Merge pull request #233124 from oshezaf/asim/add-ids-to-network

Update normalization-common-fields.md

Author: PMEds28

articles/sentinel/normalization-common-fields.md

@@ -42,10 +42,10 @@ The following fields are defined by ASIM for all schemas:
 | <a name="eventsubtype"></a>**EventSubType** | Optional | Enumerated | Describes a subdivision of the operation reported in the [EventType](#eventtype) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalSubType](#eventoriginalsubtype) field. |
 | <a name="eventresult"></a>**EventResult** | Mandatory | Enumerated | One of the following values: **Success**, **Partial**, **Failure**, **NA** (Not Applicable).<br> <br>The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the [EventResultDetails](#eventresultdetails) field, which should be analyzed to derive the EventResult value.<br><br>Example: `Success`|
 | <a name="eventresultdetails"></a>**EventResultDetails** | Recommended | Enumerated | Reason or details for the result reported in the [EventResult](#eventresult) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalResultDetails](#eventoriginalresultdetails) field.<br><br>Example: `NXDOMAIN`|
-| <a name="eventuid"></a>**EventUid**    | Recommended    | String     |   The unique ID of the record, as assigned by Microsoft Sentinel. This is typically mapped to the `_ItemId` Log Analytics field. |
+| <a name="eventuid"></a>**EventUid**    | Recommended    | String     |   The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field. |
 | <a name="eventoriginaluid"></a>**EventOriginalUid**    | Optional    | String     |   A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`|
-| <a name="eventoriginaltype"></a>**EventOriginalType**   | Optional    | String     |   The original event type or ID, if provided by the source. For example, this field will be used to store the original Windows event ID. This value is used to derive [EventType](#eventtype), which should have only one of the values documented for each schema.<br><br>Example: `4624`|
-| <a name="eventoriginalsubtype"></a>**EventOriginalSubType**   | Optional    | String     |   The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive [EventSubType](#eventsubtype), which should have only one of the values documented for each schema.<br><br>Example: `2`|
+| <a name="eventoriginaltype"></a>**EventOriginalType**   | Optional    | String     |   The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive [EventType](#eventtype), which should have only one of the values documented for each schema.<br><br>Example: `4624`|
+| <a name="eventoriginalsubtype"></a>**EventOriginalSubType**   | Optional    | String     |   The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive [EventSubType](#eventsubtype), which should have only one of the values documented for each schema.<br><br>Example: `2`|
 | <a name="eventoriginalresultdetails"></a>**EventOriginalResultDetails** | Optional | String | The original result details provided by the source. This value is used to derive [EventResultDetails](#eventresultdetails), which should have only one of the values documented for each schema. |
 | <a name="eventseverity"></a>**EventSeverity** | Recommended | Enumerated | The severity of the event. Valid values are: `Informational`, `Low`, `Medium`, or `High`. | 
 | <a name="eventoriginalseverity"></a>**EventOriginalSeverity** | Optional | String | The original severity as provided by the reporting device. This value is used to derive [EventSeverity](#eventseverity). | 
@@ -59,26 +59,31 @@ The following fields are defined by ASIM for all schemas:
 
 ### Device fields
 
-The role of the device fields is different for different schemas and event types. For example, for the Network Session schema, device fields provide information about the device which generated the event, while for the Process Event schema, the device fields provide information on the device on which the process is executed. Each schema document specifies the role of the device for the schema.  
+The role of the device fields is different for different schemas and event types. For example:
+
+- For the Network Session events, device fields usually provide information about the device that generated the event
+- For the Process events, the device fields provide information on the device on that the process is executed.
+
+Each schema document specifies the role of the device for the schema.  
 
 | Field               | Class       | Type       |  Description        |
 |---------------------|-------------|------------|--------------------|
 | <a name="dvc"></a>**Dvc** | Alias       | String     | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field.            |
 | <a name ="dvcipaddr"></a>**DvcIpAddr**           | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12`    |
 | <a name ="dvchostname"></a>**DvcHostname**         | Recommended | Hostname   | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc`               |
 | <a name="dvcdomain"></a>**DvcDomain** | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` |
-| <a name="dvcdomaintype"></a>**DvcDomainType** | Conditional | Enumerated | The type of  [DvcDomain](#dvcdomain). For a list of allowed values and further information refer to [DomainType](normalization-about-schemas.md#domaintype).<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |
+| <a name="dvcdomaintype"></a>**DvcDomainType** | Conditional | Enumerated | The type of  [DvcDomain](#dvcdomain). For a list of allowed values and further information, refer to [DomainType](normalization-about-schemas.md#domaintype).<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |
 | <a name="dvcfqdn"></a>**DvcFQDN** | Optional | String | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>**Note**: This field supports both traditional FQDN format and Windows domain\hostname format. The  [DvcDomainType](#dvcdomaintype) field reflects the format used.  |
 | <a name = "dvcdescription"></a>**DvcDescription** | Optional | String | A descriptive text associated with the device. For example: `Primary Domain Controller`. |
 | <a name ="dvcid"></a>**DvcId**               | Optional    | String     | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669`   |
-| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). For a list of allowed values and further information refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId** and **DvcMDEid**, respectively.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |
+| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). For a list of allowed values and further information, refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId** and **DvcMDEid**, respectively.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |
 | <a name="dvcmacaddr"></a>**DvcMacAddr**          | Optional    | MAC        |   The MAC address of the device on which the event occurred or which reported the event.  <br><br>Example: `00:1B:44:11:3A:B7`       |
 | <a name="dvczone"></a>**DvcZone** | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: `Dmz` |
 | <a name="dvcos"></a>**DvcOs**               | Optional    | String     |         The operating system running on the device on which the event occurred or which reported the event.    <br><br>Example: `Windows`    |
 | <a name="dvcosversion"></a>**DvcOsVersion**        | Optional    | String     |   The version of the operating system on the device on which the event occurred or which reported the event. <br><br>Example: `10` |
 | <a name="dvcaction"></a>**DvcAction** | Recommended | String | For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked` |
 | <a name="dvcoriginalaction"></a>**DvcOriginalAction** | Optional | String | The original [DvcAction](#dvcaction) as provided by the reporting device. |
-| <a name="dvcinterface"></a>**DvcInterface** | Optional | String | The network interface on which data was captured. This field is  typically relevant to network related activity which is captured by an intermediate or tap device. | 
+| <a name="dvcinterface"></a>**DvcInterface** | Optional | String | The network interface on which data was captured. This field is  typically relevant to network related activity, which is captured by an intermediate or tap device. | 
 | <a name="dvcscopeid"></a>**DvcScopeId** | Optional | String | The cloud platform scope ID the device belongs to. **DvcScopeId** map to a subscription ID on Azure and to an account ID on AWS. | 
 | <a name="dvcscope"></a>**DvcScope** | Optional | String | The cloud platform scope the device belongs to. **DvcScope** map to a subscription ID on Azure and to an account ID on AWS. | 
 
