ASIM Schema Browser — Microsoft Sentinel

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
AlertDescription	Alias	string				EventMessage		Schema
AlertId	Alias	string				EventUid		Schema
AlertName	Recommended	string					Title or name of the alert. (e.g. Possible use of the Rubeus kerberoasting tool)	Schema
AlertOriginalStatus	Optional	string					The status of the alert as reported by the originating system.	Schema
AlertStatus	Optional	string	Enumerated Values (2) Active, Closed				Indicates the current state or progress of the alert.	Schema
AlertVerdict	Optional	string	Enumerated Values (4) True Positive, False Positive, Benign Positive, Unknown				The final determination or outcome of the alert, indicating whether the alert was confirmed as a threat, deemed suspicious, or resolved as a false positive.	Schema
AttackRemediationSteps	Recommended	string					Recommended actions or steps to mitigate or remediate the identified attack or threat. (e.g. 1. Make sure the machine is completely updated and all your software has the latest patch. 2. Contact your incident response team)	Schema
AttackTactics	Recommended	string					The attack tactics (name, ID, or both) associated with the alert. Preferred format (e.g. Persistence, Privilege Escalation)	Schema
AttackTechniques	Recommended	string					The attack techniques (name, ID, or both) associated with the alert. Preferred format (e.g. Local Groups (T1069.001), Domain Groups (T1069.002))	Schema
DetectionMethod	Optional	string	Enumerated Values (13) EDR, Behavioral Analytics, Reputation, Threat Intelligence, Intrusion Detection, Automated Investigation, Antivirus, Data Loss Prevention, User Defined Blocked List, Cloud Security Posture Management, Cloud Application Security, Scheduled Alerts, Other				Provides detailed information about the specific detection method, technology, or data source that contributed to the generation of the alert. This field offers greater insight into how the alert was detected or triggered, aiding in the understanding of the detection context and reliability.	Schema
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EmailMessageId	Optional	string					Unique identifier for the email message, associated with the alert. (e.g. Request for Invoice Access)	Schema
EmailSubject	Optional	string					Subject of the email. (e.g. j5kl6mn7-op8q-r9st-0uv1-wx2yz3ab4c)	Schema
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					Detailed information about the alert, including its context, cause, and potential impact. (e.g. Potential use of the Rubeus tool for kerberoasting, a technique used to extract service account credentials from Kerberos tickets)	Schema
EventOriginalResultDetails		string						Physical Table Only
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails		string						Physical Table Only
EventSchema	Mandatory	string	Enumerated Values (1) AlertEvent				The schema used for the event. The schema documented here is `AlertEvent`	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.1`.	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Recommended	string	Enumerated Values (4) Threat, Suspicious Activity, Anomaly, Compliance Violation				Specifies the subtype or category of the alert event, providing more granular detail within the broader event classification. This field helps distinguish the nature of the detected issue, improving incident prioritization and response strategies.	Schema
EventType	Mandatory	string	Enumerated Values (1) Alert				Type of the event.	Schema
EventUid	Mandatory	string					A machine-readable, alphanumeric string that uniquely identifies an alert within a system. (e.g. A1bC2dE3fH4iJ5kL6mN7oP8qR9s)	Schema
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
FileMD5	Optional	string					MD5 hash of the file. (e.g. j5kl6mn7op8qr9st0uv1wx2yz3ab4c)	Schema
FileName	Optional	string					Name of the file associated with the alert, without path or a location. (e.g. Notepad.exe)	Schema
FilePath	Optional	string					The full, normalized path of the target file, including the folder or location, the file name, and the extension. (e.g. C:\Windows\System32\notepad.exe)	Schema
FileSHA1	Optional	string					SHA1 hash of the file. (e.g. j5kl6mn7op8qr9st0uv1)	Schema
FileSHA256	Optional	string					SHA256 hash of the file. (e.g. a1bc2de3fh4ij5kl6mn7op8qrs2de3)	Schema
FileSize	Optional	long					Size of the file in bytes. (e.g. 123456)	Schema
Hostname	Alias					DvcHostname		Schema
IndicatorAssociation	Optional	string	Enumerated Values (2) Associated, Targeted				Specifies whether the indicator is linked to or directly impacted by the threat.	Schema
IndicatorType	Recommended	string	Enumerated Values (12) Ip, User, Process, Registry, Url, Host, Cloud Resource, Application, File, Email, Mailbox, Logon Session				The type or category of the indicator	Schema
IpAddr	Alias					DvcIpAddr		Schema
OriginalUserType	Optional	string		User			The user type as reported by the reporting device.	Schema
ProcessCommandLine	Optional	string		Process			Command line used to start the process. (e.g. "choco.exe" -v)	Schema
ProcessFileCompany	Optional	string		Process			Company that created the process image file. (e.g. Microsoft)	Schema
ProcessId	Optional	string		Process			The process ID (PID) associated with the alert. (e.g. 12345678)	Schema
ProcessName	Optional	string		Process			Name of the process. (e.g. C:\Windows\explorer.exe)	Schema
RegistryKey	Optional	string					The registry key associated with the alert, normalized to standard root key naming conventions. (e.g. HKEY_LOCAL_MACHINE\SOFTWARE\MTG)	Schema
RegistryValue	Optional	string					Registry value. (e.g. ImagePath)	Schema
RegistryValueData	Optional	string					Data of the registry value. (e.g. C:\Windows\system32;C:\Windows;)	Schema
RegistryValueType	Optional	string	Enumerated				Type of the registry value. (e.g. Reg_Expand_Sz)	Schema
Rule	Alias	string				Either of RuleName, RuleNumber	Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string	Schema
RuleDescription	Optional	string					Description of the rule associated with the alert. (e.g. This rule detects remote execution on a server using PSEXEC, which may indicate unauthorized administrative activity or lateral movement within the network)	Schema
RuleName	Optional	string					The name or ID of the rule associated with the alert. (e.g. Server PSEXEC Execution via Remote Access)	Schema
RuleNumber	Optional	int					The number of the rule associated with the alert. (e.g. 123456)	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Recommended	string	Enumerated Values (15) Malware, Ransomware, Trojan, Virus, Worm, Adware, Spyware, Rootkit, Cryptominor, Phishing, Spam, MaliciousUrl, Spoofing, Security Policy Violation, Unknown				The category of the threat or malware identified in the alert.	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatFirstReportedTime	Optional	datetime					Date and time when the threat was first reported. (e.g. 2024-09-19T10:12:10.0000000Z)	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the alert. (e.g. 1234567891011121314)	Schema
ThreatIsActive	Optional	bool	Values (2) True, False				Indicates whether the threat is currently active.	Schema
ThreatLastReportedTime	Optional	datetime					Date and time when the threat was last reported. (e.g. 2024-09-19T10:12:10.0000000Z)	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the alert. (e.g. Init.exe)	Schema
ThreatOriginalCategory	Optional	string					The category of the threat as reported by the originating system.	Schema
ThreatOriginalConfidence	Optional	string					The confidence level as reported by the originating system.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the originating system.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the threat. The level should be a number between 0 and 100. Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
Url	Optional	string					The URL string captured in the alert. (e.g. https://contoso.com/fo/?k=v&q=u#f)	Schema
User	Alias	string		User		Username		Schema
UserId	Optional	string		User			A machine-readable, alphanumeric, unique representation of the user associated with the alert. (e.g. A1bC2dE3fH4iJ5kL6mN7o)	Schema
UserIdType	Conditional	string	Enumerated Values (6) GUID, SID, Email, Username, Phone, Other	User			The type of the user ID, such as `GUID`, `SID`, or `Email`.	Schema
Username	Recommended	string	Username	User			Name of the user associated with the alert, including domain information when available. (e.g. Contoso\JSmith or john.smith@contoso.com)	Schema
UsernameType	Conditional	string	UsernameType	User			Specifies the type of the user name stored in the `Username` field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. (e.g. Windows)	Schema
UserScope	Optional	string		User			The scope, such as Microsoft Entra tenant, in which UserId and Username are defined. For more information and list of allowed values, see UserScope in the Schema Overview article. (e.g. Contoso Directory)	Schema
UserScopeId	Optional	string		User			The scope ID, such as Microsoft Entra Directory ID, in which UserId and Username are defined. (e.g. a1bc2de3-fh4i-j5kl-6mn7-op8qrs)	Schema
UserSessionId	Optional	string		User			The unique ID of the user's session associated with the alert. (e.g. a1bc2de3-fh4i-j5kl-6mn7-op8qr9st0u)	Schema
UserType	Optional	string	UserType	User			The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article. (e.g. Guest)	Schema

Mandatory Must be present Recommended Should be present Optional May be present Conditional Conditionally required Alias Computed alias Tester Only In tester but not docs Physical Table Only In table but not docs

Parser	Version	Product	Tables

ASimAlertEventMicrosoftDefenderXDR	0.2.0	Microsoft Defender XDR	AlertEvidence
ASimAlertEventSentinelOneSingularity	0.1.0	SentinelOne	SentinelOne_CL

Field	Class	Type	Logical Type	Refers To	Description	Source

AADTenantId	Mandatory	string			The Azure Active Directory tenant identifier associated with the asset or entity.	Schema
AdditionalAssetOwners	Optional	dynamic			A dynamic collection of additional owners or co-owners associated with the asset. This must be an array of strings.	Schema
AdditionalFields	Optional	dynamic			Additional information about the entity that is not captured by other fields in the schema.	Schema
AssetClassificationLastScanDateTime	Mandatory	datetime			The timestamp (UTC) of when the asset was last scanned for data classification.	Schema
AssetIsProtectedByDlp	Optional	bool			Indicates whether the asset is protected by a Data Loss Prevention (DLP) policy.	Schema
AssetOriginalDataClassificationType	Mandatory	dynamic			The original data classification type(s) assigned to the asset as reported by the source system. This must be an array of strings*.	Schema
AssetOriginalPermissions	Optional	dynamic			The original permission set assigned to the asset as reported by the source system.	Schema
AssetOriginalRiskDetails	Optional	dynamic			The full risk details for the asset as provided by the source system.	Schema
AssetOriginalRiskLevel	Optional	string			The risk level assigned to the asset as reported by the source system, before normalization.	Schema
AssetOriginalSensitivityLevel	Optional	string			The sensitivity level as reported by the source system, before normalization.	Schema
AssetOriginalType	Recommended	string			The original name of the high-level type of the asset at the source.	Schema
AssetOwnerId	Mandatory	string			A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for other IDs, see The User entity.	Schema
AssetOwnerIdType	Recommended	string			The type or format of the asset owner identifier. This is analogous to `UserIdType` in Event schemas. For more information and list of allowed values, see UserIdType in the Schema Overview article	Schema
AssetOwnerScope	Optional	string			The organizational or administrative scope to which the asset owner belongs.	Schema
AssetOwnerScopeId	Optional	string			The identifier of the scope to which the asset owner belongs.	Schema
AssetOwnerType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other		The type of the Asset Owner. For more information, and list of allowed values, see UserType in the Schema Overview article.	Schema
AssetPath	Alias	string		Either of FilePath, SitePath	The alias for either `FilePath` or `SitePath`	Schema
AssetRelatedIndicators	Optional	dynamic			A dynamic collection of threat indicators or signals related to the asset.	Schema
AssetRiskFirstReportedTime	Optional	datetime			The timestamp (UTC) of when the risk associated with the asset was first reported.	Schema
AssetRiskLastReportedTime	Optional	datetime			The timestamp (UTC) of when the risk associated with the asset was most recently reported.	Schema
AssetRiskLevel	Optional	string	Enumerated Values (6) Info, Low, Medium, High, Critical, Other		The normalized risk level assigned to the asset. The allowed values are: `Info`, `Low`, `Medium`, `High`, `Critical`, `Other`	Schema
AssetRiskName	Optional	string			The normalized name of the risk or threat associated with the asset.	Schema
AssetSensitivityLabel	Mandatory	string	Values (5) Personal, Public, General, Confidential, Highly Confidential		The sensitivity label applied to the asset. The allowed values are: `Personal`, `Public`, `General`, `Confidential`, `Highly Confidential`	Schema
AssetType	Mandatory	string	Values (2) File, Site		The high-level type of the asset. The allowed and	Schema
EntityCreatedTime	Mandatory	datetime			The timestamp (UTC) of when the entity was originally created in the source system.	Schema
EntityFeedType	Mandatory	string	Enumerated Values (2) Snapshot, Changefeed		The type or category of the data feed that provided the entity record. The allowed values are: `Snapshot` or `Changefeed`	Schema
EntityId	Mandatory	string			The unique identifier of the asset.	Schema
EntityIngestionTime	Optional	datetime			The timestamp (UTC) of when the ingestion pipeline receives the asset log.	Schema
EntityIsDeleted	Optional	bool			Indicates whether the entity has been deleted in the source system.	Schema
EntityLastAccessedTime	Optional	datetime			The timestamp (UTC) of when the entity was last accessed.	Schema
EntityLastModifiedTime	Mandatory	datetime			The timestamp (UTC) of when the entity was last modified in the source system.	Schema
EntityName	Mandatory	string			The name of the entity.	Schema
EntityNameType	Recommended	string			The type of the entity name.	Schema
EntityOriginalId	Optional	string			The unique identifier of the asset at the source if it is different from 'EntityId'.	Schema
EntityProduct	Mandatory	string			The product name associated with the source that reported the entity.	Schema
EntitySchema	Mandatory	string	Enumerated Values (1) Asset		The schema used for the entity. The schema documented here is `Asset`	Schema
EntitySchemaVersion	Mandatory	string	SchemaVersion		The version of the schema. The version of the schema documented here is `0.1.0`.	Schema
EntitySource	Mandatory	string			The data source or connector that provided the entity record.	Schema
EntitySubProduct	Mandatory	string			The sub-product or component name associated with the source that reported the entity.	Schema
EntityUpdatedTime	Mandatory	datetime			The timestamp (UTC) of when the Entity was updated or collected at the source.	Schema
EntityVendor	Mandatory	string			The vendor or provider that reported the entity.	Schema
ExternalUsersCount	Optional	int			The number of external users associated with or having access to the asset.	Schema
FileExtension	Optional	string			The file extension of the file associated with the asset, such as .exe or .pdf.	Schema
FileIsSignatureValid	Optional	bool			Indicates whether the digital signature of the file is valid.	Schema
FileMD5	Optional	string			The MD5 hash of the file associated with the asset.	Schema
FilePath	Optional	string			The full path of the file associated with the asset.	Schema
FileSHA1	Optional	string			The SHA-1 hash of the file associated with the asset.	Schema
FileSHA256	Optional	string			The SHA-256 hash of the file associated with the asset.	Schema
FileSHA512	Optional	string			The SHA-512 hash of the file associated with the asset.	Schema
FileSignatureDetails	Optional	string			Details about the digital signature of the file, such as the signer or certificate information.	Schema
FileSize	Optional	long			The size of the file in bytes.	Schema
IdentityDirectoryId	Mandatory	string			The identifier of the identity directory associated with the entity.	Schema
IdentityDirectoryName	Optional	string			The name of the identity directory, such as Azure AD, GCP, AWS, associated with the entity.	Schema
InternalUsersCount	Optional	int			The number of internal users associated with or having access to the asset.	Schema
SitePath	Optional	string			The path of the site or storage location associated with the asset.	Schema
SitePrimaryUri	Optional	string			The primary URI of the site or storage location associated with the asset.	Schema
TimeGenerated	Mandatory	datetime			The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string			The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias	string		AssetOwnerId	The	Schema

No parsers available for this schema.

