articles/sentinel/normalization-about-schemas.md
Lines changed: 2 additions & 2 deletions
@@ -105,7 +105,7 @@ Users are central to activities reported by events. The fields listed in this se
105
105
|-------|-------|------|-------------|
106
106
| <a name="userid"></a>**UserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the user. |
107
107
| <a name="useridtype"></a>**UserIdType** | Optional | UserIdType | The type of the ID stored in the [UserId](#userid) field. |
108
-
| **SID**, **UID**, **AADID**, **OktaId**, **AWSId** | Optional | String | Fields used to store additional user IDs, if the original event includes multiple user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid).
108
+
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store additional user IDs, if the original event includes multiple user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid).
109
109
110
110
The allowed values for a user ID type are:
111
111
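Review bot: the renamed field list on the `+` line mixes casing conventions: `UserAadId` camel-cases its acronym while `UserAWSId` keeps it upper-case; either `UserAwsId` or `UserAADId` would be consistent, so pick one style and apply it across the row. The row also still lacks the closing `|` that the `UserId` and `UserIdType` rows above it carry, so while the line is being touched it should end with `[UserId](#userid). |`. Because the hunk renames schema field names rather than only wording, anything already emitting `SID`, `UID`, `AADID`, `OktaId` or `AWSId` will no longer match the documented names; the rename is worth recording wherever the schema's version changes are tracked.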
@@ -124,7 +124,7 @@ The allowed values for a user ID type are:
124
124
|-------|-------|------|-------------|
125
125
| <a name="username"></a>**Username** | Optional | String | The source username, including domain information when available. Use the simple form only if domain information isn't available. Store the Username type in the [UsernameType](#usernametype) field. |
126
126
| <a name="usernametype"></a>**UsernameType** | Optional | UsernameType | Specifies the type of the username stored in the [Username](#username) field. |
127
-
| **UPN**, **WindowsUsername**, **DNUsername**, **SimpleUsername** | Optional | String | Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in [Username](#username). |
127
+
| **UserUPN**, **WindowsUsername**, **DNUsername**, **SimpleUsername** | Optional | String | Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in [Username](#username). |
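Review bot: the prefixing is applied inconsistently in this hunk: `UPN` becomes `UserUPN`, but `WindowsUsername`, `DNUsername` and `SimpleUsername` in the same row keep their old names, whereas the previous hunk prefixed every alternate ID field with `User`. If the intent is a uniform `User*` naming for alternate identity fields, the other three should be renamed in the same change (for example `UserWindowsUsername`); if only `UPN` is meant to change, a short clause in the row's description saying so would stop readers from reading it as an oversight.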
articles/sentinel/process-events-normalization-schema.md
Lines changed: 2 additions & 1 deletion
@@ -61,7 +61,7 @@ The following filtering parameters are available:
61
61
|**parentprocess_has_any**| dynamic | Filter only process events for which the target process name, which includes the entire process path, has any of the listed values. The length of the list is limited to 10,000 items. |
62
62
|**targetusername_has** or **actorusername_has**| string| Filter only process events for which the target username (for process create events), or actor username (for process terminate events) has any of the listed values. The length of the list is limited to 10,000 items. |
63
63
|**dvcipaddr_has_any_prefix**| dynamic | Filter only process events for which the device IP address matches any of the listed IP addresses or IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
64
-
|**dvchostname_has_any**| dynamic | Filter only process events for which the device hostname has any of the listed values. The length of the list is limited to 10,000 items. |
64
+
|**dvchostname_has_any**| dynamic | Filter only process events for which the device hostname, or device FQDN is available, has any of the listed values. The length of the list is limited to 10,000 items. |
65
65
|**eventtype**| string | Filter only process events of the specified type. |
66
66
67
67
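Review bot: the new description of `dvchostname_has_any` does not parse: "for which the device hostname, or device FQDN is available, has any of the listed values" leaves "or device FQDN is available" dangling. Suggested wording: "Filter only process events for which the device hostname, or the device FQDN when one is available, has any of the listed values." It would also help to state which of the two is compared when both are present, since a filter written against the short hostname behaves differently if the FQDN is what is matched.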
@@ -242,6 +242,7 @@ The process event schema references the following entities, which are central to
242
242
|**TargetProcessGuid**| Optional | String |A generated unique identifier (GUID) of the target process. Enables identifying the process across systems. <br><br> Example: `EF3BD0BD-2B74-60C5-AF5C-010000001E00`|
243
243
|**TargetProcessIntegrityLevel**| Optional | String | Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. <br><br> Windows defines the following integrity levels: **low**, **medium**, **high**, and **system**. Standard users receive a **medium** integrity level and elevated users receive a **high** integrity level. <br><br> For more information, see [Mandatory Integrity Control - Win32 apps](/windows/win32/secauthz/mandatory-integrity-control). |
244
244
|**TargetProcessTokenElevation**| Optional | String |Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that was created or terminated. <br><br> Example: `None`|
245
+
|**TargetProcessStatusCode**| Optional | String | The exit code returned by the target process when terminated. This field is valid only for process termination events. For consistency, the field type is string, even if value provided by the operating system is numeric. |
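Review bot: the new `TargetProcessStatusCode` row drops an article ("even if value provided" should read "even if the value provided") and, unlike the neighbouring `TargetProcessGuid` and `TargetProcessTokenElevation` rows, gives no `Example:`; adding one, for instance the string `0`, would show the string-typed numeric form the description asks for. The row says the field is valid only for process termination events but not what a parser should emit for process creation events; stating that the field is left empty in that case would remove the ambiguity.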