Merge pull request #221332 from oshezaf/asim/update-audit-schema

v-dirichards · web-flow · commit d235209e78c4 · 2022-12-13T14:21:31.000-06:00
asim/update-audit-schema
diff --git a/articles/sentinel/normalization-parsers-list.md b/articles/sentinel/normalization-parsers-list.md
@@ -18,6 +18,8 @@ This document provides a list of Advanced Security Information Model (ASIM) pars
 >
 ## Authentication parsers
 
+To use ASIM authentication parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimAuthentication). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
+
 - **Windows sign-ins**
     - Collected using the Log Analytics Agent or Azure Monitor Agent.
     - Collected using either the Security Events connectors to the SecurityEvent table or using the WEF connector to the WindowsEvent table.
@@ -30,12 +32,11 @@ This document provides a list of Advanced Security Information Model (ASIM) pars
 - **AWS sign-ins**, collected using the AWS CloudTrail connector.
 - **Okta authentication**, collected using the Okta connector.
 - **PostgreSQL** sign-in logs.
- 
-Deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimAuthentication).
+
 
 ## DNS parsers
 
-Microsoft Sentinel provides the following out-of-the-box, product-specific DNS parsers:
+ASIM DNS parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:
 
 | **Source** | **Notes** | **Parser**
 | --- | --------------------------- | ---------- |
@@ -51,11 +52,12 @@ Microsoft Sentinel provides the following out-of-the-box, product-specific DNS p
 | **Zscaler ZIA** | | `_Im_Dns_ZscalerZIAVxx` |
 ||||
 
-Deploy the workspace deployed parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimDNS).
+Deploy the workspace deployed parsers version from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimDNS).
 
 ## File Activity parsers
 
-Microsoft Sentinel provides the following out-of-the-box, product-specific File Activity parsers:
+To use ASIM File Activity parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimFileEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
+
 
 - **Windows file activity**
     - Reported by **Windows (event 4663)**:
@@ -69,11 +71,10 @@ Microsoft Sentinel provides the following out-of-the-box, product-specific File
 - **Microsoft Office 365 SharePoint and OneDrive events**, collected using the Office Activity connector.
 - **Azure Storage**, including Blob, File, Queue, and Table Storage.
 
-Deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/ASimFileEvent).
-
 ## Network Session parsers
 
-Microsoft Sentinel provides the following out-of-the-box, product-specific Network Session parsers:
+ASIM Network Session parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:
+
 
 | **Source** | **Notes** | **Parser** | 
 | --- | --------------------------- | ------------------------------ | 
@@ -90,52 +91,46 @@ Microsoft Sentinel provides the following out-of-the-box, product-specific Netwo
 | **Fortigate FortiOS** | IP connection logs collected using Syslog. | `_Im_NetworkSession_FortinetFortiGateVxx` |
 | **Microsoft 365 Defender for Endpoint** | | `_Im_NetworkSession_Microsoft365DefenderVxx`|
 | **Microsoft Defender for IoT micro agent** | | `_Im_NetworkSession_MD4IoTAgentVxx` |
-| **Microsoft Defender for IoT sensor** | | `_Im_NetworkSession_MD4IoTSensorVxx` * |
+| **Microsoft Defender for IoT sensor** | | `_Im_NetworkSession_MD4IoTSensorVxx` |
 | **Palo Alto PanOS traffic logs** | Collected using CEF. | `_Im_NetworkSession_PaloAltoCEFVxx` |
 | **Sysmon for Linux**  (event 3) | Collected using the Log Analytics Agent<br> or the Azure Monitor Agent. |`_Im_NetworkSession_LinuxSysmonVxx`  |
 | **Vectra AI** | | `_Im_NetworkSession_VectraIAVxx`  |
 | **Windows Firewall logs** | Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | `_Im_NetworkSession_MicrosoftWindowsEventFirewallVxx`|
 | **Watchguard FirewareOW** | Collected using Syslog. | `_Im_NetworkSession_WatchGuardFirewareOSVxx` |
 | **Zscaler ZIA firewall logs** | Collected using CEF. | `_Im_NetworkSessionZscalerZIAVxx` |
 
-Note that the parsers marked with (*) are available for deployment from GitHub and are not yet built into workspaces.
-
-Deploy the workspace deployed parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimNetworkSession).
+Deploy the workspace deployed parsers version from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimNetworkSession).
 
 ## Process Event parsers
 
-Microsoft Sentinel provides the following built-in, product-specific Process Event parsers:
+To use ASIM Process Event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimProcessEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
 
 - **Security Events process creation (Event 4688)**, collected using the Log Analytics Agent or Azure Monitor Agent
 - **Security Events process termination (Event 4689)**, collected using the Log Analytics Agent or Azure Monitor Agent
 - **Sysmon process creation (Event 1)**, collected using the Log Analytics Agent or Azure Monitor Agent
 - **Sysmon process termination (Event 5)**, collected using the Log Analytics Agent or Azure Monitor Agent
 - **Microsoft 365 Defender for Endpoint process creation**
 
-Deploy Process Event parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimProcessEvent).
-
 ## Registry Event parsers
 
-Microsoft Sentinel provides the following built-in, product-specific Registry Event parsers:
+To use ASIM Registry Event parsers, deploy the parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimRegistryEvent). Microsoft Sentinel provides the following parsers in the packages deployed from GitHub:
 