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActingAppId	Optional	string		Application	Acting		The ID of the application that initiated the activity reported, including a process, browser, or service. For (e.g. 0x12ae8)	Schema
ActingAppName	Optional	string		Application	Acting		The name of the application that initiated the activity reported, including a service, a URL, or a SaaS application. For (e.g. C:\Windows\System32\svchost.exe)	Schema
ActingAppType	Optional	string	AppType	Application	Acting		The type of acting application. For more information, and allowed list of values, see AppType in the Schema Overview article.	Schema
ActingOriginalAppType	Optional	string		Application	Acting		The type of the application that initiated the activity as reported by the reporting device.	Schema
ActingProcessGuid	Optional	string		Application	Acting		A generated unique identifier (GUID) of the process used by the application. (e.g. 01234567-89AB-CDEF-0123-456789ABCDEF)	Entity Extension
ActingProcessId	Optional	string		Application	Acting		The process ID (PID) of the process the application is using. (e.g. 48610176)	Entity Extension
ActingProcessName	Optional	string		Application	Acting		The file name of the process used by the application. (e.g. C:\Windows\explorer.exe)	Entity Extension
ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorOriginalUserType	Optional	string		User	Actor		The user type as reported by the reporting device.	Schema
ActorScope	Optional	string		User	Actor		The scope, such as Microsoft Entra Domain Name, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
ActorScopeId	Optional	string		User	Actor		The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
ActorSessionId	Optional	string		User	Actor		The unique ID of the sign-in session of the Actor. (e.g. 102pTUgC3p8RIqHvzxLCHnFlg)	Schema
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAADTenant	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSAccount	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserId	Optional	string		User	Actor		A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for other IDs, see The User entity. (e.g. S-1-12-1-4141952679-1282074057-627758481-2916039507)	Schema
ActorUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Actor	ActorUserId	The type of the ID stored in the ActorUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.	Schema
ActorUsername	Recommended	string	Username	User	Actor		The Actor’s username, including domain information when available. For more information, see The User entity. (e.g. AlbertE)	Schema
ActorUsernameType	Conditional	string	UsernameType	User	Actor	ActorUsername	Specifies the type of the user name stored in the ActorUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. (e.g. Windows)	Schema
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserType	Optional	string	UserType	User	Actor		The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article. For (e.g. Guest)	Schema
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
Application	Alias			Application	Target	TargetAppName		Schema
Dst	Alias	string		Device	Target	Either of TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName	A unique identifier of the authentication target. This field may alias the TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, or TargetAppName fields. (e.g. 192.168.12.1)	Schema
DstDomain	Recommended	string		Device	Target		The domain of the device on which the event occurred, without the hostname.	Entity Extension
DstDomainType	Recommended	string	Enumerated Values (2) FQDN, Windows	Device	Target		The type of Domain	Entity Extension
DstDvcAction	Optional	string		Device	Target		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
DstDvcAwsVpcId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcAzureResourceId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcDescription	Optional	string		Device	Target		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Entity Extension
DstDvcId	Optional	string		Device	Target		The unique ID of the device. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669)	Entity Extension
DstDvcIdType	Optional	string	Enumerated	Device	Target		The type of DvcId. Typically this field also identifies the type of Scope and ScopeId. This field is required if the DvcId field is used	Entity Extension
DstDvcMD4IoTid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcMDEid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcOriginalAction	Optional	string		Device	Target		The original DvcAction as provided by the reporting device.	Entity Extension
DstDvcOs	Optional	string		Device	Target		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
DstDvcOsVersion	Optional	string		Device	Target		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
DstDvcScope	Optional	string		Device	Target		The cloud platform scope the device belongs to. Scope map to a subscription on Azure and to an account on AWS.	Entity Extension
DstDvcScopeId	Optional	string		Device	Target		The cloud platform scope ID the device belongs to. Scope map to a subscription ID on Azure and to an account ID on AWS.	Entity Extension
DstDvcVectraId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcVMConnectionId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstFQDN	Optional	string		Device	Target		The FQDN of the device including both Hostname and Domain . This field supports both traditional FQDN format and Windows domain\hostname format. The DomainType field reflects the format used.	Entity Extension
DstHostname	Recommended	string	Hostname	Device	Target		The short hostname of the device.	Entity Extension
DstInterface	Optional	string		Device	Target		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
DstIpAddr	Recommended	string	IP address	Device	Target		The IP address of the device. (e.g. 45.21.42.12)	Entity Extension
DstMacAddr	Optional	string	MAC	Device	Target		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
DstZone	Optional	string		Device	Target		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Recommended	string	Enumerated				Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. (e.g. NXDOMAIN)	Common
EventSchema	Mandatory	string	Enumerated Values (1) AuditEvent				The name of the schema documented here is `AuditEvent`	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.1.2`.	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string					Provides further details, which the normalized value in EventType does not convey.	Schema
EventType	Mandatory	string	Enumerated Values (13) Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Initialize, Start, Stop, Other				Describes the operation audited by the event using a normalized value. Use EventSubType to provide further details, which the normalized value does not convey, and Operation. to store the operation as reported by the reporting device. For Audit Event records, the allowed values are: - `Set` - `Read` - `Create` - `Delete` - `Execute` - `Install` - `Clear` - `Enable` - `Disable` - `Initialize` - `Start` - `Stop` - `Other` Audit events represent a large variety of operations, and the `Other` value enables mapping operations that have no corresponding `EventType`. However, the use of `Other` limits the usability of the event and should be avoided if possible	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
HttpUserAgent	Optional	string		Application	Acting		When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication. For (e.g. Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1)	Schema
IpAddr	Alias			Device	Src	SrcIpAddr	or to TargetIpAddr if SrcIpAddr is not provided	Schema
NewValue	Recommended	string					The new value of Object after the operation was performed, if applicable.	Schema
Object	Mandatory	string					The name of the object on which the operation identified by EventType is performed.	Schema
ObjectId	Optional	string					The ID of the object on which the operation identified by EventType is performed.	Schema
ObjectType	Conditional	string	Enumerated Values (8) Cloud Resource, Configuration Atom, Policy Rule, Event Log, Scheduled Task, Service, Directory Service Object, Other				The type of Object. Allowed values are: - `Cloud Resource` - `Configuration Atom` - `Policy Rule` - `Event Log` -`Scheduled Task` -`Service` -`Directory Service Object` -`Other`	Schema
OldValue	Optional	string					The old value of Object prior to the operation, if applicable.	Schema
Operation	Mandatory	string					The operation audited as reported by the reporting device.	Schema
OriginalObjectType	Optional	string					The type of Object as reported by the reporting system	Schema
Rule	Alias	string				Either of RuleName, RuleNumber	Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string	Schema
RuleName	Optional	string					The name or ID of the rule by associated with the inspection results.	Schema
RuleNumber	Optional	int					The number of the rule associated with the inspection results.	Schema
Src	Alias	string		Device	Src	Either of SrcDvcId, SrcHostname, SrcIpAddr	A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Schema
SrcDomain	Optional	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Src	SrcDomain	The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if SrcDomain is used.	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields `SrcDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Src	SrcDvcId	The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article.	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		The region within a country/region associated with the source IP address. (e.g. Vermont)	Schema
SrcHostname	Optional	string	Hostname	Device	Src		The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcIpAddr	Recommended	string	IP address	Device	Src		The IP address from which the connection or session originated. (e.g. 77.138.103.108)	Schema
SrcMacAddr	Optional	string	MAC	Device	Src		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
SrcOriginalRiskLevel	Optional	string		Device	Src		The risk level associated with the source, as reported by the reporting device. (e.g. Suspicious)	Schema
SrcPortNumber	Optional	int		Device	Src		The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. (e.g. 2335)	Schema
SrcRiskLevel	Optional	int		Device	Src		The risk level associated with the source. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
SrcZone	Optional	string		Device	Src		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
TargetAppId	Optional	string		Application	Target		The ID of the application to which the event applies, including a process, browser, or service. (e.g. 89162)	Schema
TargetAppName	Optional	string		Application	Target		The name of the application to which event applies, including a service, a URL, or a SaaS application. (e.g. Exchange 365)	Schema
TargetAppType	Conditional	string	AppType	Application	Target		The type of the application authorizing on behalf of the Actor. For more information, and allowed list of values, see AppType in the Schema Overview article.	Schema
TargetDescription	Optional	string		Device	Target		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
TargetDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Target		The type of the target device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetDomain	Optional	string	Domain	Device	Target		The domain of the target device. (e.g. Contoso)	Schema
TargetDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Target	TargetDomain	The type of TargetDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if TargetDomain is used.	Schema
TargetDvcAction	Optional	string		Device	Target		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
TargetDvcAwsVpcId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcAzureResourceId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcId	Optional	string		Device	Target		The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields `TargetDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
TargetDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Target		The type of TargetDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Required if TargetDeviceId is used.	Schema
TargetDvcMD4IoTid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcMDEid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcOriginalAction	Optional	string		Device	Target		The original DvcAction as provided by the reporting device.	Entity Extension
TargetDvcOs	Optional	string		Device	Target		The OS of the target device. (e.g. Windows 10)	Schema
TargetDvcOsVersion	Optional	string		Device	Target		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
TargetDvcScope	Optional	string		Device	Target		The cloud platform scope the device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
TargetDvcScopeId	Optional	string		Device	Target		The cloud platform scope ID the device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
TargetDvcVectraId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcVMConnectionId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetFQDN	Optional	string	FQDN	Device	Target		The target device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
TargetGeoCity	Optional	string	City	Device	Target		The city associated with the Target IP address. (e.g. Burlington)	Schema
TargetGeoCountry	Optional	string	Country	Device	Target		The country/region associated with the Target IP address. (e.g. USA)	Schema
TargetGeoLatitude	Optional	real	Latitude	Device	Target		The latitude of the geographical coordinate associated with the Target IP address. (e.g. 44.475833)	Schema
TargetGeoLongitude	Optional	real	Longitude	Device	Target		The longitude of the geographical coordinate associated with the Target IP address. (e.g. 73.211944)	Schema
TargetGeoRegion	Optional	string	Region	Device	Target		The region within a country/region associated with the Target IP address. (e.g. Vermont)	Schema
TargetHostname	Recommended	string	Hostname	Device	Target		The target device hostname, excluding domain information. (e.g. DESKTOP-1282V4D)	Schema
TargetInterface	Optional	string		Device	Target		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
TargetIpAddr	Recommended	string	IP Address	Device	Target		The IP address of the target device. (e.g. 2.2.2.2)	Schema
TargetMacAddr	Optional	string	MAC	Device	Target		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
TargetOriginalAppType	Optional	string		Application	Target		The type of the application to which event applies as reported by the reporting device.	Schema
TargetOriginalRiskLevel	Optional	string		Device	Target		The risk level associated with the target, as reported by the reporting device. (e.g. Suspicious)	Schema
TargetPortNumber	Optional	int		Device	Target		The port of the target device.	Schema
TargetProcessGuid	Optional	string		Application	Target		A generated unique identifier (GUID) of the process used by the application. (e.g. 01234567-89AB-CDEF-0123-456789ABCDEF)	Entity Extension
TargetProcessId	Optional	string		Application	Target		The process ID (PID) of the process the application is using. (e.g. 48610176)	Entity Extension
TargetProcessName	Optional	string		Application	Target		The file name of the process used by the application. (e.g. C:\Windows\explorer.exe)	Entity Extension
TargetRiskLevel	Optional	int		Device	Target		The risk level associated with the target. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUrl	Optional	string	URL	Application	Target		The URL associated with the target application. (e.g. https://console.aws.amazon.com/console/home?fromtb=true&hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_us-east-1_7596bc16c83d260b)	Schema
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetZone	Optional	string		Device	Target		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
ThreatCategory	Optional	string					The category of the threat or malware identified in audit file activity.	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Conditional	string	Enumerated Values (2) SrcIpAddr, TargetIpAddr				The field for which a threat was identified. The value is either `SrcIpAddr` or `TargetIpAddr`	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the audit activity.	Schema
ThreatIpAddr	Optional	string	IP Address				An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the audit activity.	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the identified threat. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias			User	Actor	ActorUsername		Schema
Value	Alias					NewValue		Schema
ValueType	Conditional	string	Enumerated Values (1) Other				The type of the old and new values. Allowed values are - Other	Schema

Parser	Version	Product	Tables	Solutions

ASimAuditEventAWSCloudTrail	0.1.0	AWS CloudTrail	AWSCloudTrail, Operation	Amazon Web Services
ASimAuditEventAzureActivity	0.3.0	Microsoft Azure	AzureActivity	Azure Activity
ASimAuditEventAzureKeyVault	0.1.0	Azure Key Vault	AZKVAuditLogs, AzureDiagnostics
ASimAuditEventBarracudaCEF	0.2.1	Barracuda WAF	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuditEventBarracudaWAF	0.2.1	Barracuda WAF	barracuda_CL
ASimAuditEventCiscoISE	0.1.0	Cisco ISE	Syslog	Syslog
ASimAuditEventCiscoMeraki	0.2.1	Cisco Meraki	meraki_CL	CiscoMeraki, CustomLogsAma
ASimAuditEventCiscoMerakiSyslog	0.2.1	Cisco Meraki	Syslog	Syslog
ASimAuditEventCrowdStrikeFalconHost	0.1.0	CrowdStrike Falcon Endpoint Protection	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuditEventIllumioSaaSCore	0.2.1	Illumio Core	Illumio_Auditable_Events_CL	IllumioSaaS
ASimAuditEventInfobloxBloxOne	0.1.0	Infoblox BloxOne	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuditEventMicrosoftEvent	0.2.1	Microsoft Windows	Event
ASimAuditEventMicrosoftExchangeAdmin365	0.2	Microsoft SharePoint	OfficeActivity
ASimAuditEventMicrosoftSecurityEvents	0.2.1	Microsoft Windows	SecurityEvent	Windows Security Events
ASimAuditEventMicrosoftWindowsEvents	0.2.1	Microsoft Windows	WindowsEvent	Windows Forwarded Events
ASimAuditEventNative	0.1.0	Native	ASimAuditEventLogs	Cisco Meraki Events via REST API, SynqlyIntegrationConnector, Workday
ASimAuditEventSentinelOne	0.1.0	SentinelOne	SentinelOne_CL
ASimAuditEventSQLSecurityAudit	0.1.0	SQLSecurityAudit Logs	AzureDiagnostics, SQLSecurityAuditEvents
ASimAuditEventVectraXDRAudit	0.1.1	Vectra	Audits_Data_CL	Vectra XDR
ASimAuditEventVMwareCarbonBlackCloud	0.2.0	VMware Carbon Black Cloud	CarbonBlackAuditLogs_CL

