise each schema. ASIM currently d
 | [Process Event](process-events-normalization-schema.md) | 0.1.4 | Preview |
 | [Registry Event](registry-event-normalization-schema.md) | 0.1.2 | Preview |
 | [User Management](user-management-normalization-schema.md) | 0.1 | Preview |
-| [Web Session](web-normalization-schema.md) | 0.2.5 | Preview |
+| [Web Session](normalization-schema-web.md) | 0.2.5 | Preview |
 
 
 > [!IMPORTANT]
diff --git a/articles/sentinel/normalization-schema-web.md b/articles/sentinel/normalization-schema-web.md
@@ -41,7 +41,7 @@ The most important fields in a Web Session schema are:
 
 - [Url](#url), which reports the url that the client requested from the server.
 - The [SrcIpAddr](network-normalization-schema.md#srcipaddr) (aliased to [IpAddr](network-normalization-schema.md#ipaddr)), which represents the IP address from which the request was generated. 
-- [EventResultDetails](#eventresultdetails) field, which reports the HTTP Status Code.
+- [EventResultDetails](#eventresultdetails) field, which typically reports the HTTP Status Code.
 
 Web Session events may also include [User](network-normalization-schema.md#user) and [Process](process-events-normalization-schema.md) information for the user and process initiating the request. 
 
@@ -119,7 +119,7 @@ The following list mentions fields that have specific guidelines for Web Session
 |---------------------|-------------|------------|--------------------|
 | <a name='eventtype'></a>**EventType** | Mandatory | Enumerated | Describes the operation reported by the record. Allowed values are:<br> - `HTTPsession`: Denotes a network session used for HTTP or HTTPS, typically reported by an intermediary device, such as a proxy or a Web security gateway.<br> - `WebServerSession`: Denotes an HTTP request reported by a web server. Such an event typically has less network related information. The URL reported should not include a schema and a server name, but only the path and parameters part of the URL. <br> - `Api`: Denotes an HTTP request reported associated with an API call, typically reported by an application server. Such an event typically has less network related information. When reported by the application server, the URL reported should not include a schema and a server name, but only the path and parameters part of the URL. |
 | **EventResult** | Mandatory | Enumerated | Describes the event result, normalized to one of the following values: <br> - `Success` <br> - `Partial` <br> - `Failure` <br> - `NA` (not applicable) <br><br>For an HTTP session, `Success` is defined as a status code lower than `400`, and `Failure` is defined as a status code higher than `400`. For a list of HTTP status codes, refer to [W3 Org](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).<br><br>The source may provide only a value for the [EventResultDetails](#eventresultdetails)  field, which must be analyzed to get the  **EventResult**  value. |
-| <a name="eventresultdetails"></a>**EventResultDetails** | Mandatory | String | For HTTP sessions, the value should be the HTTP status code. <br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the **EventOriginalResultDetails** field.|
+| <a name="eventresultdetails"></a>**EventResultDetails** | Recommended | String | The HTTP status code.<br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the **EventOriginalResultDetails** field.|
 | **EventSchema** | Mandatory | String | The name of the schema documented here is `WebSession`. |
 | **EventSchemaVersion**  | Mandatory   | String     | The version of the schema. The version of the schema documented here is `0.2.6`         |
 | **Dvc** fields|        |      | For Web Session events,  device fields refer to the system reporting the Web Session event. This is typically an intermediary device for `HTTPSession` events, and the destination web or application server for `WebServerSession` and `ApiRequest` events. |
diff --git a/articles/sentinel/normalization.md b/articles/sentinel/normalization.md
@@ -70,7 +70,7 @@ ASIM currently defines the following schemas:
 - [Process Event](process-events-normalization-schema.md)
 - [Registry Event](registry-event-normalization-schema.md)
 - [User Management](user-management-normalization-schema.md)
-- [Web Session](web-normalization-schema.md)
+- [Web Session](normalization-schema-web.md)
 
 For more information, see [ASIM schemas](normalization-about-schemas.md).
 
