articles/sentinel/network-normalization-schema.md
1 addition & 1 deletion
@@ -109,7 +109,7 @@ The following list mentions fields that have specific guidelines for Network Ses
109
109
|**EventResult**| Mandatory | Enumerated | If the source device does not provide an event result, **EventResult** should be based on the value of [DvcAction](#dvcaction). If [DvcAction](#dvcaction) is `Deny`, `Drop`, `Drop ICMP`, `Reset`, `Reset Source`, or `Reset Destination`<br>, **EventResult** should be `Failure`. Otherwise, **EventResult** should be `Success`. |
110
110
|**EventSchema**| Mandatory | String | The name of the schema documented here is `NetworkSession`. |
111
111
|**EventSchemaVersion**| Mandatory | String | The version of the schema. The version of the schema documented here is `0.2.3`. |
112
-
| <aname="dvcaction"></a>**DvcAction**|Optional| Enumerated | The action taken on the network session. Supported values are:<br>- `Allow`<br>- `Deny`<br>- `Drop`<br>- `Drop ICMP`<br>- `Reset`<br>- `Reset Source`<br>- `Reset Destination`<br>- `Encrypt`<br>- `Decrypt`<br>- `VPNroute`<br><br>**Note**: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction) field.<br><br>Example: `drop`|
112
+
| <aname="dvcaction"></a>**DvcAction**|Recommended| Enumerated | The action taken on the network session. Supported values are:<br>- `Allow`<br>- `Deny`<br>- `Drop`<br>- `Drop ICMP`<br>- `Reset`<br>- `Reset Source`<br>- `Reset Destination`<br>- `Encrypt`<br>- `Decrypt`<br>- `VPNroute`<br><br>**Note**: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction) field.<br><br>Example: `drop`|
113
113
|**EventSeverity**| Optional | Enumerated | If the source device does not provide an event severity, **EventSeverity** should be based on the value of [DvcAction](#dvcaction). If [DvcAction](#dvcaction) is `Deny`, `Drop`, `Drop ICMP`, `Reset`, `Reset Source`, or `Reset Destination`<br>, **EventSeverity** should be `Low`. Otherwise, **EventSeverity** should be `Informational`. |
114
114
|**DvcInterface**||| The DvcInterface field should alias either the [DvcInboundInterface](#dvcinboundinterface) or the [DvcOutboundInterface](#dvcoutboundinterface) fields. |
115
115
|**Dvc** fields||| For Network Session events, device fields refer to the system reporting the Network Session event. |
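Review bot: raising DvcAction from Optional to Recommended is a schema-level change, but the EventSchemaVersion row in this same hunk still reads `0.2.3` and nothing in the diff touches the schema updates section; either bump the version (the Web Session schema's own updates section says its version is bumped to reflect Network Session changes) or state that a requirement-level change does not warrant one. The change itself is well supported by the neighbouring rows: EventResult and EventSeverity both derive their fallback value from DvcAction, so a parser that omits DvcAction also loses those fallbacks.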
articles/sentinel/normalization-common-fields.md
1 addition & 1 deletion
@@ -75,7 +75,7 @@ The role of the device fields is different for different schemas and event types
75
75
| <aname="dvczone"></a>**DvcZone**| Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: `Dmz`|
76
76
| <aname="dvcos"></a>**DvcOs**| Optional | String | The operating system running on the device on which the event occurred or which reported the event. <br><br>Example: `Windows`|
77
77
| <aname="dvcosversion"></a>**DvcOsVersion**| Optional | String | The version of the operating system on the device on which the event occurred or which reported the event. <br><br>Example: `10`|
78
-
| <aname="dvcaction"></a>**DvcAction**|Optional| String | For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked`|
78
+
| <aname="dvcaction"></a>**DvcAction**|Recommended| String | For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked`|
79
79
| <aname="dvcoriginalaction"></a>**DvcOriginalAction**| Optional | String | The original [DvcAction](#dvcaction) as provided by the reporting device. |
80
80
| <aname="dvcinterface"></a>**DvcInterface**| Optional | String | The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device. |
81
81
| <aname="dvcsubscription"></a>**DvcSubscriptionId**| Optional | String | The cloud platform subscription ID the device belongs to. **DvcSubscriptionId** map to a subscription ID on Azure and to an account ID on AWS. |
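Review bot: Recommended matches the parallel change to DvcAction in network-normalization-schema.md, so the two documents stay consistent. Two nits in the unchanged context worth folding in while this row is edited: `**DvcSubscriptionId** map to a subscription ID` should read `maps to`, and the anchor `<a name="dvcsubscription">` does not follow the lowercase-field-name convention of the other rows (`dvczone`, `dvcos`, `dvcaction`); if it is renamed to `dvcsubscriptionid`, any existing `#dvcsubscription` links would need updating at the same time.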
articles/sentinel/web-normalization-schema.md
7 additions & 7 deletions
@@ -25,7 +25,7 @@ For more information about normalization in Microsoft Sentinel, see [Normalizati
25
25
26
26
## Schema overview
27
27
28
-
The Web Session normalization schema represents any HTTP network session, and is specifically suitable to provide support for common source types, including:
28
+
The Web Session normalization schema represents any HTTP network session, and is suitable to provide support for common source types, including:
29
29
30
30
- Web servers
31
31
- Web proxies
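Review bot: dropping "specifically" is fine, but "is suitable to provide support for common source types" could be tightened further to "supports common source types"; minor, not a blocker.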
@@ -76,9 +76,9 @@ The following filtering parameters are available:
76
76
|----------|-----------|-------------|
77
77
|**starttime**| datetime | Filter only Web sessions that **started** at or after this time. |
78
78
|**endtime**| datetime | Filter only Web sessions that **started** running at or before this time. |
79
-
|**srcipaddr_has_any_prefix**| dynamic | Filter only Web sessions for which the [source IP address field](network-normalization-schema.md#srcipaddr) prefix is in one of the listed values. Note that the list of values can include IP addresses as well as IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
79
+
|**srcipaddr_has_any_prefix**| dynamic | Filter only Web sessions for which the [source IP address field](network-normalization-schema.md#srcipaddr) prefix is in one of the listed values. The list of values can include IP addresses and IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|
80
80
|**ipaddr_has_any_prefix**| dynamic | Filter only network sessions for which the [destination IP address field](network-normalization-schema.md#dstipaddr) or [source IP address field](network-normalization-schema.md#srcipaddr) prefix is in one of the listed values. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.<br><br>The field [ASimMatchingIpAddr](normalization-common-fields.md#asimmatchingipaddr) is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields. |
81
-
|**url_has_any**| dynamic | Filter only Web sessions for which the [URL field](#url) has any of the values listed. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items.|
81
+
|**url_has_any**| dynamic | Filter only Web sessions for which the [URL field](#url) has any of the values listed. The parser may ignore the schema of the URL passed as a parameter, if the source does not report it. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items.|
82
82
|**httpuseragent_has_any**| dynamic | Filter only web sessions for which the [user agent field](#httpuseragent) has any of the values listed. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items. |
83
83
|**eventresultdetails_in**| dynamic | Filter only web sessions for which the HTTP status code, stored in the [EventResultDetails](#eventresultdetails) field, is any of the values listed. |
84
84
|**eventresult**| string | Filter only network sessions with a specific **EventResult** value. |
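Review bot: in the url_has_any row, "the schema of the URL" should be "the scheme of the URL" (the `http://` or `https://` prefix); "schema" reads as a reference to the ASIM schema and will confuse readers. The srcipaddr_has_any_prefix rewording reads cleanly.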
@@ -121,7 +121,7 @@ The following list mentions fields that have specific guidelines for Web Session
|**EventType**| Mandatory | Enumerated | Describes the operation reported by the record and should be set to `HTTPsession`. |
124
-
|**EventResult**| Mandatory | Enumerated | Describes the event result, normalized to one of the following values: <br> - `Success` <br> - `Partial` <br> - `Failure` <br> - `NA` (not applicable) <br><br>For an HTTP session, `Success` is defined as a status code lower than `400`, and `Failure` is defined as a status code higher than `400`. For a list of HTTP status codes refer to [W3 Org](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).<br><br>The source may provide only a value for the [EventResultDetails](#eventresultdetails) field, which must be analyzed to get the **EventResult** value. |
124
+
|**EventResult**| Mandatory | Enumerated | Describes the event result, normalized to one of the following values: <br> - `Success` <br> - `Partial` <br> - `Failure` <br> - `NA` (not applicable) <br><br>For an HTTP session, `Success` is defined as a status code lower than `400`, and `Failure` is defined as a status code higher than `400`. For a list of HTTP status codes, refer to [W3 Org](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).<br><br>The source may provide only a value for the [EventResultDetails](#eventresultdetails) field, which must be analyzed to get the **EventResult** value. |
125
125
| <aname="eventresultdetails"></a>**EventResultDetails**| Mandatory | String | For HTTP sessions, the value should be the HTTP status code. <br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the **EventOriginalResultDetails** field.|
126
126
|**EventSchema**| Mandatory | String | The name of the schema documented here is `WebSession`. |
127
127
|**EventSchemaVersion**| Mandatory | String | The version of the schema. The version of the schema documented here is `0.2.3`|
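Review bot: while this EventResult row is being touched, its definition leaves status code `400` itself unclassified: `Success` is "lower than `400`" and `Failure` is "higher than `400`", so 400 (Bad Request) matches neither; suggest "a status code of `400` or higher" for Failure. The linked reference is RFC 2616, while the HttpRequestMethod row later in this same file cites RFC 7231, which obsoletes it; pointing both rows at RFC 7231 would be consistent.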
@@ -150,7 +150,7 @@ The following ASIM Network Session schema fields have specific guidelines when u
Web Session events are commonly reported by intermediate devices which terminate the HTTP connection from the client and initiate a new connection, acting as a proxy, with the server. To represent the intermediate device, use the [ASIM Network Session schema](network-normalization-schema.md)[Intermediary device fields](network-normalization-schema.md#Intermediary)
153
+
Web Session events are commonly reported by intermediate devices that terminate the HTTP connection from the client and initiate a new connection, acting as a proxy, with the server. To represent the intermediate device, use the [ASIM Network Session schema](network-normalization-schema.md)[Intermediary device fields](network-normalization-schema.md#Intermediary)
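Review bot: "which" to "that" is correct here, but the sentence still ends without a period, and the two links run together with no separator: `...(network-normalization-schema.md)[Intermediary device fields](...)` renders as two adjacent links; insert a space or ", specifically the" between them.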
@@ -165,7 +165,7 @@ The following are additional fields that are specific to web sessions:
165
165
|**HttpVersion**| Optional | String | The HTTP Request Version.<br><br>Example: `2.0`|
166
166
|**HttpRequestMethod**| Recommended | Enumerated | The HTTP Method. The values are as defined in [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) and [RFC 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2), and include `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, and `PATCH`.<br><br>Example: `GET`|
167
167
|**HttpStatusCode**| Alias || The HTTP Status Code. Alias to [EventResultDetails](#eventresultdetails). |
168
-
| <aname="httpcontenttype"></a>**HttpContentType**| Optional | String | The HTTP Response content type header. <br><br>**Note**: The **HttpContentType** field may include both the content format and additional parameters, such as the encoding used to get the actual format.<br><br> Example: `text/html; charset=ISO-8859-4`|
168
+
| <aname="httpcontenttype"></a>**HttpContentType**| Optional | String | The HTTP Response content type header. <br><br>**Note**: The **HttpContentType** field may include both the content format and extra parameters, such as the encoding used to get the actual format.<br><br> Example: `text/html; charset=ISO-8859-4`|
169
169
|**HttpContentFormat**| Optional | String | The content format part of the [HttpContentType](#httpcontenttype) <br><br> Example: `text/html`|
170
170
|**HttpReferrer**| Optional | String | The HTTP referrer header.<br><br>**Note**: ASIM, in sync with OSSEM, uses the correct spelling for *referrer*, and not the original HTTP header spelling.<br><br>Example: `https://developer.mozilla.org/docs`|
171
171
| <aname="httpuseragent"></a>**HttpUserAgent**| Optional | String | The HTTP user agent header.<br><br>Example:<br> `Mozilla/5.0` (Windows NT 10.0; WOW64)<br>`AppleWebKit/537.36` (KHTML, like Gecko)<br>`Chrome/83.0.4103.97 Safari/537.36`|
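Review bot: "extra parameters, such as the encoding used to get the actual format" is imprecise in the HttpContentType note; the `charset=ISO-8859-4` parameter in the example is the character encoding of the body, not something used to obtain the format. Suggest "such as the character set (`charset`) parameter". Unrelated but in the unchanged HttpUserAgent context line, the backticks split the example into fragments (`Mozilla/5.0` (Windows NT 10.0; WOW64) ...); wrapping the whole user agent string in one code span would render as intended.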
@@ -198,7 +198,7 @@ If the event is reported by one of the endpoints of the web session, it may incl
198
198
199
199
### Schema updates
200
200
201
-
The Web Session schema relies on the Network Session schema. Therefore, [Network Session schema updates](network-normalization-schema.md#schema-updates) apply to the Web Session schema as well. The WebSession schema version has been updated to reflect this.
201
+
The Web Session schema relies on the Network Session schema. Therefore, [Network Session schema updates](network-normalization-schema.md#schema-updates) apply to the Web Session schema as well. The WebSession schema version has been updated to reflect this dependancy.
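Review bot: "dependancy" is misspelled; it should be "dependency". Otherwise the added word clarifies what the version bump reflects.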