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActingAppId	Optional	string		Application	Acting		The ID of the application authorizing on behalf of the actor, including a process, browser, or service. For (e.g. 0x12ae8)	Schema
ActingAppName	Optional	string		Application	Acting		The name of the application authorizing on behalf of the actor, including a process, browser, or service. For (e.g. C:\Windows\System32\svchost.exe)	Schema
ActingAppType	Optional	string	AppType	Application	Acting		The type of acting application. For more information, and allowed list of values, see AppType in the Schema Overview article.	Schema
ActingOriginalAppType	Optional	string		Application	Acting		The type of the acting application as reported by the reporting device.	Schema
ActingProcessGuid	Optional	string		Application	Acting		A generated unique identifier (GUID) of the process used by the application. (e.g. 01234567-89AB-CDEF-0123-456789ABCDEF)	Entity Extension
ActingProcessId	Optional	string		Application	Acting		The process ID (PID) of the process the application is using. (e.g. 48610176)	Entity Extension
ActingProcessName	Optional	string		Application	Acting		The file name of the process used by the application. (e.g. C:\Windows\explorer.exe)	Entity Extension
ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorOriginalUserType	Optional	string		User	Actor		The user type as reported by the reporting device.	Schema
ActorScope	Optional	string		User	Actor		The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
ActorScopeId	Optional	string		User	Actor		The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
ActorSessionId	Optional	string		User	Actor		The unique ID of the sign-in session of the Actor. (e.g. 102pTUgC3p8RIqHvzxLCHnFlg)	Schema
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAADTenant	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSAccount	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserId	Optional	string		User	Actor		A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for additional IDs, see The User entity. (e.g. S-1-12-1-4141952679-1282074057-627758481-2916039507)	Schema
ActorUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Actor	ActorUserId	The type of the ID stored in the ActorUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.	Schema
ActorUsername	Optional	string	Username	User	Actor		The Actor’s username, including domain information when available. For more information, see The User entity. (e.g. AlbertE)	Schema
ActorUsernameType	Conditional	string	UsernameType	User	Actor	ActorUsername	Specifies the type of the user name stored in the ActorUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. (e.g. Windows)	Schema
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserType	Optional	string	UserType	User	Actor		The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article. For (e.g. Guest)	Schema
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
Application	Alias			Application	Target	TargetAppName		Schema
Dst	Alias	string		Device	Target	Either of TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName	A unique identifier of the authentication target. This field may alias the TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, or TargetAppName fields. (e.g. 192.168.12.1)	Schema
DstDomain	Recommended	string		Device	Target		The domain of the device on which the event occurred, without the hostname.	Entity Extension
DstDomainType	Recommended	string	Enumerated Values (2) FQDN, Windows	Device	Target		The type of Domain	Entity Extension
DstDvcAction	Optional	string		Device	Target		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
DstDvcAwsVpcId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcAzureResourceId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcDescription	Optional	string		Device	Target		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Entity Extension
DstDvcId	Optional	string		Device	Target		The unique ID of the device. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669)	Entity Extension
DstDvcIdType	Optional	string	Enumerated	Device	Target		The type of DvcId. Typically this field also identifies the type of Scope and ScopeId. This field is required if the DvcId field is used	Entity Extension
DstDvcMD4IoTid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcMDEid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcOriginalAction	Optional	string		Device	Target		The original DvcAction as provided by the reporting device.	Entity Extension
DstDvcOs	Optional	string		Device	Target		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
DstDvcOsVersion	Optional	string		Device	Target		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
DstDvcScope	Optional	string		Device	Target		The cloud platform scope the device belongs to. Scope map to a subscription on Azure and to an account on AWS.	Entity Extension
DstDvcScopeId	Optional	string		Device	Target		The cloud platform scope ID the device belongs to. Scope map to a subscription ID on Azure and to an account ID on AWS.	Entity Extension
DstDvcVectraId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcVMConnectionId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstFQDN	Optional	string		Device	Target		The FQDN of the device including both Hostname and Domain . This field supports both traditional FQDN format and Windows domain\hostname format. The DomainType field reflects the format used.	Entity Extension
DstHostname	Recommended	string	Hostname	Device	Target		The short hostname of the device.	Entity Extension
DstInterface	Optional	string		Device	Target		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
DstIpAddr	Recommended	string	IP address	Device	Target		The IP address of the device. (e.g. 45.21.42.12)	Entity Extension
DstMacAddr	Optional	string	MAC	Device	Target		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
DstZone	Optional	string		Device	Target		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Recommended	string	Enumerated Values (11) No such user or password, No such user, Incorrect password, Incorrect key, Account expired, Password expired, User locked, User disabled, Logon violates policy, Session expired, Other				The details associated with the event result. This field is typically populated when the result is a failure. Allowed values include: - `No such user or password`. This value should be used also when the original event reports that there is no such user, without reference to a password. - `No such user` - `Incorrect password` - `Incorrect key` - `Account expired` - `Password expired` - `User locked` - `User disabled` - `Logon violates policy`. This value should be used when the original event reports (e.g. MFA required, log on outside of working hours, conditional access restrictions, or too frequent attempts. - Session expired - Other The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails))	Schema
EventSchema	Mandatory	string	Enumerated Values (1) Authentication				The name of the schema documented here is Authentication	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.1.4`	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated Values (8) System, Interactive, RemoteInteractive, Service, RemoteService, Remote, AssumeRole, Elevate				The sign-in type. Allowed values include: - `System` - `Interactive` - `RemoteInteractive` - `Service` - `RemoteService` - `Remote` - Use when the type of remote sign-in is unknown. - `AssumeRole` - Typically used when the event type is `Elevate`. The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalSubType	Schema
EventType	Mandatory	string	Enumerated Values (3) Logon, Logoff, Elevate				Describes the operation reported by the record. For Authentication records	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
HttpUserAgent	Optional	string		Application	Acting		When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication. For (e.g. Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1)	Schema
IpAddr	Alias			Device	Src	SrcIpAddr		Schema
LogonMethod	Optional	string	Values (8) Managed Identity, Service Principal, Username & Password, Multi factor authentication, Passwordless, PKI, PAM, Other				The method used to perform authentication. Allowed values include: `Managed Identity`, `Service Principal`, `Username & Password`, `Multi factor authentication`, `Passwordless`, `PKI`, `PAM`, and `Other`. (e.g. Managed Identity)	Schema
LogonProtocol	Optional	string					The protocol used to perform authentication. (e.g. NTLM)	Schema
LogonTarget	Alias			Application	Target	Either of TargetAppName, TargetUrl, TargetHostname	Alias to either TargetAppName, TargetUrl, or TargetHostname, whichever field best describes the authentication target	Schema
Rule	Alias	string				Either of RuleName, RuleNumber	Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string	Schema
RuleName	Optional	string					The name or ID of the rule by associated with the inspection results.	Schema
RuleNumber	Optional	int					The number of the rule associated with the inspection results.	Schema
Src	Recommended	string		Device	Src		A unique identifier of the source device. This field may alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article.	Schema
SrcDomain	Optional	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Src	SrcDomain	The type of SrcDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article. Required if SrcDomain is used.	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields `SrcDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Src	SrcDvcId	The type of SrcDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article.	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The OS of the source device. (e.g. Windows 10)	Schema
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		(e.g. Montreal For more information, see [Logical types](normalization-about-schemas.md#logical-types))	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		(e.g. Canada For more information, see [Logical types](normalization-about-schemas.md#logical-types))	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		(e.g. 45.505918 For more information, see [Logical types](normalization-about-schemas.md#logical-types))	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		(e.g. -73.614830 For more information, see [Logical types](normalization-about-schemas.md#logical-types))	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		(e.g. Quebec For more information, see [Logical types](normalization-about-schemas.md#logical-types))	Schema
SrcHostname	Optional	string	Hostname	Device	Src		The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcIpAddr	Recommended	string	IP Address	Device	Src		The IP address of the source device. (e.g. 2.2.2.2)	Schema
SrcIsp	Optional	string		Device	Src		The Internet Service Provider (ISP) used by the source device to connect to the internet. (e.g. corpconnect)	Schema
SrcMacAddr	Optional	string	MAC	Device	Src		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
SrcOriginalRiskLevel	Optional	string		Device	Src		The risk level associated with the source, as reported by the reporting device. (e.g. Suspicious)	Schema
SrcPortNumber	Optional	int		Device	Src		The IP port from which the connection originated. (e.g. 2335)	Schema
SrcRiskLevel	Optional	int		Device	Src		The risk level associated with the source. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
SrcZone	Optional	string		Device	Src		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
TargetAppId	Optional	string		Application	Target		The ID of the application to which the authorization is required, often assigned by the reporting device. (e.g. 89162)	Schema
TargetAppName	Optional	string		Application	Target		The name of the application to which the authorization is required, including a service, a URL, or a SaaS application. (e.g. Saleforce)	Schema
TargetAppType	Conditional	string	AppType	Application	Target		The type of the application authorizing on behalf of the Actor. For more information, and allowed list of values, see AppType in the Schema Overview article.	Schema
TargetDescription	Optional	string		Device	Target		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
TargetDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Target		The type of the target device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article.	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetDomain	Recommended	string	Domain	Device	Target		The domain of the target device. (e.g. Contoso)	Schema
TargetDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Target	TargetDomain	The type of TargetDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article. Required if TargetDomain is used.	Schema
TargetDvcAction	Optional	string		Device	Target		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
TargetDvcAwsVpcId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcAzureResourceId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcId	Optional	string		Device	Target		The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields `TargetDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
TargetDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Target		The type of TargetDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Required if TargetDeviceId is used.	Schema
TargetDvcMD4IoTid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcMDEid	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcOriginalAction	Optional	string		Device	Target		The original DvcAction as provided by the reporting device.	Entity Extension
TargetDvcOs	Optional	string		Device	Target		The OS of the target device. (e.g. Windows 10)	Schema
TargetDvcOsVersion	Optional	string		Device	Target		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
TargetDvcScope	Optional	string		Device	Target		The cloud platform scope the device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
TargetDvcScopeId	Optional	string		Device	Target		The cloud platform scope ID the device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
TargetDvcVectraId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetDvcVMConnectionId	Optional	string		Device	Target		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
TargetFQDN	Optional	string	FQDN	Device	Target		The target device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
TargetGeoCity	Optional	string	City	Device	Target		The city associated with the target IP address. (e.g. Burlington)	Schema
TargetGeoCountry	Optional	string	Country	Device	Target		The country/region associated with the target IP address. (e.g. USA)	Schema
TargetGeoLatitude	Optional	real	Latitude	Device	Target		The latitude of the geographical coordinate associated with the target IP address. (e.g. 44.475833)	Schema
TargetGeoLongitude	Optional	real	Longitude	Device	Target		The longitude of the geographical coordinate associated with the target IP address. (e.g. 73.211944)	Schema
TargetGeoRegion	Optional	string	Region	Device	Target		The region associated with the target IP address. (e.g. Vermont)	Schema
TargetHostname	Recommended	string	Hostname	Device	Target		The target device hostname, excluding domain information. (e.g. DESKTOP-1282V4D)	Schema
TargetInterface	Optional	string		Device	Target		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
TargetIpAddr	Optional	string	IP Address	Device	Target		The IP address of the target device. (e.g. 2.2.2.2)	Schema
TargetMacAddr	Optional	string	MAC	Device	Target		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
TargetOriginalAppType	Optional	string		Application	Target		The type of the application authorizing on behalf of the Actor as reported by the reporting device.	Schema
TargetOriginalRiskLevel	Optional	string		Device	Target		The risk level associated with the target, as reported by the reporting device. (e.g. Suspicious)	Schema
TargetOriginalUserType	Optional	string		User	Target		The user type as reported by the reporting device.	Schema
TargetPortNumber	Optional	int		Device	Target		The port of the target device.	Schema
TargetProcessGuid	Optional	string		Application	Target		A generated unique identifier (GUID) of the process used by the application. (e.g. 01234567-89AB-CDEF-0123-456789ABCDEF)	Entity Extension
TargetProcessId	Optional	string		Application	Target		The process ID (PID) of the process the application is using. (e.g. 48610176)	Entity Extension
TargetProcessName	Optional	string		Application	Target		The file name of the process used by the application. (e.g. C:\Windows\explorer.exe)	Entity Extension
TargetRiskLevel	Optional	int		Device	Target		The risk level associated with the target. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
TargetSessionId	Optional	string		User	Target		The sign-in session identifier of the TargetUser on the source device.	Schema
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUrl	Optional	string	URL	Application	Target		The URL associated with the target application. (e.g. https://console.aws.amazon.com/console/home?fromtb=true&hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_us-east-1_7596bc16c83d260b)	Schema
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAADTenant	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSAccount	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserId	Optional	string		User	Target		A machine-readable, alphanumeric, unique representation of the target user. For more information, and for alternative fields for additional IDs, see The User entity. (e.g. 00urjk4znu3BcncfY0h7)	Schema
TargetUserIdType	Conditional	string	UserIdType	User	Target	TargetUserId	The type of the user ID stored in the TargetUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article. (e.g. SID)	Schema
TargetUsername	Optional	string	Username	User	Target		The target user username, including domain information when available. For more information, see The User entity. (e.g. MarieC)	Schema
TargetUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Target	TargetUsername	Specifies the type of the username stored in the TargetUsername field. For more information and list of allowed values, see UsernameType in the Schema Overview article.	Schema
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserScope	Optional	string		User	Target		The scope, such as Microsoft Entra tenant, in which TargetUserId and TargetUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
TargetUserScopeId	Optional	string		User	Target		The scope ID, such as Microsoft Entra Directory ID, in which TargetUserId and TargetUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserType	Optional	string	UserType	User	Target		The type of the Target user. For more information, and list of allowed values, see UserType in the Schema Overview article. For (e.g. Member)	Schema
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetZone	Optional	string		Device	Target		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
ThreatCategory	Optional	string					The category of the threat or malware identified in audit file activity.	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Conditional	string	Enumerated Values (2) SrcIpAddr, TargetIpAddr				The field for which a threat was identified. The value is either `SrcIpAddr` or `TargetIpAddr`	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the audit activity.	Schema
ThreatIpAddr	Optional	string	IP Address				An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the audit activity.	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the identified threat. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias	string	Username	User	Target	TargetUsername	or to the TargetUserId if TargetUsername is not defined. (e.g. CONTOSO\dadmin)	Schema

Parser	Version	Product	Tables	Solutions

ASimAuthenticationAADManagedIdentitySignInLogs	0.2.3	Microsoft Entra ID	AADManagedIdentitySignInLogs	Microsoft Entra ID
ASimAuthenticationAADNonInteractiveUserSignInLogs	0.2.3	Microsoft Entra ID	AADNonInteractiveUserSignInLogs	Microsoft Entra ID
ASimAuthenticationAADServicePrincipalSignInLogs	0.2.3	Microsoft Entra ID	AADServicePrincipalSignInLogs	Microsoft Entra ID
ASimAuthenticationAWSCloudTrail	0.2.2	AWS	AWSCloudTrail	Amazon Web Services
ASimAuthenticationBarracudaWAF	0.1.0	Barracuda WAF	CommonSecurityLog, barracuda_CL	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationCiscoASA	0.1.1	Cisco Adaptive Security Appliance (ASA)	CommonSecurityLog	CiscoASA, Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationCiscoIOS	0.1.1	Cisco IOS	Syslog	Syslog
ASimAuthenticationCiscoISE	0.1.0	Cisco ISE	Syslog	Syslog
ASimAuthenticationCiscoISEAdministrator	0.1.1	Cisco ISE Administrator	Syslog	Syslog
ASimAuthenticationCiscoMeraki	0.2.1	Cisco Meraki	meraki_CL	CiscoMeraki, CustomLogsAma
ASimAuthenticationCiscoMerakiSyslog	0.2.1	Cisco Meraki	Syslog	Syslog
ASimAuthenticationCrowdStrikeFalconHost	0.2.0	CrowdStrike Falcon Endpoint Protection	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationFortinetFortigate	0.1.0	Fortigate	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationGoogleWorkspace	0.1.0	Google Workspace	GWorkspace_ReportsAPI_login_CL
ASimAuthenticationIllumioSaaSCore	0.3.0	Illumio	Illumio_Auditable_Events_CL	IllumioSaaS
ASimAuthenticationM365Defender	0.2.0	M365 Defender for EndPoint	DeviceLogonEvents
ASimAuthenticationMD4IoT	0.1.2	Microsoft Defender for IoT	SecurityIoTRawEvent
ASimAuthenticationMicrosoftWindowsEvent	0.2.1	Windows Security Events	SecurityEvent, WindowsEvent	Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events
ASimAuthenticationNative	0.1.0	Native	ASimAuthenticationEventLogs	SynqlyIntegrationConnector, VMware Carbon Black Cloud
ASimAuthenticationOktaSSO	0.4.0	Okta	Okta_CL	Okta Single Sign-On
ASimAuthenticationOktaSystemLogs	0.1.0	Okta	OktaSystemLogs
ASimAuthenticationOktaV2	0.4.0	Okta	OktaV2_CL	Okta Single Sign-On
ASimAuthenticationPaloAltoCortexDataLake	0.2.0	Palo Alto Cortex Data Lake	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationPaloAltoGlobalProtect	0.1.0	Palo Alto PAN-OS GlobalProtect	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationPaloAltoPanOS	0.1.0	Palo Alto PAN-OS	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimAuthenticationPostgreSQL	0.1.4	PostgreSQL	PostgreSQL_CL	CustomLogsAma
ASimAuthenticationSalesforceSC	0.1.0	Salesforce Service Cloud	SalesforceServiceCloud_CL
ASimAuthenticationSentinelOne	0.1.1	SentinelOne	SentinelOne_CL
ASimAuthenticationSigninLogs	0.4.1	Microsoft Entra ID	SigninLogs	Microsoft Entra ID
ASimAuthenticationSshd	0.3.1	OpenSSH	Syslog	Syslog
ASimAuthenticationSu	0.3.0	su	Syslog	Syslog
ASimAuthenticationSudo	0.2.0	sudo	Syslog	Syslog
ASimAuthenticationVectraXDRAudit	0.1	Vectra	Audits_Data_CL	Vectra XDR
ASimAuthenticationVMwareCarbonBlackCloud	0.1.0	VMware Carbon Black Cloud	CarbonBlackAuditLogs_CL
ASimAuthenticationVMwareVCenter	0.1.1	VMware vCenter	AVSVcSyslog, vcenter_CL	CustomLogsAma