@@ -92,8 +97,8 @@ The role of the device fields is different for different schemas and event types
 
 ### Schema updates
 
-- The `EventOwner` field has been added to the common fields on Dec 1st 2022, and therefore to all of the schemas.
-- The `EventUid` field has been added to the common fields on Dec 26th 2022, and therefore to all of the schemas.
+- The `EventOwner` field has been added to the common fields on Dec 1, 2022, and therefore to all of the schemas.
+- The `EventUid` field has been added to the common fields on Dec 26, 2022, and therefore to all of the schemas.
 
 ## Vendors and products
 
@@ -103,26 +108,26 @@ The currently supported list of vendors and products used in the [EventVendor](#
 
 | Vendor | Products |
 | ------ | -------- | 
-| AWS | - CloudTrail<br> - VPC | 
-| Cisco | - ASA<br> - Umbrella<br> - IOS |
-| Corelight | Zeek | 
-| Cynerio | Cynerio |
-| Dataminr | Dataminr Pulse | 
-| GCP | Cloud DNS | 
-| Infoblox | NIOS | 
-| Microsoft | - Microsoft Azure Active Directory (Azure AD)<br> - Azure<br> - Azure Firewall<br> - Azure Blob Storage<br>    - Azure File Storage<br>    - Azure NSG flows<br> - Azure Queue Storage<br>  - Azure Table Storage <br>      -  DNS Server<br> - Microsoft 365 Defender for Endpoint<br> - Microsoft Defender for IoT<br> - Security Events<br>- SharePoint<br>- OneDrive<br>- Sysmon<br> - Sysmon for Linux<br> - VMConnection<br> - Windows Firewall<br> - WireData
-| Linux | - su<br> - sudo |
-| Okta | - Okta<br> - Auth0 | 
-| OpenBSD | OpenSSH |
-| Palo Alto | - PanOS<br> - CDL |
-| PostgreSQL | PostgreSQL |
-| Squid | Squid Proxy | 
-| Vectra AI | Vectra Steam |
-| WatchGuard | Fireware |
-| Zscaler |  - ZIA DNS<br> - ZIA Firewall<br> - ZIA Proxy |
-
-
-If you are developing a parser for a vendor or a product which are not listed here, contact the [Microsoft Sentinel](mailto:[email protected]) team to allocate a new allowed vendor and product designators. 
+| `AWS` | - `CloudTrail`<br> - `VPC` | 
+| `Cisco` | - `ASA`<br> - `Umbrella`<br> - `IOS`<br> - `Meraki` |
+| `Corelight` | `Zeek` | 
+| `Cynerio` | `Cynerio` |
+| `Dataminr` | `Dataminr Pulse` | 
+| `GCP` | `Cloud DNS` | 
+| `Infoblox` | `NIOS` | 
+| `Microsoft` | - Microsoft Azure Active Directory (Azure AD)<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br>    - `Azure File Storage`<br>    - `Azure NSG flows`<br> - `Azure Queue Storage`<br>  - `Azure Table Storage` <br>      -  `DNS Server`<br> - `Microsoft 365 Defender for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br>- `SharePoint`<br>- `OneDrive`<br>- `Sysmon`<br> - `Sysmon for Linu`x<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData`
+| `Linux` | - `su`<br> - `sudo`|
+| `Okta` | - `Okta`<br> - `Auth0` | 
+| `OpenBSD` | `OpenSSH` |
+| `Palo Alto` | - `PanOS`<br> - `CDL` |
+| `PostgreSQL` | `PostgreSQL` |
+| `Squid` | `Squid Proxy`| 
+| `Vectra AI` | `Vectra Steam` |
+| `WatchGuard` | `Fireware` |
+| `Zscaler` |  - `ZIA DNS`<br> - `ZIA Firewall`<br> - `ZIA Proxy` |
+
+
+If you are developing a parser for a vendor or a product,s which are not listed here, contact the [Microsoft Sentinel](mailto:[email protected]) team to allocate a new allowed vendor and product designators. 
 
 
 ## Next steps