-- **Security Events registry update (Event 4657**), collected using the Log Analytics Agent or Azure Monitor Agent
+- **Security Events registry update (Events 4657 and 4663)**, collected using the Log Analytics Agent or Azure Monitor Agent
 - **Sysmon registry monitoring events (Events 12, 13, and 14)**, collected using the Log Analytics Agent or Azure Monitor Agent
 - **Microsoft 365 Defender for Endpoint registry events**
 
-Deploy Registry Event parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/AsimRegistryEvent).
-
 ## Web Session parsers
 
-Microsoft Sentinel provides the following out-of-the-box, product-specific Web Session parsers:
+ASIM Web Session parsers are available in every workspace. Microsoft Sentinel provides the following out-of-the-box parsers:
+
 
 | **Source** | **Notes** | **Parser** | 
 | --- | --------------------------- | ------------------------------ | 
 | **Squid Proxy** | | `_Im_WebSession_SquidProxyVxx` |
 | **Vectra AI Streams** | | `_Im_WebSession_VectraAIVxx`  |
 | **Zscaler ZIA** | Collected using CEF | `_Im_WebSessionZscalerZIAVxx` |
 
-
-These parsers can be deployed from the [Microsoft Sentinel GitHub repository](https://aka.ms/DeployASIM).
+Deploy the workspace deployed parsers version from the [Microsoft Sentinel GitHub repository](https://aka.ms/DeployASIM).
 
 ## <a name="next-steps"></a>Next steps
 
diff --git a/articles/sentinel/normalization-schema-audit.md b/articles/sentinel/normalization-schema-audit.md
@@ -10,7 +10,7 @@ ms.author: ofshezaf
 
 # The Advanced Security Information Model (ASIM) Audit Events normalization schema reference (Public preview)
 
-The Microsoft Sentinel Audit events normalization schema represents events associated with the audit trail of information systems. The audit trail logs system configuration and policy changes. Such changes are often performed by system administrators, but can also be performed by users when configuring the settings of their own applications.
+The Microsoft Sentinel Audit events normalization schema represents events associated with the audit trail of information systems. The audit trail logs system configuration activities and policy changes. Such changes are often performed by system administrators, but can also be performed by users when configuring the settings of their own applications.
 
 Every system logs audit events alongside its core activity logs. For example, a Firewall will log events about the network sessions is processes, as well as audit events about configuration changes applied to the Firewall itself.
 
@@ -27,7 +27,7 @@ For more information about normalization in Microsoft Sentinel, see [Normalizati
 The main fields of an audit event are:
 - The object, typically a configuration atom or policy rule that the event focuses on, represented by the field [Object](#object).
 - The application context of the object, represented by the field [TargetAppName](#targetappname), which is aliased by [Application](#application).
-- The operation performed on the object,represented by the field [EventType](#eventtype).
+- The operation performed on the object, represented by the fields [EventType](#eventtype) and [EventOriginalType](#eventoriginaltype).
 - The old and new values for the object, if applicable, represented by [OldValue](#oldvalue) and [NewValue](#newvalue) respectively.
 
 Audit events also reference the following entities which are involved in the configuration operation:
@@ -55,7 +55,9 @@ The following list mentions fields that have specific guidelines for Audit Event
 
 | Field               | Class       | Type       |  Description        |
 |---------------------|-------------|------------|--------------------|
-| <a name="eventtype"></a> **EventType** | Mandatory | Enumerated | Describes the operation reported by the record.<br><br> For Audit Event records, the allowed values are:<br> - `Set`<br>- `Read`<br>- `Create`<br>- `Delete` |
+| <a name="eventtype"></a> **EventType** | Mandatory | Enumerated | Describes the operation reported by the record.<br><br> For Audit Event records, the allowed values are:<br> - `Set`<br>- `Read`<br>- `Create`<br>- `Delete`<br>- `Execute`<br>- `Install`<br>- `Clear`<br>- `Enable`<br>- `Disable`<br>- `Other`. <br><br>Audit events represent a large variety of operations, and the `Other` value enables mapping operations that have no corresponding `EventType`. However, the use of `Other` limit the usability of the event and should be avoided if possible.   |
+| <a name="eventsubtype"></a> **EventSubType** | Recommended | String | While [EventType](#eventtype) is an enumerated value that has to one of a limited set of options, **EventSubType** allows more specific labeling of the operation audited. |
+| <a name="eventoriginaltype"></a> **EventOriginalType** | Optional | String | The operation as reported by the reporting system. |
 | **EventSchema** | Mandatory | String | The name of the schema documented here is `AuditEvent`. |
 | **EventSchemaVersion**  | Mandatory   | String     | The version of the schema. The version of the schema documented here is `0.1`.  |
 
@@ -80,6 +82,7 @@ Fields that appear in the table below are common to all ASIM schemas. Any guidel
 | **ObjectType** | Mandatory | Enumerated | The type of [Object](#object). Allowed values are:<br>- `Configuration Atom`<br>- `Policy Rule`<br> - Other |
 | <a name="oldvalue"></a> **OldValue** | Optional | String |  The old value of [Object](#object) prior to the operation, if applicable. |
 | <a name="newvalue"></a>**NewValue** | Optional | String | The new value of [Object](#object) after the operation was performed, if applicable. |
+| <a name="value"></a>**Value** | Alias |  | Alias to [NewValue](#newvalue) |
 | **ValueType** | Optional | Enumerated | The type of the old and new values. Allowed values are<br>- Other. |
 
 ### Actor fields