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
DhcpCircuitId	Optional	string					The DHCP circuit ID, as defined by RFC3046	Schema
DhcpLeaseDuration	Optional	int					The length of the lease granted to a client, in seconds.	Schema
DhcpSessionDuration	Optional	int					The amount of time, in milliseconds, for the completion of the DHCP session. (e.g. 1500)	Schema
DhcpSessionId	Optional	string					The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field. (e.g. 2099570186)	Schema
DhcpSrcDHCId	Optional	string					The DHCP client ID, as defined by RFC4701	Schema
DhcpSubscriberId	Optional	string					The DHCP subscriber ID, as defined by RFC3993	Schema
DhcpUserClass	Optional	string					The DHCP User Class, as defined by RFC3004.	Schema
DhcpUserClassId	Optional	string					The DHCP User Class ID, as defined by RFC3004.	Schema
DhcpVendorClass	Optional	string					The DHCP Vendor Class, as defined by RFC3925.	Schema
DhcpVendorClassId	Optional	string					The DHCP Vendor Class Id, as defined by RFC3925.	Schema
Dst		string						Physical Table Only
Duration	Alias					DhcpSessionDuration		Schema
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Recommended	string	Enumerated				Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. (e.g. NXDOMAIN)	Common
EventSchema	Mandatory	string	Enumerated Values (1) DhcpEvent				The name of the schema documented here's DhcpEvent.	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema documented here's 0.1.1.	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated				Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field	Common
EventType	Mandatory	string	Enumerated Values (4) Assign, Renew, Release, DNS Update				Indicate the operation reported by the record. Possible values are `Assign`, `Renew`, `Release`, and `DNS Update`. (e.g. Assign)	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
Hostname	Alias			Device	Src	SrcHostname		Schema
IpAddr	Alias			Device	Src	SrcIpAddr		Schema
RequestedIpAddr	Optional	string	IP Address				The IP address requested by the DHCP client, when available. (e.g. 192.168.12.3)	Schema
Rule	Alias	string				Either of RuleName, RuleNumber	Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string	Schema
RuleName	Optional	string					The name or ID of the rule associated with the alert. (e.g. Server PSEXEC Execution via Remote Access)	Schema
RuleNumber	Optional	int					The number of the rule associated with the alert. (e.g. 123456)	Schema
SessionId	Alias	string				DhcpSessionId		Schema
Src	Alias	string		Device	Src	Either of SrcDvcId, SrcHostname, SrcIpAddr	A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	Enumerated Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. Possible values include: - `Computer` - `Mobile Device` - `IOT Device` - `Other`	Schema
SrcDNUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcDomain	Recommended	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Conditional	string	Enumerated Values (3) Windows, contoso, FQDN	Device	Src	SrcDomain	The type of SrcDomain, if known. Possible values include: - `Windows` (such as: `contoso`) - `FQDN` (such as: `microsoft.com`) Required if SrcDomain is used	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device as reported in the record. For (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	Enumerated Values (2) AzureResourceId, MDEid	Device	Src	SrcDvcId	The type of SrcDvcId, if known. Possible values include: - `AzureResourceId` - `MDEid` If multiple IDs are available, use the first one from the list above, and store the others in the SrcDvcAzureResourceId and SrcDvcMDEid, respectively	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		The region associated with the source IP address. (e.g. Vermont)	Schema
SrcHostname	Mandatory	string	Hostname	Device	Src		The hostname of the device requesting the DHCP lease. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcIpAddr	Mandatory	string	IP Address	Device	Src		The IP address assigned to the client by the DHCP server. (e.g. 192.168.12.1)	Schema
SrcMacAddr	Mandatory	string	Mac Address	User	Src		The MAC address of the client requesting a DHCP lease. (e.g. 06:10:9f:eb:8f:14)	Schema
SrcOriginalRiskLevel	Optional	string		Device	Src		The risk level associated with the source, as reported by the reporting device. (e.g. Suspicious)	Schema
SrcOriginalUserType	Optional	string		User	Src		The original source user type, if provided by the source.	Schema
SrcPortNumber	Optional	int		Device	Src		The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. (e.g. 2335)	Schema
SrcRiskLevel	Optional	int		Device	Src		The risk level associated with the source. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
SrcSimpleUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcUserAadId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserAADTenant	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSAccount	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserId	Optional	string		User	Src		A machine-readable, alphanumeric, unique representation of the source user. For more information, and for alternative fields for additional IDs, see The User entity. (e.g. S-1-12-1-4141952679-1282074057-627758481-2916039507)	Schema
SrcUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Src	SrcUserId	The type of the ID stored in the SrcUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.	Schema
SrcUsername	Optional	string	Username	User	Src		The source username, including domain information when available. For more information, see The User entity. (e.g. AlbertE)	Schema
SrcUsernameType	Conditional	string	UsernameType	User	Src	SrcUsername	Specifies the type of the user name stored in the SrcUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. (e.g. Windows)	Schema
SrcUserOktaId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserPuid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserScope	Optional	string		User	Src		The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
SrcUserScopeId	Optional	string		User	Src		The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
SrcUserSessionId	Optional	string		User	Src		The unique ID of the sign-in session of the Actor. (e.g. 102pTUgC3p8RIqHvzxLCHnFlg)	Schema
SrcUserSid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserType	Optional	string	UserType	User	Src		The type of the source user. For more information, and list of allowed values, see UserType in the Schema Overview article. For (e.g. Guest)	Schema
SrcUserUid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserUPN	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcWindowsUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcZone	Optional	string		Device	Src		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Optional	string	Values (15) Malware, Ransomware, Trojan, Virus, Worm, Adware, Spyware, Rootkit, Cryptominor, Phishing, Spam, MaliciousUrl, Spoofing, Security Policy Violation, Unknown				The category of the threat or malware identified in the alert.	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField		string						Physical Table Only
ThreatFirstReportedTime	Optional	datetime					Date and time when the threat was first reported. (e.g. 2024-09-19T10:12:10.0000000Z)	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the alert. (e.g. 1234567891011121314)	Schema
ThreatIsActive	Optional	bool	Values (2) True, False				Indicates whether the threat is currently active.	Schema
ThreatLastReportedTime	Optional	datetime					Date and time when the threat was last reported. (e.g. 2024-09-19T10:12:10.0000000Z)	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the alert. (e.g. Init.exe)	Schema
ThreatOriginalConfidence	Optional	string					The confidence level as reported by the originating system.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the originating system.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the threat. The level should be a number between 0 and 100. Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias			User	Src	SrcUsername		Schema

Parser	Version	Product	Tables	Solutions

ASimDhcpEventInfobloxBloxOne	0.1.0	Infoblox BloxOne	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimDhcpEventNative	0.1.0	Native	ASimDhcpEventLogs	SynqlyIntegrationConnector

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
DnsFlags	Optional	string					The flags field, as provided by the reporting device. If flag information is provided in multiple fields, concatenate them with comma as a separator. Since DNS flags are complex to parse and are less often used by analytics, parsing, and normalization aren't required. Microsoft Sentinel can use an auxiliary function to provide flags information. For more information, see Handling DNS response. (e.g. ["DR"])	Schema
DnsFlagsAuthenticated	Optional	boolean					The DNS `AD` flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see RFC 3655 Section 6.1 for more information.	Schema
DnsFlagsAuthoritative	Optional	boolean					The DNS `AA` flag indicates whether the response from the server was authoritative	Schema
DnsFlagsCheckingDisabled	Optional	boolean					The DNS `CD` flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query. For more information, see RFC 3655 Section 6.1 for more information.	Schema
DnsFlagsRecursionAvailable	Optional	boolean					The DNS `RA` flag indicates in a response that that server supports recursive queries.	Schema
DnsFlagsRecursionDesired	Optional	boolean					The DNS `RD` flag indicates in a request that that client would like the server to use recursive queries.	Schema
DnsFlagsTruncated	Optional	boolean					The DNS `TC` flag indicates that a response was truncated as it exceeded the maximum response size.	Schema
DnsFlagsZ	Optional	boolean					The DNS `Z` flag is a deprecated DNS flag, which might be reported by older DNS systems.	Schema
DnsNetworkDuration	Optional	int					The amount of time, in milliseconds, for the completion of DNS request. (e.g. 1500)	Schema
DnsQuery	Mandatory	string					The domain that the request tries to resolve. Notes: - Some sources send valid FQDN queries in a different format. For example, in the DNS protocol itself, the query includes a dot (.) at the end, which must be removed. - While the DNS protocol limits the type of value in this field to an FQDN, most DNS servers allow any value, and this field is therefore not limited to FQDN values only. Most notably, DNS tunneling attacks may use invalid FQDN values in the query field. - While the DNS protocol allows for multiple queries in a single request, this scenario is rare, if it's found at all. If the request has multiple queries, store the first one in this field, and then and optionally keep the rest in the AdditionalFields field. (e.g. www.malicious.com)	Schema
DnsQueryClass	Optional	int					The DNS class ID. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.	Schema
DnsQueryClassName	Recommended	string	DnsQueryClassName				The DNS class name. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable. (e.g. IN)	Schema
DnsQueryType	Optional	int					The DNS Resource Record Type codes. (e.g. 28)	Schema
DnsQueryTypeName	Recommended	string	Enumerated Values (1) ANY				The DNS Resource Record Type names. Notes: - IANA doesn't define the case for the values, so analytics must normalize the case as needed. - The value `ANY` is supported for the response code 255. - The value `TYPExxxx` is supported for unmapped response codes, where `xxxx` is the numerical value of the response code, as reported by the BIND DNS server. -If the source provides only a numerical query type code and not a query type name, the parser must include a lookup table to enrich with this value. (e.g. AAAA)	Schema
DnsResponseCode	Optional	int					The DNS numerical response code. (e.g. 3)	Schema
DnsResponseCodeName	Alias					EventResultDetails		Schema
DnsResponseIpCity	Optional	string	City				The city associated with one of the IP addresses in the DNS response. For more information, see Logical types. (e.g. Burlington)	Schema
DnsResponseIpCountry	Optional	string	Country				The country/region associated with one of the IP addresses in the DNS response. For more information, see Logical types. (e.g. USA)	Schema
DnsResponseIpLatitude	Optional	real	Latitude				The latitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types. (e.g. 44.475833)	Schema
DnsResponseIpLongitude	Optional	real	Longitude				The longitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types. (e.g. 73.211944)	Schema
DnsResponseIpRegion	Optional	string	Region				The region, or state, associated with one of the IP addresses in the DNS response. For more information, see Logical types. (e.g. Vermont)	Schema
DnsResponseName	Optional	string					The content of the response, as included in the record. The DNS response data is inconsistent across reporting devices, is complex to parse, and has less value for source-agnostic analytics. Therefore the information model doesn't require parsing and normalization, and Microsoft Sentinel uses an auxiliary function to provide response information. For more information, see Handling DNS response.	Schema
DnsSessionId	Optional	string					The DNS session identifier as reported by the reporting device. This value is different from TransactionIdHex, the DNS query unique ID as assigned by the DNS client. (e.g. EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55)	Schema
Domain	Alias					DnsQuery		Schema
DomainCategory	Alias					UrlCategory		Schema
Dst	Alias	string		Device	Dst	Either of DstDvcId, DstHostname, DstIpAddr	A unique identifier of the server that received the DNS request. This field may alias the DstDvcId, DstHostname, or DstIpAddr fields. (e.g. 192.168.12.1)	Schema
DstDescription	Optional	string		Device	Dst		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
DstDeviceType	Optional	string	Enumerated Values (4) Computer, Mobile Device, IOT Device, Other	Device	Dst		The type of the destination device. Possible values include: - `Computer` - `Mobile Device` - `IOT Device` - `Other`	Schema
DstDomain	Optional	string	Domain	Device	Dst		The domain of the destination device. (e.g. Contoso)	Schema
DstDomainType	Conditional	string	Enumerated Values (1) Windows (contoso\mypc)	Device	Dst	DstDomain	The type of DstDomain, if known. Possible values include: - `Windows (contoso\mypc)` - `FQDN (learn.microsoft.com)` Required if DstDomain is used	Schema
DstDvcAction	Optional	string		Device	Dst		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
DstDvcAwsVpcId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcAzureResourceId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcId	Optional	string		Device	Dst		The ID of the destination device as reported in the record. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
DstDvcIdType	Conditional	string	Enumerated Values (2) AzureResourceId, MDEidIf	Device	Dst		The type of DstDvcId, if known. Possible values include: - `AzureResourceId` - `MDEidIf` If multiple IDs are available, use the first one from the list above, and store the others in the DstDvcAzureResourceId or DstDvcMDEid fields, respectively. Required if DstDeviceId is used	Schema
DstDvcMD4IoTid	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcMDEid	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcOriginalAction	Optional	string		Device	Dst		The original DvcAction as provided by the reporting device.	Entity Extension
DstDvcOs	Optional	string		Device	Dst		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
DstDvcOsVersion	Optional	string		Device	Dst		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
DstDvcScope	Optional	string		Device	Dst		The cloud platform scope the device belongs to. DstDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
DstDvcScopeId	Optional	string		Device	Dst		The cloud platform scope ID the device belongs to. DstDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
DstDvcVectraId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcVMConnectionId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstFQDN	Optional	string	FQDN	Device	Dst		The destination device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
DstGeoCity	Optional	string	City	Device	Dst		The city associated with the destination IP address. For more information, see Logical types. (e.g. Burlington)	Schema
DstGeoCountry	Optional	string	Country	Device	Dst		The country/region associated with the destination IP address. For more information, see Logical types. (e.g. USA)	Schema
DstGeoLatitude	Optional	real	Latitude	Device	Dst		The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. (e.g. 44.475833)	Schema
DstGeoLongitude	Optional	real	Longitude	Device	Dst		The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. (e.g. 73.211944)	Schema
DstGeoRegion	Optional	string	Region	Device	Dst		The region, or state, associated with the destination IP address. For more information, see Logical types. (e.g. Vermont)	Schema
DstHostname	Optional	string	Hostname	Device	Dst		The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
DstInterface	Optional	string		Device	Dst		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
DstIpAddr	Optional	string	IP Address	Device	Dst		The IP address of the server that received the DNS request. For a regular DNS request, this value would typically be the reporting device, and in most cases set to `127.0.0.1`. (e.g. 127.0.0.1)	Schema
DstMacAddr	Optional	string	MAC	Device	Dst		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
DstOriginalRiskLevel	Optional	string		Device	Dst		The risk level associated with the destination, as reported by the reporting device. (e.g. Malicious)	Schema
DstPortNumber	Optional	int		Device	Dst		Destination Port number. (e.g. 53)	Schema
DstRiskLevel	Optional	int		Device	Dst		The risk level associated with the destination. The value should be adjusted to a range of 0 to 100, which 0 being benign and 100 being a high risk. (e.g. 90)	Schema
DstZone	Optional	string		Device	Dst		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
Duration	Alias					DnsNetworkDuration		Schema
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Mandatory	string	Enumerated				For DNS events, this field provides the DNS response code. Notes: - IANA doesn't define the case for the values, so analytics must normalize the case. - If the source provides only a numerical response code and not a response code name, the parser must include a lookup table to enrich with this value. - If this record represents a request and not a response, set to NA. (e.g. NXDOMAIN)	Schema
EventSchema	Mandatory	string	Enumerated Values (1) Dns				The name of the schema documented here is Dns	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema documented here is 0.1.7.	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated Values (2) request, response				Either `request` or `response`. For most sources, only the responses are logged, and therefore the value is often response	Schema
EventType	Mandatory	string	Enumerated				Indicates the operation reported by the record. For DNS records, this value would be the DNS op code. (e.g. Query)	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
Hostname	Alias			Device	Src	SrcHostname		Schema
IpAddr	Alias			Device	Src	SrcIpAddr		Schema
NetworkProtocol	Optional	string	Enumerated				The transport protocol used by the network resolution event. The value can be UDP or TCP, and is most commonly set to UDP for DNS. (e.g. UDP)	Schema
NetworkProtocolVersion	Optional	string	Enumerated Values (1) IPv4				The version of NetworkProtocol. When using it to distinguish between IP version, use the values `IPv4` and `IPv6`	Schema
Process	Alias			Process	Src	SrcProcessName	(e.g. C:\Windows\System32\rundll32.exe)	Schema
Rule	Alias	string				Either of RuleName, RuleNumber	Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string	Schema
RuleName	Optional	string					The name or ID of the rule which identified the threat. (e.g. AnyAnyDrop)	Schema
RuleNumber	Optional	int					The number of the rule which identified the threat. (e.g. 23)	Schema
SessionId	Alias					DnsSessionId		Schema
Src	Alias	string		Device	Src	Either of SrcDvcId, SrcHostname, SrcIpAddr	A unique identifier of the source device. This field can alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	Enumerated Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. Possible values include: - `Computer` - `Mobile Device` - `IOT Device` - `Other`	Schema
SrcDNUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcDomain	Recommended	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Conditional	string	Enumerated Values (3) Windows, contoso, FQDN	Device	Src	SrcDomain	The type of SrcDomain, if known. Possible values include: - `Windows` (such as: `contoso`) - `FQDN` (such as: `microsoft.com`) Required if SrcDomain is used	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device as reported in the record. For (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	Enumerated Values (2) AzureResourceId, MDEid	Device	Src	SrcDvcId	The type of SrcDvcId, if known. Possible values include: - `AzureResourceId` - `MDEid` If multiple IDs are available, use the first one from the list, and store the others in the SrcDvcAzureResourceId and SrcDvcMDEid, respectively	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		The region associated with the source IP address. (e.g. Vermont)	Schema
SrcHostname	Recommended	string	Hostname	Device	Src		The source device hostname, excluding domain information. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcIpAddr	Recommended	string	IP Address	Device	Src		The IP address of the client that sent the DNS request. For a recursive DNS request, this value would typically be the reporting device, and in most cases set to `127.0.0.1`. (e.g. 192.168.12.1)	Schema
SrcMacAddr	Optional	string	MAC	Device	Src		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
SrcOriginalRiskLevel	Optional	string		Device	Src		The risk level associated with the source, as reported by the reporting device. (e.g. Suspicious)	Schema
SrcOriginalUserType	Optional	string		User	Src		The original source user type, if provided by the source.	Schema
SrcPortNumber	Optional	int		Device	Src		Source port of the DNS query. (e.g. 54312)	Schema
SrcProcessGuid	Optional	string	GUID	Process	Src		A generated unique identifier (GUID) of the process that initiated the DNS request. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
SrcProcessId	Optional	string		Process	Src		The process ID (PID) of the process that initiated the DNS request. (e.g. 48610176)	Schema
SrcProcessName	Optional	string		Process	Src		The file name of the process that initiated the DNS request. This name is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Schema
SrcRiskLevel	Optional	int		Device	Src		The risk level associated with the source. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
SrcSimpleUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcUserAadId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserAADTenant	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSAccount	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserId	Optional	string		User	Src		A machine-readable, alphanumeric, unique representation of the source user. For more information, and for alternative fields for additional IDs, see The User entity. (e.g. S-1-12-1-4141952679-1282074057-627758481-2916039507)	Schema
SrcUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Src	SrcUserId	The type of the ID stored in the SrcUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.	Schema
SrcUsername	Optional	string	Username	User	Src		The source username, including domain information when available. For more information, see The User entity. (e.g. AlbertE)	Schema
SrcUsernameType	Conditional	string	UsernameType	User	Src	SrcUsername	Specifies the type of the user name stored in the SrcUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. (e.g. Windows)	Schema
SrcUserOktaId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserPuid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserScope	Optional	string		User	Src		The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
SrcUserScopeId	Optional	string		User	Src		The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
SrcUserSessionId	Optional	string		User	Src		The unique ID of the sign-in session of the Actor. (e.g. 102pTUgC3p8RIqHvzxLCHnFlg)	Schema
SrcUserSid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserType	Optional	string	UserType	User	Src		The type of the source user. For more information, and list of allowed values, see UserType in the Schema Overview article. For (e.g. Guest)	Schema
SrcUserUid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserUPN	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcWindowsUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcZone	Optional	string		Device	Src		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Optional	string					If a DNS event source also provides DNS security, it may also evaluate the DNS event. (e.g. it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category)	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Conditional	string	Enumerated Values (4) SrcIpAddr, DstIpAddr, Domain, DnsResponseName				The field for which a threat was identified. The value is either `SrcIpAddr`, `DstIpAddr`, `Domain`, or `DnsResponseName`	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatFirstReportedTime_d		datetime						Physical Table Only
ThreatId	Optional	string					The ID of the threat or malware identified in the network session. (e.g. Tr.124)	Schema
ThreatIpAddr	Optional	string	IP Address				An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. If a threat is identified in the Domain field, this field should be empty.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatLastReportedTime_d		datetime						Physical Table Only
ThreatName	Optional	string					The name of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The original risk level associated with the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel_s		string						Physical Table Only
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the threat identified, normalized to a value between 0 and a 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
TransactionIdHex	Recommended	string	Hexadecimal				The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from DnsSessionId, the network layer session ID, typically assigned by the reporting device.	Schema
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
UrlCategory	Optional	string					A DNS event source may also look up the category of the requested Domains. The field is called UrlCategory to align with the Microsoft Sentinel network schema. DomainCategory is added as an alias that's fitting to DNS. (e.g. Educational \\ Phishing)	Schema
User	Alias			User	Src	SrcUsername		Schema

Parser	Version	Product	Tables	Solutions

ASimDnsAzureFirewall	0.4.0	Azure Firewall	AZFWDnsQuery, AzureDiagnostics	Azure Firewall
ASimDnsCiscoUmbrella	0.3	Cisco Umbrella	Cisco_Umbrella_dns_CL	CiscoUmbrella
ASimDnsCorelightZeek	0.5.0	Corelight Zeek	Corelight_CL	Corelight
ASimDnsFortinetFortiGate	0.1.2	Fortinet FortiGate	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimDnsGcp	0.4	GCP Cloud DNS	GCP_DNS_CL
ASimDnsInfobloxBloxOne	0.1.0	Infoblox BloxOne	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimDnsInfobloxNIOS	0.6.1	Infoblox NIOS	Syslog	Syslog
ASimDnsMicrosoftNXlog	0.5.0	MS DNS Events	NXLog_DNS_Server_CL	NXLogDNSLogs
ASimDnsMicrosoftOMS	0.4	MS DNS Events	DnsEvents	Windows Server DNS
ASimDnsMicrosoftSysmon	0.5.1	Microsoft Windows Events Sysmon	Event
ASimDnsMicrosoftSysmonWindowsEvent	0.5.1	Microsoft Windows Events Sysmon	WindowsEvent	Windows Forwarded Events
ASimDnsNative	0.8.0	Native	ASimDnsActivityLogs	SynqlyIntegrationConnector
ASimDnsSentinelOne	0.1.0	SentinelOne	SentinelOne_CL
ASimDnsVectraAI	0.1.1	Vectra AI Streams	VectraStream_CL	CustomLogsAma, Vectra AI Stream
ASimDnsZscalerZIA	0.6	Zscaler ZIA DNS	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActingAppId	Optional	string		Application	Acting		The ID of the acting application, as reported by the reporting device.	Schema
ActingAppName	Optional	string		Application	Acting		The name of the acting application. (e.g. Facebook)	Schema
ActingAppType	Optional	string	AppType Values (7) Process, Service, Resource, URL, SaaS application, CSP, Other	Application	Acting		The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if TargetAppName or TargetAppId are used.	Schema
ActingProcessCommandLine	Optional	string		Process	Acting		The command line used to run the acting process. (e.g. "choco.exe" -v)	Schema
ActingProcessGuid	Optional	string	GUID	Process	Acting		A generated unique identifier (GUID) of the acting process. Enables identifying the process across systems. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
ActingProcessId	Optional	string		Process	Acting		The process ID (PID) of the acting process. (e.g. 48610176)	Schema
ActingProcessName	Optional	string		Process	Acting		The name of the acting process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space. (e.g. C:\Windows\explorer.exe)	Schema
ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorOriginalUserType	Optional	string		User	Actor		The original destination user type, if provided by the reporting device.	Schema
ActorScope	Optional	string		User	Actor		The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
ActorScopeId	Optional	string		User	Actor		The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
ActorSessionId	Optional	string		User	Actor		The unique ID of the login session of the Actor. (e.g. 999)	Schema
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAADTenant	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSAccount	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserId	Recommended	string		User	Actor		A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Schema
ActorUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Actor	ActorUserId	The type of the ID stored in the ActorUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.	Schema
ActorUsername	Mandatory	string	Username	User	Actor		The Actor username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the ActorUsernameType field. If other username formats are available, store them in the fields `ActorUsername`. (e.g. AlbertE)	Schema
ActorUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Actor	ActorUsername	Specifies the type of the user name stored in the ActorUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. (e.g. Windows)	Schema
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Actor		The type of Actor. For a list of allowed values and further information, refer to UserType in the Schema Overview article.	Schema
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
Application	Alias			Application	Target	TargetAppName		Schema
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Recommended	string	Enumerated				Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. (e.g. NXDOMAIN)	Common
EventSchema	Mandatory	string	Enumerated Values (1) FileEvent				The name of the schema documented here is FileEvent	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.2.2`	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated Values (14) FileCreated, Upload, Checkin, FileModified, FileCreatedOrModified, FileAccessed, Download, Preview, Checkout, Extended, FileDeleted, Recycled, Versions, Site				Describes details about the operation reported in EventType. Supported values per event type include: - `FileCreated` - `Upload`, `Checkin` - `FileModified` - `Checkin` - `FileCreatedOrModified` - `Checkin` - `FileAccessed` - `Download`, `Preview`, `Checkout`, `Extended` - `FileDeleted` - `Recycled`, `Versions`, `Site`	Schema
EventType	Mandatory	string	Enumerated Values (12) FileAccessed, FileCreated, FileModified, FileDeleted, FileRenamed, FileCopied, FileMoved, FolderCreated, FolderDeleted, FolderMoved, FolderModified, FileCreatedOrModified				Describes the operation reported by the record.	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
FileName	Alias			User	Target	TargetFileName	field	Schema
FilePath	Alias			User	Target	TargetFilePath	field	Schema
Hash	Alias			User	Target	Either of SrcFileMD5, SrcFileSHA1, SrcFileSHA256, SrcFileSHA512, TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512	Alias to the best available Target File hash	Schema
HashType	Conditional	string	Enumerated Values (6) MD5, SHA, SHA256, SHA512, IMPHASH, Hash	User	Target	Hash	The type of hash stored in the HASH alias field, allowed values are `MD5`, `SHA`, `SHA256`, `SHA512` and `IMPHASH`. Mandatory if `Hash` is populated	Schema
HttpUserAgent	Optional	string		Application	Acting		When the operation is initiated by a remote system using HTTP or HTTPS, the user agent used. For (e.g. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246)	Schema
IpAddr	Alias			Device	Src	SrcIpAddr		Schema
NetworkApplicationProtocol	Optional	string		Application	Acting		When the operation is initiated by a remote system, this value is the application layer protocol used in the OSI model. While this field is not enumerated, and any value is accepted, preferable values include: `HTTP`, `HTTPS`, `SMB`,`FTP`, and `SSH` (e.g. SMB)	Schema
Process	Alias			Process	Acting	ActingProcessName		Schema
Rule	Conditional	string					Either the value of kRuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.	Schema
RuleName	Optional	string					The name or ID of the rule by associated with the inspection results.	Schema
RuleNumber	Optional	int					The number of the rule associated with the inspection results.	Schema
Src	Alias			Device	Src	SrcIpAddr		Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Schema
SrcDomain	Optional	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Src	SrcDomain	The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if SrcDomain is used.	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields `SrcDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Src	SrcDvcId	The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article.	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFileCreationTime	Optional	datetime		Device	Src		The time at which the source file was created.	Schema
SrcFileDirectory	Optional	string		Device	Src		The source file folder or location. This field should be similar to the SrcFilePath field, without the final element.	Schema
SrcFileExtension	Optional	string		Device	Src		The source file extension.	Schema
SrcFileMD5	Optional	string	MD5	Device	Src		The MD5 hash of the source file. (e.g. 75a599802f1fa166cdadb360960b1dd0)	Schema
SrcFileMimeType	Optional	string		Device	Src		The Mime or Media type of the source file. Supported values are listed in the IANA Media Types repository	Schema
SrcFileName	Recommended	string		Device	Src		The name of the source file, without a path or a location, but with an extension if relevant. This field should be similar to the last element in the SrcFilePath field.	Schema
SrcFilePath	Recommended	string		Device	Src		The full, normalized path of the source file, including the folder or location, the file name, and the extension. For more information, see Path structure. (e.g. /etc/init.d/networking)	Schema
SrcFilePathType	Recommended	string	Enumerated	Device	Src		The type of SrcFilePath. For more information, see Path structure	Schema
SrcFileSHA1	Optional	string	SHA1	Device	Src		The SHA-1 hash of the source file. (e.g. d55c5a4df19b46db8c54 c801c4665d3338acdab0)	Schema
SrcFileSHA256	Optional	string	SHA256	Device	Src		The SHA-256 hash of the source file. (e.g. e81bb824c4a09a811af17deae22f22dd 2e1ec8cbb00b22629d2899f7c68da274)	Schema
SrcFileSHA512	Optional	string	SHA512	Device	Src		The SHA-512 hash of the source file.	Schema
SrcFileSize	Optional	long		Device	Src		The size of the source file in bytes.	Schema
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		The region associated with the source IP address. (e.g. Vermont)	Schema
SrcHostname	Optional	string	Hostname	Device	Src		The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcIpAddr	Recommended	string	IP Address	Device	Src		When the operation is initiated by a remote system, the IP address of this system. (e.g. 185.175.35.214)	Schema
SrcMacAddr	Optional	string	MAC	Device	Src		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Entity Extension
SrcOriginalRiskLevel		string						Physical Table Only
SrcPortNumber	Optional	int		Device	Src		When the operation is initiated by a remote system, the port number from which the connection was initiated. (e.g. 2335)	Schema
SrcRiskLevel		int						Physical Table Only
SrcZone	Optional	string		Device	Src		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
TargetAppId	Optional	string		Application	Target		The ID of the destination application, as reported by the reporting device.	Schema
TargetAppName	Optional	string		Application	Target		The name of the destination application. (e.g. Facebook)	Schema
TargetAppType	Conditional	string	AppType Values (7) Process, Service, Resource, URL, SaaS application, CSP, Other	Application	Target		The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if TargetAppName or TargetAppId are used.	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetFileCreationTime	Optional	datetime		User	Target		The time at which the target file was created.	Schema
TargetFileDirectory	Optional	string		User	Target		The target file folder or location. This field should be similar to the TargetFilePath field, without the final element.	Schema
TargetFileExtension	Optional	string		User	Target		The target file extension.	Schema
TargetFileMD5	Optional	string	MD5	User	Target		The MD5 hash of the target file. (e.g. 75a599802f1fa166cdadb360960b1dd0)	Schema
TargetFileMimeType	Optional	string		User	Target		The Mime, or Media, type of the target file. Allowed values are listed in the IANA Media Types repository	Schema
TargetFileName	Recommended	string		User	Target		The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the TargetFilePath field.	Schema
TargetFilePath	Mandatory	string		User	Target		The full, normalized path of the target file, including the folder or location, the file name, and the extension. For more information, see Path structure. (e.g. C:\Windows\System32\notepad.exe)	Schema
TargetFilePathType	Mandatory	string	Enumerated	User	Target		The type of TargetFilePath. For more information, see Path structure	Schema
TargetFileSHA1	Optional	string	SHA1	User	Target		The SHA-1 hash of the target file. (e.g. d55c5a4df19b46db8c54 c801c4665d3338acdab0)	Schema
TargetFileSHA256	Optional	string	SHA256	User	Target		The SHA-256 hash of the target file. (e.g. e81bb824c4a09a811af17deae22f22dd 2e1ec8cbb00b22629d2899f7c68da274)	Schema
TargetFileSHA512	Optional	string	SHA512	User	Target		The SHA-512 hash of the source file.	Schema
TargetFileSize	Optional	long		User	Target		The size of the target file in bytes.	Schema
TargetOriginalAppType	Optional	string		Application	Target		The type of the destination application as reported by the reporting device.	Schema
TargetOriginalUserType	Optional	string		User	Target		The original destination user type, if provided by the reporting device.	Entity Extension
TargetProcessGuid	Optional	string		Application	Target		A generated unique identifier (GUID) of the process used by the application. (e.g. 01234567-89AB-CDEF-0123-456789ABCDEF)	Entity Extension
TargetProcessId	Optional	string		Application	Target		The process ID (PID) of the process the application is using. (e.g. 48610176)	Entity Extension
TargetProcessName	Optional	string		Application	Target		The file name of the process used by the application. (e.g. C:\Windows\explorer.exe)	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUrl	Optional	string	URL	Application	Target		When the operation is initiated using HTTP or HTTPS, the URL used. (e.g. https://onedrive.live.com/?authkey=..)	Schema
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAADTenant	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSAccount	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserId	Optional	string		User	Target		A machine-readable, alphanumeric, unique representation of the user.	Entity Extension
TargetUserIdType	Optional	string	UserIdType	User	Target		The type of the ID stored in the UserId field.	Entity Extension
TargetUsername	Optional	string		User	Target		The source username, including domain information when available. Use the simple form only if domain information isn't available. Store the Username type in the UsernameType field.	Entity Extension
TargetUsernameType	Optional	string	UsernameType	User	Target		Specifies the type of the username stored in the Username field.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserScope	Optional	string		User	Target		The scope in which UserId and Username are defined. (e.g. a Microsoft Entra tenant domain name. The [UserIdType](#useridtype) field represents also the type of the associated with this field)	Entity Extension
TargetUserScopeId	Optional	string		User	Target		The ID of the scope in which UserId and Username are defined. (e.g. a Microsoft Entra tenant directory ID. The [UserIdType](#useridtype) field represents also the type of the associated with this field)	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Target		The type of source user. The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the OriginalUserType field	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Optional	string					The category of the threat or malware identified in the file activity. (e.g. Trojan)	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Conditional	string	Enumerated Values (2) SrcFilePath, DstFilePath				The field for which a threat was identified. The value is either `SrcFilePath` or `DstFilePath`	Schema
ThreatFilePath	Optional	string					A file path for which a threat was identified. The field ThreatField contains the name of the field ThreatFilePath represents.	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the file activity.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the file activity. (e.g. EICAR Test File)	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the identified threat. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
Url	Alias			Application	Target	TargetUrl		Schema
User	Alias			User	Actor	ActorUsername	field. (e.g. CONTOSO\dadmin)	Schema

Parser	Version	Product	Tables	Solutions

ASimFileEventAWSCloudTrail	0.1.0	AWS Cloud Trail	AWSCloudTrail	Amazon Web Services
ASimFileEventAzureBlobStorage	0.1.1	Microsoft Azure Blob Storage	StorageBlobLogs	Azure Storage
ASimFileEventAzureFileStorage	0.1.1	Microsoft Azure File Storage	StorageFileLogs	Azure Storage
ASimFileEventAzureQueueStorage	0.1.1	Microsoft Azure Queue Storage	StorageQueueLogs	Azure Storage
ASimFileEventAzureTableStorage	0.1.1	Microsoft Azure Table Storage	StorageTableLogs	Azure Storage
ASimFileEventGoogleWorkspace	0.1.0	Google Workspace	GWorkspace_ReportsAPI_drive_CL
ASimFileEventLinuxSysmonFileCreated	0.2.1	Microsoft Sysmon for Linux	Syslog	Syslog
ASimFileEventLinuxSysmonFileDeleted	0.2.1	Microsoft Sysmon for Linux	Syslog	Syslog
ASimFileEventMicrosoft365D	0.2.1	Microsoft 365 Defender for EndPoint	DeviceFileEvents
ASimFileEventMicrosoftSecurityEvents	0.2.0	Microsoft Windows Events	SecurityEvent	Windows Security Events
ASimFileEventMicrosoftSharePoint	0.3.1	Microsoft SharePoint	OfficeActivity, Operation
ASimFileEventMicrosoftSysmon	0.5.1	Windows Sysmon	Event
ASimFileEventMicrosoftSysmonWindowsEvent	0.4.1	Windows Sysmon	WindowsEvent	Windows Forwarded Events
ASimFileEventMicrosoftWindowsEvents	0.2.0	Microsoft Windows Events	WindowsEvent	Windows Forwarded Events
ASimFileEventNative	0.1.1	Native	ASimFileEventLogs	SynqlyIntegrationConnector, VMware Carbon Black Cloud
ASimFileEventSentinelOne	0.1.0	SentinelOne	SentinelOne_CL
ASimFileEventVMwareCarbonBlackCloud	0.1.1	VMware Carbon Black Cloud	CarbonBlackEvents_CL

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
ASimMatchingHostname	Recommended	string	Enumerated Values (3) SrcHostname, DstHostname, Both				When a parser uses the `hostname_has_any` filtering parameters, this field is set with the one of the values `SrcHostname`, `DstHostname`, or `Both` to reflect the matching fields or fields	Schema
ASimMatchingIpAddr	Recommended	string	Enumerated Values (3) SrcIpAddr, DstIpAddr, Both				When a parser uses the `ipaddr_has_any_prefix` filtering parameters, this field is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields	Schema
Dst	Alias			Device	Dst	Either of DstDvcId, DstHostname, DstIpAddr	A unique identifier of the server receiving the DNS request. This field might alias the DstDvcId, DstHostname, or DstIpAddr fields. (e.g. 192.168.12.1)	Schema
DstAppId	Optional	string		Application	Dst		The ID of the destination application, as reported by the reporting device. If DstAppType is `Process`, `DstAppId` and `DstProcessId` should have the same value. (e.g. 124)	Schema
DstAppName	Optional	string		Application	Dst		The name of the destination application. (e.g. Facebook)	Schema
DstAppType	Optional	string	AppType Values (7) Process, Service, Resource, URL, SaaS application, CSP, Other	Application	Dst		The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if DstAppName or DstAppId are used.	Schema
DstBytes	Recommended	long		Device	Dst		The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes should be the sum over all aggregated sessions. (e.g. 32455)	Schema
DstDescription	Optional	string		Device	Dst		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
DstDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Dst		The type of the destination device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Schema
DstDNUsername	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstDomain	Recommended	string	Domain	Device	Dst		The domain of the destination device. (e.g. Contoso)	Schema
DstDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dst	DstDomain	The type of DstDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if DstDomain is used.	Schema
DstDvcAction	Optional	string		Device	Dst		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
DstDvcAwsVpcId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcAzureResourceId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcId	Optional	string		Device	Dst		The ID of the destination device. If multiple IDs are available, use the most important one, and store the others in the fields `DstDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
DstDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Dst		The type of DstDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Required if DstDeviceId is used.	Schema
DstDvcMD4IoTid	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcMDEid	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcOriginalAction	Optional	string		Device	Dst		The original DvcAction as provided by the reporting device.	Entity Extension
DstDvcOs	Optional	string		Device	Dst		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
DstDvcOsVersion	Optional	string		Device	Dst		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
DstDvcScope	Optional	string		Device	Dst		The cloud platform scope the device belongs to. DstDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
DstDvcScopeId	Optional	string		Device	Dst		The cloud platform scope ID the device belongs to. DstDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
DstDvcVectraId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcVMConnectionId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstFQDN	Optional	string	FQDN	Device	Dst		The destination device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
DstGeoCity	Optional	string	City	Device	Dst		The city associated with the destination IP address. For more information, see Logical types. (e.g. Burlington)	Schema
DstGeoCountry	Optional	string	Country	Device	Dst		The country/region associated with the destination IP address. For more information, see Logical types. (e.g. USA)	Schema
DstGeoLatitude	Optional	real	Latitude	Device	Dst		The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. (e.g. 44.475833)	Schema
DstGeoLongitude	Optional	real	Longitude	Device	Dst		The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. (e.g. 73.211944)	Schema
DstGeoRegion	Optional	string	Region	Device	Dst		The region, or state, associated with the destination IP address. For more information, see Logical types. (e.g. Vermont)	Schema
DstHostname	Recommended	string	Hostname	Device	Dst		The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
DstInterface	Optional	string		Device	Dst		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
DstInterfaceGuid	Optional	string	GUID	Device	Dst		The GUID of the network interface used on the destination device. (e.g. 46ad544b-eaf0-47ef- 827c-266030f545a6)	Schema
DstInterfaceName	Optional	string		Device	Dst		The network interface used for the connection or session by the destination device. (e.g. Microsoft Hyper-V Network Adapter)	Schema
DstIpAddr	Recommended	string	IP address	Device	Dst		The IP address of the connection or session destination. If the session uses network address translation, `DstIpAddr` is the publicly visible address, and not the original address of the source, which is stored in DstNatIpAddr (e.g. 2001:db8::ff00:42:8329)	Schema
DstMacAddr	Optional	string	MAC Address	Device	Dst		The MAC address of the network interface used for the connection or session by the destination device. (e.g. 06:10:9f:eb:8f:14)	Schema
DstNatIpAddr	Optional	string	IP address	Device	Intermediary		The DstNatIpAddr represents either of: - The original address of the destination device if network address translation was used. - The IP address used by the intermediary device for communication with the source. (e.g. 2::1)	Schema
DstNatPortNumber	Optional	int		Device	Intermediary		If reported by an intermediary NAT device, the port used by the NAT device for communication with the source. (e.g. 443)	Schema
DstOriginalUserType	Optional	string		User	Dst		The original destination user type, if provided by the source.	Schema
DstPackets	Optional	long		Device	Dst		The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets should be the sum over all aggregated sessions. (e.g. 446)	Schema
DstPortNumber	Optional	int		Device	Dst		The destination IP port. (e.g. 443)	Schema
DstProcessGuid	Optional	string		Application	Dst		A generated unique identifier (GUID) of the process that terminated the network session. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
DstProcessId	Optional	string		Application	Dst		The process ID (PID) of the process that terminated the network session. (e.g. 48610176)	Schema
DstProcessName	Optional	string		Application	Dst		The file name of the process that terminated the network session. This name is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Schema
DstSimpleUsername	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstSubscriptionId		string						Physical Table Only
DstUserAadId	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserAADTenant	Optional	string		User	Dst		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
DstUserAWSAccount	Optional	string		User	Dst		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
DstUserAWSId	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserId	Optional	string		User	Dst		A machine-readable, alphanumeric, unique representation of the destination user. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Schema
DstUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Dst	DstUserId	The type of the ID stored in the DstUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.	Schema
DstUsername	Optional	string	Username	User	Dst		The destination username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the DstUsernameType field. If other username formats are available, store them in the fields `DstUsername`. (e.g. AlbertE)	Schema
DstUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Dst	DstUsername	Specifies the type of the username stored in the DstUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. (e.g. Windows)	Schema
DstUserOktaId	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserPuid	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserScope	Optional	string		User	Dst		The scope, such as Microsoft Entra tenant, in which DstUserId and DstUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
DstUserScopeId	Optional	string		User	Dst		The scope ID, such as Microsoft Entra Directory ID, in which DstUserId and DstUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
DstUserSid	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Dst		The type of destination user. For a list of allowed values and further information, refer to UserType in the Schema Overview article.	Schema
DstUserUid	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserUPN	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstVlanId	Optional	string		Device	Dst		The VLAN ID related to the destination device. (e.g. 130)	Schema
DstWindowsUsername	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstZone	Optional	string		Device	Dst		The network zone of the destination, as defined by the reporting device. (e.g. Dmz)	Schema
Duration	Alias					NetworkDuration		Schema
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Recommended	string	Enumerated Values (10) Allow, Deny, Drop, Drop ICMP, Reset, Reset Source, Reset Destination, Encrypt, Decrypt, VPNroute	Device	Dvc		The action taken on the network session (e.g. drop)	Schema
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInboundInterface	Optional	string		Device	Intermediary		If reported by an intermediary device, the network interface used by the NAT device for the connection to the source device. (e.g. eth0)	Schema
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcOutboundInterface	Optional	string		Device	Intermediary		If reported by an intermediary device, the network interface used by the NAT device for the connection to the destination device. (e.g. Ethernet adapter Ethernet 4e)	Schema
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcSubscriptionId		string						Physical Table Only
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					Netflow sources support aggregation, and the EventCount field should be set to the value of the Netflow FLOWS field. For other sources, the value is typically set to `1`.	Schema
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (8) Deny, Drop, Drop ICMP, Reset, Reset Source, Reset Destination, Failure, Success				If the source device does not provide an event result, EventResult should be based on the value of DvcAction. If DvcAction is `Deny`, `Drop`, `Drop ICMP`, `Reset`, `Reset Source`, or `Reset Destination` , EventResult should be `Failure`. Otherwise, EventResult should be `Success`	Schema
EventResultDetails	Recommended	string	Enumerated Values (12) Failover, Invalid TCP, Invalid Tunnel, Maximum Retry, Reset, Routing issue, Simulation, Terminated, Timeout, Transient error, Unknown, NA				Reason or details for the result reported in the EventResult field. The original, source specific, value is stored in the EventOriginalResultDetails field	Schema
EventSchema	Mandatory	string	Enumerated Values (1) NetworkSession				The name of the schema documented here is `NetworkSession`	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.2.7`.	Schema
EventSeverity	Optional	string	Enumerated Values (8) Deny, Drop, Drop ICMP, Reset, Reset Source, Reset Destination, Low, Informational				If the source device does not provide an event severity, EventSeverity should be based on the value of DvcAction. If DvcAction is `Deny`, `Drop`, `Drop ICMP`, `Reset`, `Reset Source`, or `Reset Destination` , EventSeverity should be `Low`. Otherwise, EventSeverity should be `Informational`	Schema
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated Values (2) Start, End				Additional description of the event type, if applicable. For Network Session records, This is field is not relevant for `Flow` events	Schema
EventType	Mandatory	string	Enumerated Values (5) EndpointNetworkSession, NetworkSession, L2NetworkSession, IDS, Flow				Describes the scenario reported by the record. For Network Session records, the allowed values are: - `EndpointNetworkSession` - `NetworkSession` - `L2NetworkSession` - `IDS` - `Flow` For more information on event types, refer to the schema overview	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
Hostname	Alias					Either of DstHostname, RemoteHostname, SrcHostName, NetworkDirection	If the event type is `NetworkSession`, `Flow` or `L2NetworkSession`, Hostname is an - If the event type is `EndpointNetworkSession`, Hostname is an , which can alias either DstHostname or SrcHostName, depending on NetworkDirection	Schema
InnerVlanId	Alias			Device	Src	SrcVlanId	In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that SrcVlanId should be used when the VLAN is characterized as inner	Schema
IpAddr	Alias					Either of SrcIpAddr, LocalIpAddr, DstIpAddr, NetworkDirection	If the event type is `NetworkSession`, `Flow` or `L2NetworkSession`, IpAddr is an - If the event type is `EndpointNetworkSession`, IpAddr is an , which can alias either SrcIpAddr or DstIpAddr, depending on NetworkDirection	Schema
NetworkApplicationProtocol	Optional	string					The application layer protocol used by the connection or session. The value should be in all uppercase. (e.g. FTP)	Schema
NetworkBytes	Optional	long					Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes should be the sum over all aggregated sessions. (e.g. 78991)	Schema
NetworkConnectionHistory	Optional	string					TCP flags and other potential IP header information.	Schema
NetworkDirection	Optional	string	Enumerated Values (5) Inbound, Outbound, Local, External, NA				The direction of the connection or session: - For the EventType `NetworkSession`, `Flow` or `L2NetworkSession`, NetworkDirection represents the direction relative to the organization or cloud environment boundary. - For the EventType `EndpointNetworkSession`, NetworkDirection represents the direction relative to the endpoint	Schema
NetworkDuration	Optional	int					The amount of time, in milliseconds, for the completion of the network session or connection. (e.g. 1500)	Schema
NetworkIcmpCode	Optional	int					For an ICMP message, the ICMP code number as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.	Schema
NetworkIcmpType	Optional	string					For an ICMP message, ICMP type name associated with the numerical value, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections. (e.g. Destination Unreachable for NetworkIcmpCode 3)	Schema
NetworkPackets	Optional	long					The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, PacketsTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets should be the sum over all aggregated sessions. (e.g. 6924)	Schema
NetworkProtocol	Optional	string	Enumerated				The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically `TCP`, `UDP`, or `ICMP`. (e.g. TCP)	Schema
NetworkProtocolVersion	Optional	string	Enumerated Values (1) IPv4				The version of NetworkProtocol. When using it to distinguish between IP version, use the values `IPv4` and `IPv6`	Schema
NetworkRuleName	Optional	string					The name or ID of the rule by which DvcAction was decided upon. (e.g. AnyAnyDrop)	Schema
NetworkRuleNumber	Optional	int					The number of the rule by which DvcAction was decided upon. (e.g. 23)	Schema
NetworkSessionId	Optional	string					The session identifier as reported by the reporting device. (e.g. 172\_12\_53\_32\_4322\_\_123\_64\_207\_1\_80)	Schema
OuterVlanId	Alias			Device	Dst	DstVlanId	In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that DstVlanId should be used when the VLAN is characterized as outer	Schema
Process	Alias			Application	Dst	DstProcessName	(e.g. C:\Windows\System32\rundll32.exe)	Schema
Rule	Alias	string				Either of NetworkRuleName, NetworkRuleNumber	Either the value of NetworkRuleName or the value of NetworkRuleNumber. If the value of NetworkRuleNumber is used, the type should be converted to string	Schema
SessionId	Alias	string				NetworkSessionId		Schema
Src	Alias			Device	Src	Either of SrcDvcId, SrcHostname, SrcIpAddr	A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Schema
SrcAppId	Optional	string		Application	Src		The ID of the source application, as reported by the reporting device. If SrcAppType is `Process`, `SrcAppId` and `SrcProcessId` should have the same value. (e.g. 124)	Schema
SrcAppName	Optional	string		Application	Src		The name of the source application. (e.g. filezilla.exe)	Schema
SrcAppType	Optional	string	AppType Values (7) Process, Service, Resource, URL, SaaS application, CSP, Other	Application	Src		The type of the source application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if SrcAppName or SrcAppId are used.	Schema
SrcBytes	Recommended	long		Device	Src		The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes should be the sum over all aggregated sessions. (e.g. 46536)	Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Schema
SrcDNUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcDomain	Recommended	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Src	SrcDomain	The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if SrcDomain is used.	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields `SrcDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Src	SrcDvcId	The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article.	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		The region associated with the source IP address. (e.g. Vermont)	Schema
SrcHostname	Recommended	string	Hostname	Device	Src		The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcInterfaceGuid	Optional	string	GUID	Device	Src		The GUID of the network interface used on the source device. (e.g. 46ad544b-eaf0-47ef- 827c-266030f545a6)	Schema
SrcInterfaceName	Optional	string		Device	Src		The network interface used for the connection or session by the source device. (e.g. eth01)	Schema
SrcIpAddr	Recommended	string	IP address	Device	Src		The IP address from which the connection or session originated. This value is mandatory if SrcHostname is specified. If the session uses network address translation, `SrcIpAddr` is the publicly visible address, and not the original address of the source, which is stored in SrcNatIpAddr (e.g. 77.138.103.108)	Schema
SrcMacAddr	Optional	string	MAC Address	Device	Src		The MAC address of the network interface from which the connection or session originated. (e.g. 06:10:9f:eb:8f:14)	Schema
SrcNatIpAddr	Optional	string	IP address	Device	Intermediary		The SrcNatIpAddr represents either of: - The original address of the source device if network address translation was used. - The IP address used by the intermediary device for communication with the destination. (e.g. 4.3.2.1)	Schema
SrcNatPortNumber	Optional	int		Device	Intermediary		If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination. (e.g. 345)	Schema
SrcOriginalUserType	Optional	string		User	Src		The original destination user type, if provided by the reporting device.	Schema
SrcPackets	Optional	long		Device	Src		The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets should be the sum over all aggregated sessions. (e.g. 6478)	Schema
SrcPortNumber	Optional	int		Device	Src		The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. (e.g. 2335)	Schema
SrcProcessGuid	Optional	string		Application	Src		A generated unique identifier (GUID) of the process that initiated the network session. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
SrcProcessId	Optional	string		Application	Src		The process ID (PID) of the process that initiated the network session. (e.g. 48610176)	Schema
SrcProcessName	Optional	string		Application	Src		The file name of the process that initiated the network session. This name is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Schema
SrcSimpleUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcSubscriptionId		string						Physical Table Only
SrcUserAadId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserAADTenant	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSAccount	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserId	Optional	string		User	Src		A machine-readable, alphanumeric, unique representation of the source user. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Schema
SrcUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Src	SrcUserId	The type of the ID stored in the SrcUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.	Schema
SrcUsername	Optional	string	Username	User	Src		The source username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the SrcUsernameType field. If other username formats are available, store them in the fields `SrcUsername`. (e.g. AlbertE)	Schema
SrcUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Src	SrcUsername	Specifies the type of the username stored in the SrcUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. (e.g. Windows)	Schema
SrcUserOktaId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserPuid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserScope	Optional	string		User	Src		The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
SrcUserScopeId	Optional	string		User	Src		The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
SrcUserSid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Src		The type of source user. For a list of allowed values and further information, refer to UserType in the Schema Overview article.	Schema
SrcUserUid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserUPN	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcVlanId	Optional	string		Device	Src		The VLAN ID related to the source device. (e.g. 130)	Schema
SrcWindowsUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcZone	Optional	string		Device	Src		The network zone of the source, as defined by the reporting device. (e.g. Internet)	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TcpFlagsAck	Optional	boolean					The TCP ACK Flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK and a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet.	Schema
TcpFlagsCwr	Optional	boolean					The TCP CWR Flag reported. The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details.	Schema
TcpFlagsEce	Optional	boolean					The TCP ECE Flag reported. This flag is responsible for indicating if the TCP peer is ECN capable. See RFC 3168 for more details.	Schema
TcpFlagsFin	Optional	boolean					The TCP FIN Flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender.	Schema
TcpFlagsNs	Optional	boolean					The TCP NS Flag reported. The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See RFC 3540 for more details	Schema
TcpFlagsPsh	Optional	boolean					The TCP PSH Flag reported. The push flag is similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.	Schema
TcpFlagsRst	Optional	boolean					The TCP RST Flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it.	Schema
TcpFlagsSyn	Optional	boolean					The TCP SYN Flag reported. The synchronization flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set.	Schema
TcpFlagsUrg	Optional	boolean					The TCP URG Flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.	Schema
ThreatCategory	Optional	string					The category of the threat or malware identified in the network session. (e.g. Trojan)	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Conditional	string	Enumerated Values (2) SrcIpAddr, DstIpAddr				The field for which a threat was identified. The value is either `SrcIpAddr` or `DstIpAddr`	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the network session. (e.g. Tr.124)	Schema
ThreatIpAddr	Optional	string	IP Address				An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the network session. (e.g. EICAR Test File)	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the session. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias			User	Dst	DstUsername		Schema

Parser	Version	Product	Tables	Solutions

ASimNetworkSessionAppGateSDP	0.2.0	AppGate SDP	Syslog	Syslog
ASimNetworkSessionAWSVPC	0.3	AWS VPC	AWSVPCFlow	AWS VPC Flow Logs
ASimNetworkSessionAzureFirewall	0.2.0	Azure Firewall	AZFWIdpsSignature, AZFWNatRule, AZFWNetworkRule, AZFWThreatIntel, AzureDiagnostics	Azure Firewall
ASimNetworkSessionAzureNSG	0.1.1	Azure NSG flows	AzureNetworkAnalytics_CL
ASimNetworkSessionBarracudaCEF	0.2.1	Barracuda WAF	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionBarracudaWAF	0.2.1	Barracuda WAF	barracuda_CL
ASimNetworkSessionCheckPointFirewall	1.2.0	CheckPointFirewall	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionCheckPointSmartDefense	0.1.0	CheckPointSmartDefense	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionCiscoASA	1.1.0	CiscoASA	CommonSecurityLog	CiscoASA, Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionCiscoFirepower	0.1.0	Cisco Firepower	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionCiscoISE	1.1.0	Cisco ISE	Syslog	Syslog
ASimNetworkSessionCiscoMeraki	1.2.2	Cisco Meraki	meraki_CL	CiscoMeraki, CustomLogsAma
ASimNetworkSessionCiscoMerakiSyslog	1.2.2	Cisco Meraki	Syslog	Syslog
ASimNetworkSessionCorelightZeek	0.2	Corelight Zeek	Corelight_CL	Corelight
ASimNetworkSessionCrowdStrikeFalconHost	0.1.0	CrowdStrike Falcon Endpoint Protection	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionForcePointFirewall	0.1	ForcePointFirewall	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionFortinetFortiGate	0.6.0	Fortinet FortiGate	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionIllumioSaaSCore	0.1.0	Illumio SaaS Core	Illumio_Flow_Events_CL	IllumioSaaS
ASimNetworkSessionLinuxSysmon	0.3.1	Sysmon for Linux	Syslog	Syslog
ASimNetworkSessionMD4IoTAgent	0.2.1	Microsoft Defender for IoT	SecurityIoTRawEvent
ASimNetworkSessionMD4IoTSensor	0.1	Microsoft Defender for IoT
ASimNetworkSessionMicrosoft365Defender	0.4	M365 Defender for Endpoint	DeviceNetworkEvents
ASimNetworkSessionMicrosoftSecurityEventFirewall	0.5.0	Windows Firewall	Event, SecurityEvent	Microsoft Exchange Security - Exchange On-Premises, Windows Security Events
ASimNetworkSessionMicrosoftSysmon	0.2.0	Windows Sysmon	Event
ASimNetworkSessionMicrosoftSysmonWindowsEvent	0.2.1	Windows Sysmon	WindowsEvent	Windows Forwarded Events
ASimNetworkSessionMicrosoftWindowsEventFirewall	0.5.0	Windows Firewall	WindowsEvent	Windows Forwarded Events
ASimNetworkSessionNative	0.3	Native	ASimNetworkSessionLogs	Cisco Meraki Events via REST API, SynqlyIntegrationConnector, VMware Carbon Black Cloud
ASimNetworkSessionNTANetAnalytics	0.1.1	Azure NTANetAnalytics	NTANetAnalytics
ASimNetworkSessionPaloAltoCEF	0.7.1	Palo Alto PanOS	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionPaloAltoCortexDataLake	0.1.1	Palo Alto Cortex Data Lake	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionSentinelOne	0.1.0	SentinelOne	SentinelOne_CL
ASimNetworkSessionSonicWallFirewall	0.1.0	SonicWall	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimNetworkSessionVectraAI	0.2	Vectra AI Streams	VectraStream_CL	CustomLogsAma, Vectra AI Stream
ASimNetworkSessionVMConnection	0.2.1	VMConnection	VMConnection
ASimNetworkSessionVMwareCarbonBlackCloud	0.1.1	VMware Carbon Black Cloud	CarbonBlackEvents_CL, CarbonBlackNotifications_CL
ASimNetworkSessionWatchGuardFirewareOS	0.1.4	WatchGuard Fireware OS	Syslog	Syslog
ASimNetworkSessionZscalerZIA	0.4	Zscaler ZIA Firewall	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActingProcessCommandLine	Optional	string		Process	Acting		The command line used to run the acting process. (e.g. "choco.exe" -v)	Schema
ActingProcessCreationTime	Optional	datetime		Process	Acting		The date and time when the acting process was started.	Schema
ActingProcessFileCompany	Optional	string		Process	Acting		The company that created the acting process image file. (e.g. Microsoft)	Schema
ActingProcessFileDescription	Optional	string		Process	Acting		The description embedded in the version information of the acting process image file. (e.g. Notepad++ : a free (GPL) source code editor)	Schema
ActingProcessFileInternalName	Optional	string		Process	Acting		The product internal file name from the version information of the acting process image file.	Schema
ActingProcessFilename	Optional	string		Process	Acting		The file name part of the `ActingProcessName`, without folder information. (e.g. explorer.exe)	Schema
ActingProcessFileOriginalName	Optional	string		Process	Acting		The product original file name from the version information of the acting process image file. (e.g. Notepad++.exe)	Schema
ActingProcessFileProduct	Optional	string		Process	Acting		The product name from the version information in the acting process image file. (e.g. Notepad++)	Schema
ActingProcessFileSize	Optional	long		Process	Acting		The size of the file that ran the acting process.	Schema
ActingProcessFileVersion	Optional	string		Process	Acting		The product version from the version information of the acting process image file. (e.g. 7.9.5.0)	Schema
ActingProcessGuid	Optional	string	GUID	Process	Acting		A generated unique identifier (GUID) of the acting process. Enables identifying the process across systems. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
ActingProcessId	Mandatory	string		Process	Acting		The process ID (PID) of the acting process. (e.g. 48610176)	Schema
ActingProcessIMPHASH	Optional	string		Process	Acting		The Import Hash of all the library DLLs that are used by the acting process.	Schema
ActingProcessInjectedAddress	Optional	string		Process	Acting		The memory address in which the responsible acting process is stored.	Schema
ActingProcessIntegrityLevel	Optional	string		Process	Acting		Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. Windows defines the following integrity levels: low, medium, high, and system. Standard users receive a medium integrity level and elevated users receive a high integrity level. For more information, see Mandatory Integrity Control - Win32 apps.	Schema
ActingProcessIsHidden	Optional	boolean		Process	Acting		An indication of whether the acting process is in hidden mode.	Schema
ActingProcessMD5	Optional	string		Process	Acting		The MD5 hash of the acting process image file. (e.g. 75a599802f1fa166cdadb360960b1dd0)	Schema
ActingProcessName	Optional	string		Process	Acting		The name of the acting process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space. (e.g. C:\Windows\explorer.exe)	Schema
ActingProcessSHA1	Optional	string	SHA1	Process	Acting		The SHA-1 hash of the acting process image file. (e.g. d55c5a4df19b46db8c54c801c4665d3338acdab0)	Schema
ActingProcessSHA256	Optional	string	SHA256	Process	Acting		The SHA-256 hash of the acting process image file. (e.g. e81bb824c4a09a811af17deae22f22dd 2e1ec8cbb00b22629d2899f7c68da274)	Schema
ActingProcessSHA512	Optional	string	SHA512	Process	Acting		The SHA-512 hash of the acting process image file.	Schema
ActingProcessTokenElevation	Optional	string		Process	Acting		A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the acting process. (e.g. None)	Schema
ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorOriginalUserType	Optional	string		User	Actor		The original destination user type, if provided by the reporting device.	Schema
ActorScope	Optional	string		User	Actor		The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
ActorScopeId	Optional	string		User	Actor		The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
ActorSessionId	Optional	string		User	Actor		The unique ID of the login session of the Actor. (e.g. 999)	Schema
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAADTenant	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSAccount	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserId	Recommended	string		User	Actor		A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Schema
ActorUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Actor	ActorUserId	The type of the ID stored in the ActorUserId field. For a list of allowed values and further information refer to UserIdType in the Schema Overview article.	Schema
ActorUsername	Mandatory	string	Username	User	Actor		The Actor username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the ActorUsernameType field. If other username formats are available, store them in the fields `ActorUsername`. (e.g. AlbertE)	Schema
ActorUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Actor	ActorUsername	Specifies the type of the user name stored in the ActorUsername field. For a list of allowed values and further information refer to UsernameType in the Schema Overview article. (e.g. Windows)	Schema
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Actor		The type of Actor. For a list of allowed values and further information refer to UserType in the Schema Overview article.	Schema
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
CommandLine	Alias					TargetProcessCommandLine		Schema
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Recommended	string	Enumerated				Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. (e.g. NXDOMAIN)	Common
EventSchema	Mandatory	string	Enumerated Values (1) ProcessEvent				The name of the schema documented here is `ProcessEvent`.	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.1.4`	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated				Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field	Common
EventType	Mandatory	string	Enumerated Values (2) ProcessCreated, ProcessTerminated				Describes the operation reported by the record. For Process records	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
Hash	Alias					Either of ActingProcessSHA1, ActingProcessSHA256, ActingProcessSHA512, ParentProcessMD5, ParentProcessSHA1, ParentProcessSHA256, ParentProcessSHA512, TargetProcessMD5, TargetProcessSHA1, TargetProcessSHA256, TargetProcessSHA512	Alias to the best available hash for the target process	Schema
HashType	Conditional	string	Enumerated Values (5) MD5, SHA, SHA256, SHA512, IMPHASH	Process	Target	HASH	The type of hash stored in the HASH alias field, allowed values are `MD5`, `SHA`, `SHA256`, `SHA512` and `IMPHASH`	Schema
ParentProcessCreationTime	Optional	datetime		Process	Parent		The date and time when the parent process was started.	Schema
ParentProcessFileCompany	Optional	string		Process	Parent		The name of the company that created the parent process image file. (e.g. Microsoft)	Schema
ParentProcessFileDescription	Optional	string		Process	Parent		The description from the version information in the parent process image file. (e.g. Notepad++ : a free (GPL) source code editor)	Schema
ParentProcessFileProduct	Optional	string		Process	Parent		The product name from the version information in parent process image file. (e.g. Notepad++)	Schema
ParentProcessFileVersion	Optional	string		Process	Parent		The product version from the version information in parent process image file. (e.g. 7.9.5.0)	Schema
ParentProcessGuid	Optional	string		Process	Parent		A generated unique identifier (GUID) of the parent process. Enables identifying the process across systems. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
ParentProcessId	Recommended	string		Process	Parent		The process ID (PID) of the parent process. (e.g. 48610176)	Schema
ParentProcessIMPHASH	Optional	string		Process	Parent		The Import Hash of all the library DLLs that are used by the parent process.	Schema
ParentProcessInjectedAddress	Optional	string		Process	Parent		The memory address in which the responsible parent process is stored.	Schema
ParentProcessIntegrityLevel	Optional	string		Process	Parent		Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. Windows defines the following integrity levels: low, medium, high, and system. Standard users receive a medium integrity level and elevated users receive a high integrity level. For more information, see Mandatory Integrity Control - Win32 apps.	Schema
ParentProcessIsHidden	Optional	boolean		Process	Parent		An indication of whether the parent process is in hidden mode.	Schema
ParentProcessMD5	Optional	string	MD5	Process	Parent		The MD5 hash of the parent process image file. (e.g. 75a599802f1fa166cdadb360960b1dd0)	Schema
ParentProcessName	Optional	string		Process	Parent		The name of the parent process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space. (e.g. C:\Windows\explorer.exe)	Schema
ParentProcessSHA1	Optional	string	SHA1	Process	Parent		The SHA-1 hash of the parent process image file. (e.g. d55c5a4df19b46db8c54c801c4665d3338acdab0)	Schema
ParentProcessSHA256	Optional	string	SHA256	Process	Parent		The SHA-256 hash of the parent process image file. (e.g. e81bb824c4a09a811af17deae22f22dd 2e1ec8cbb00b22629d2899f7c68da274)	Schema
ParentProcessSHA512	Optional	string	SHA512	Process	Parent		The SHA-512 hash of the parent process image file.	Schema
ParentProcessTokenElevation	Optional	string		Process	Parent		A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the parent process. (e.g. None)	Schema
Process	Alias					TargetProcessName	(e.g. C:\Windows\System32\rundll32.exe)	Schema
Rule	Conditional	string					Either the value of kRuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.	Schema
RuleName	Optional	string					The name or ID of the rule by associated with the inspection results.	Schema
RuleNumber	Optional	int					The number of the rule associated with the inspection results.	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetOriginalUserType	Optional	string		User	Target		The original destination user type, if provided by the reporting device.	Schema
TargetProcessCommandLine	Mandatory	string		Process	Target		The command line used to run the target process. (e.g. "choco.exe" -v)	Schema
TargetProcessCreationTime	Recommended	datetime		Process	Target		The product version from the version information of the target process image file.	Schema
TargetProcessCurrentDirectory	Optional	string		Process	Target		The current directory in which the target process is executed. (e.g. c:\windows\system32)	Schema
TargetProcessFileCompany	Optional	string		Process	Target		The name of the company that created the target process image file. (e.g. Microsoft)	Schema
TargetProcessFileDescription	Optional	string		Process	Target		The description from the version information in the target process image file. (e.g. Notepad++ : a free (GPL) source code editor)	Schema
TargetProcessFileInternalName	Optional	string		Process	Target		The product internal file name from the version information of the image file of the target process.	Schema
TargetProcessFilename	Optional	string		Process	Target		The file name part of the `TargetProcessName`, without folder information. (e.g. explorer.exe)	Schema
TargetProcessFileOriginalName	Optional	string		Process	Target		The product original file name from the version information of the image file of the target process.	Schema
TargetProcessFileProduct	Optional	string		Process	Target		The product name from the version information in target process image file. (e.g. Notepad++)	Schema
TargetProcessFileSize	Optional	long		Process	Target		Size of the file that ran the process responsible for the event.	Schema
TargetProcessFileVersion	Optional	string		Process	Target		The product version from the version information in the target process image file. (e.g. 7.9.5.0)	Schema
TargetProcessGuid	Optional	string	GUID	Process	Target		A generated unique identifier (GUID) of the target process. Enables identifying the process across systems. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
TargetProcessId	Mandatory	string		Process	Target		The process ID (PID) of the target process. (e.g. 48610176)	Schema
TargetProcessIMPHASH	Optional	string		Process	Target		The Import Hash of all the library DLLs that are used by the target process.	Schema
TargetProcessInjectedAddress	Optional	string		Process	Target		The memory address in which the responsible target process is stored.	Schema
TargetProcessIntegrityLevel	Optional	string		Process	Target		Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. Windows defines the following integrity levels: low, medium, high, and system. Standard users receive a medium integrity level and elevated users receive a high integrity level. For more information, see Mandatory Integrity Control - Win32 apps.	Schema
TargetProcessIsHidden	Optional	boolean		Process	Target		An indication of whether the target process is in hidden mode.	Schema
TargetProcessMD5	Optional	string	MD5	Process	Target		The MD5 hash of the target process image file. (e.g. 75a599802f1fa166cdadb360960b1dd0)	Schema
TargetProcessName	Mandatory	string		Process	Target		The name of the target process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space. (e.g. C:\Windows\explorer.exe)	Schema
TargetProcessSHA1	Optional	string	SHA1	Process	Target		The SHA-1 hash of the target process image file. (e.g. d55c5a4df19b46db8c54c801c4665d3338acdab0)	Schema
TargetProcessSHA256	Optional	string	SHA256	Process	Target		The SHA-256 hash of the target process image file. (e.g. e81bb824c4a09a811af17deae22f22dd 2e1ec8cbb00b22629d2899f7c68da274)	Schema
TargetProcessSHA512	Optional	string	SHA512	Process	Target		The SHA-512 hash of the target process image file.	Schema
TargetProcessStatusCode	Optional	string		Process	Target		The exit code returned by the target process when terminated. This field is valid only for process termination events. For consistency, the field type is string, even if value provided by the operating system is numeric.	Schema
TargetProcessTokenElevation	Optional	string		Process	Target		Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that was created or terminated. (e.g. None)	Schema
TargetScope		string						Physical Table Only
TargetScopeId		string						Physical Table Only
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAADTenant	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSAccount	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserId	Recommended	string		User	Target		A machine-readable, alphanumeric, unique representation of the target user. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Schema
TargetUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Target	TargetUserId	The type of the ID stored in the TargetUserId field. For a list of allowed values and further information refer to UserIdType in the Schema Overview article.	Schema
TargetUsername	Mandatory	string		User	Target		The source username, including domain information when available. Use the simple form only if domain information isn't available. Store the Username type in the UsernameType field.	Entity Extension
TargetUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Target	TargetUsername	Specifies the type of the user name stored in the TargetUsername field. For a list of allowed values and further information refer to UsernameType in the Schema Overview article. (e.g. Windows)	Schema
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserScope	Optional	string		User	Target		The scope, such as Microsoft Entra tenant, in which TargetUserId and TargetUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
TargetUserScopeId	Optional	string		User	Target		The scope ID, such as Microsoft Entra Directory ID, in which TargetUserId and TargetUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
TargetUserSessionGuid	Optional	string		User	Target		The unique GUID of the target user's login session, as reported by the reporting device. (e.g. {12345678-1234-1234-1234-123456789012})	Schema
TargetUserSessionId	Optional	string		User	Target		The unique ID of the target user's login session. (e.g. 999)	Schema
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Target		The type of Actor. For a list of allowed values and further information refer to UserType in the Schema Overview article.	Schema
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Optional	string					The category of the threat or malware identified in the file activity. (e.g. Trojan)	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Optional	string					The field for which a threat was identified.	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the file activity.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the file activity. (e.g. EICAR Test File)	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the identified threat. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias					TargetUsername	(e.g. CONTOSO\dadmin)	Schema

Parser	Version	Product	Tables	Solutions

ASimProcessCreateLinuxSysmon	0.2.1	Sysmon for Linux	Syslog	Syslog
ASimProcessCreateMicrosoftSecurityEvents	0.1.1	Security Events	SecurityEvent	Windows Security Events
ASimProcessCreateMicrosoftWindowsEvents	0.3.0	Security Events	WindowsEvent	Windows Forwarded Events
ASimProcessCreateSentinelOne	0.1.0	SentinelOne	SentinelOne_CL
ASimProcessCreateTrendMicroVisionOne	0.1.0	Trend Micro Vision One	TrendMicro_XDR_OAT_CL	Trend Micro Vision One
ASimProcessCreateVMwareCarbonBlackCloud	0.1.1	VMware Carbon Black Cloud	CarbonBlackEvents_CL, CarbonBlackNotifications_CL
ASimProcessEventCreateMicrosoftSysmon	0.4.1	Sysmon	Event
ASimProcessEventCreateMicrosoftSysmonWindowsEvent	0.4.1	Sysmon	WindowsEvent	Windows Forwarded Events
ASimProcessEventMD4IoT	0.1.1	Microsoft Defender for IoT	SecurityIoTRawEvent
ASimProcessEventMicrosoft365D	0.3.0	Microsoft 365 Defender for endpoint	DeviceProcessEvents
ASimProcessEventNative	0.1.0	Native	ASimProcessEventLogs	SynqlyIntegrationConnector, VMware Carbon Black Cloud
ASimProcessEventTerminateMicrosoftSysmon	0.3.1	Microsoft Windows Events Sysmon	Event
ASimProcessEventTerminateMicrosoftSysmonWindowsEvent	0.4.1	Microsoft Windows Events Sysmon	WindowsEvent	Windows Forwarded Events
ASimProcessTerminateLinuxSysmon	0.1.1	Sysmon for Linux	Syslog	Syslog
ASimProcessTerminateMicrosoftSecurityEvents	0.2	Security Events	SecurityEvent	Windows Security Events
ASimProcessTerminateMicrosoftWindowsEvents	0.2	Security Events	WindowsEvent	Windows Forwarded Events
ASimProcessTerminateVMwareCarbonBlackCloud	0.1.0	VMware Carbon Black Cloud	CarbonBlackEvents_CL

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActingProcessCommandLine		string						Physical Table Only
ActingProcessGuid	Optional	string	GUID	Process	Acting		A generated unique identifier (GUID) of the acting process. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
ActingProcessId	Mandatory	string		Process	Acting		The process ID (PID) of the acting process. (e.g. 48610176)	Schema
ActingProcessName	Optional	string		Process	Acting		The file name of the acting process image file. This name is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Schema
ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorOriginalUserType	Optional	string		User	Actor		The original destination user type, if provided by the reporting device.	Entity Extension
ActorScope	Optional	string		User	Actor		The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
ActorScopeId		string						Physical Table Only
ActorSessionId	Optional	string		User	Actor		The unique ID of the login session of the Actor. (e.g. 999)	Schema
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAADTenant	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSAccount	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserId	Recommended	string		User	Actor		A unique ID of the Actor. The specific ID depends on the system generating the event. For more information, see The User entity. (e.g. S-1-5-18)	Schema
ActorUserIdType	Conditional	string	Enumerated	User	Actor	ActorUserId	The type of the ID stored in the ActorUserId field. For more information, see The User entity. (e.g. SID)	Schema
ActorUsername	Mandatory	string	Username	User	Actor		The user name of the user who initiated the event. (e.g. CONTOSO\WIN-GG82ULGC9GO$)	Schema
ActorUsernameType	Conditional	string	Enumerated	User	Actor	ActorUsername	Specifies the type of the user name stored in the ActorUsername field. For more information, see The User entity. (e.g. Windows)	Schema
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserScopeId	Optional	string		User	Actor		The ID of the scope in which UserId and Username are defined. (e.g. a Microsoft Entra tenant directory ID. The [UserIdType](#useridtype) field represents also the type of the associated with this field)	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Actor		The type of source user. The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the OriginalUserType field	Entity Extension
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. (e.g. Success)	Common
EventResultDetails	Recommended	string	Enumerated				Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field. (e.g. NXDOMAIN)	Common
EventSchema	Mandatory	string	Enumerated Values (1) RegistryEvent				The name of the schema documented here is `RegistryEvent`.	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.1.3`	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated				Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field	Common
EventType	Mandatory	string	Enumerated Values (5) RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet				Describes the operation reported by the record. For Registry records	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
ParentProcessCommandLine		string						Physical Table Only
ParentProcessGuid	Optional	string		Process	Parent		A generated unique identifier (GUID) of the parent process. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Schema
ParentProcessId	Mandatory	string		Process	Parent		The process ID (PID) of the parent process. (e.g. 48610176)	Schema
ParentProcessName	Optional	string		Process	Parent		The file name of the parent process image file. This value is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Schema
Process	Alias					ActingProcessName	field. (e.g. C:\Windows\System32\rundll32.exe)	Schema
RegistryKey	Mandatory	string					The registry key associated with the operation, normalized to standard root key naming conventions. For more information, see Root Keys. Registry keys are similar to folders in file systems. For (e.g. HKEY_LOCAL_MACHINE\SOFTWARE\MTG)	Schema
RegistryPreviousKey	Recommended	string					For operations that modify the registry, the original registry key, normalized to standard root key naming. For more information, see Root Keys. (e.g. HKEY_LOCAL_MACHINE\SOFTWARE\MTG)	Schema
RegistryPreviousValue	Recommended	string					For operations that modify the registry, the original value type, normalized to the standard form. For more information, see Value Types. If the type was not changed, this field has the same value as the RegistryValueType field. (e.g. Path)	Schema
RegistryPreviousValueData	Recommended	string					The original registry data, for operations that modify the registry. (e.g. C:\Windows\system32;C:\Windows;)	Schema
RegistryPreviousValueType	Recommended	string					For operations that modify the registry, the original value type. If the type was not changed, this field will have the same value as the RegistryValueType field, normalized to the standard form. For more information, see Value types. (e.g. Reg_Expand_Sz)	Schema
RegistryValue	Recommended	string					The registry value associated with the operation. Registry values are similar to files in file systems. For (e.g. Path)	Schema
RegistryValueData	Recommended	string					The data stored in the registry value. (e.g. C:\Windows\system32;C:\Windows;)	Schema
RegistryValueType	Recommended	string					The type of registry value, normalized to standard form. For more information, see Value Types. For (e.g. Reg_Expand_Sz)	Schema
Rule	Conditional	string					Either the value of kRuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.	Schema
RuleName	Optional	string					The name or ID of the rule by associated with the inspection results.	Schema
RuleNumber	Optional	int					The number of the rule associated with the inspection results.	Schema
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Optional	string					The category of the threat or malware identified in the file activity. (e.g. Trojan)	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Optional	string					The field for which a threat was identified.	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the file activity.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the file activity. (e.g. EICAR Test File)	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the identified threat. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
User	Alias					ActorUsername	field. (e.g. CONTOSO\ dadmin)	Schema

Parser	Version	Product	Tables	Solutions

ASimRegistryEventMicrosoft365D	0.1.3	Microsoft 365 Defender for Endpoint	DeviceRegistryEvents	Microsoft Defender XDR
ASimRegistryEventMicrosoftSecurityEvent	0.3.1	Security Events	SecurityEvent	Windows Security Events
ASimRegistryEventMicrosoftSysmon	0.3.1	Microsoft Sysmon	Event
ASimRegistryEventMicrosoftSysmonWindowsEvent	0.3.1	Microsoft Sysmon	WindowsEvent	Windows Forwarded Events
ASimRegistryEventMicrosoftWindowsEvent	0.2.1	Security Events	WindowsEvent	Windows Forwarded Events
ASimRegistryEventNative	0.1.0	Native	ASimRegistryEventLogs	SynqlyIntegrationConnector, VMware Carbon Black Cloud
ASimRegistryEventSentinelOne	0.1.0	SentinelOne	SentinelOne_CL
ASimRegistryEventTrendMicroVisionOne	0.1.0	Trend Micro Vision One	TrendMicro_XDR_OAT_CL	Trend Micro Vision One
ASimRegistryEventVMwareCarbonBlackCloud	0.1.1	VMware Carbon Black Cloud	CarbonBlackEvents_CL

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActingAppId	Optional	string		Application	Acting		The ID of the application used by the actor to perform the activity, including a process, browser, or service. For (e.g. 0x12ae8)	Schema
ActingAppName	Optional	string		Application	Acting		The name of the application used by the actor to perform the activity, including a process, browser, or service. For (e.g. C:\Windows\System32\svchost.exe)	Schema
ActingAppType	Optional	string	Enumerated Values (4) Process, Browser, Resource, Other	Application	Acting		The type of acting application	Schema
ActingOriginalAppType	Optional	string		Application	Acting		The type of the application that initiated the activity as reported by the reporting device.	Schema
ActingProcessGuid	Optional	string		Application	Acting		A generated unique identifier (GUID) of the process used by the application. (e.g. 01234567-89AB-CDEF-0123-456789ABCDEF)	Entity Extension
ActingProcessId	Optional	string		Application	Acting		The process ID (PID) of the process the application is using. (e.g. 48610176)	Entity Extension
ActingProcessName	Optional	string		Application	Acting		The file name of the process used by the application. (e.g. C:\Windows\explorer.exe)	Entity Extension
ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorOriginalUserType	Optional	string		User	Actor		The original destination user type, if provided by the reporting device.	Schema
ActorScope	Optional	string		User	Actor		The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
ActorScopeId	Optional	string		User	Actor		The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
ActorSessionId	Optional	string		User	Actor		The unique ID of the login session of the Actor. (e.g. 999)	Schema
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAADTenant	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSAccount	Optional	string		User	Actor		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserId	Optional	string		User	Actor		A machine-readable, alphanumeric, unique representation of the Actor. Supported formats and types include: - SID (Windows): `S-1-5-21-1377283216-344919071-3415362939-500` - UID (Linux): `4578` - AADID (Microsoft Entra ID): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa` - OktaId: `00urjk4znu3BcncfY0h7` - AWSId: `72643944673` Store the ID type in the ActorUserIdType field. If other IDs are available, we recommend that you normalize the field names to ActorUserSid, ActorUserUid, ActorUserAadId, ActorUserOktaId, and ActorAwsId, respectively. For more information, see The User entity. (e.g. S-1-12)	Schema
ActorUserIdType	Conditional	string	Enumerated Values (5) SID, UID, AADID, OktaId, AWSId	User	Actor	ActorUserId	The type of the ID stored in the ActorUserId field	Schema
ActorUsername	Mandatory	string	Username	User	Actor		The Actor username, including domain information when available. Use one of the following formats and in the following order of priority: - Upn/Email: `johndow@contoso.com` - Windows: `Contoso\johndow` - DN: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM` - Simple: `johndow`. Use the Simple form only if domain information isn't available. Store the Username type in the ActorUsernameType field. If other IDs are available, we recommend that you normalize the field names to ActorUserUpn, ActorUserWindows, and ActorUserDn. For more information, see The User entity. (e.g. AlbertE)	Schema
ActorUsernameType	Conditional	string	Enumerated Values (4) UPN, Windows, DN, Simple	User	Actor	ActorUsername	Specifies the type of the username stored in the ActorUsername field. (e.g. Windows)	Schema
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserType	Optional	string	Enumerated Values (7) Regular, Machine, Admin, System, Application, Service Principal, Other	User	Actor		The type of the Actor. Allowed values are: - `Regular` - `Machine` - `Admin` - `System` - `Application` - `Service Principal` - `Other`	Schema
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (1) Success				While failure is possible, most systems report only successful user management events. The expected value for successful events is `Success`	Schema
EventResultDetails	Recommended	string	Enumerated Values (2) NotAuthorized, Other				The	Schema
EventSchema	Mandatory	string	Enumerated Values (1) UserManagement				The name of the schema documented here is `UserManagement`	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.1.2`.	Schema
EventSeverity	Mandatory	string	Enumerated Values (1) Informational				While any valid severity value is allowed, the severity of user management events is typically `Informational`	Schema
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated Values (5) UserRead, UserCreated, GroupCreated, UserModified, GroupModified				The following sub-types are supported: - `UserRead`: Password, Hash - `UserCreated`, `GroupCreated`, `UserModified`, `GroupModified`. For more information, see UpdatedPropertyName	Schema
EventType	Mandatory	string	Enumerated Values (17) UserCreated, UserDeleted, UserModified, UserLocked, UserUnlocked, UserDisabled, UserEnabled, PasswordChanged, PasswordReset, GroupCreated, GroupDeleted, GroupModified, UserAddedToGroup, UserRemovedFromGroup, GroupEnumerated, UserRead, GroupRead				Describes the operation reported by the record. For User Management activity, the	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
GroupId	Optional	string					A machine-readable, alphanumeric, unique representation of the group, for activities involving a group. Supported formats and types include: - SID (Windows): `S-1-5-21-1377283216-344919071-3415362939-500` - UID (Linux): `4578` Store the ID type in the GroupIdType field. If other IDs are available, we recommend that you normalize the field names to GroupSid or GroupUid, respectively. For more information, see The User entity. (e.g. S-1-12)	Schema
GroupIdType	Optional	string	Enumerated Values (2) SID, UID				The type of the ID stored in the GroupId field.	Schema
GroupName	Optional	string					The group name, including domain information when available, for activities involving a group. Use one of the following formats and in the following order of priority: - Upn/Email: `grp@contoso.com` - Windows: `Contoso\grp` - DN: `CN=grp,OU=Sales,DC=Fabrikam,DC=COM` - Simple: `grp`. Use the Simple form only if domain information isn't available. Store the group name type in the GroupNameType field. If other IDs are available, we recommend that you normalize the field names to GroupUpn, GroupNameWindows, and GroupDn. (e.g. Contoso\Finance)	Schema
GroupNameType	Optional	string	Enumerated Values (4) UPN, Windows, DN, Simple				Specifies the type of the group name stored in the GroupName field. (e.g. Windows)	Schema
GroupOriginalType	Optional	string					The original group type, if provided by the source.	Schema
GroupType	Optional	string	Enumerated Values (7) Local Distribution, Local Security Enabled, Global Distribution, Global Security Enabled, Universal Distribution, Universal Security Enabled, Other				The type of the group, for activities involving a group	Schema
Hostname	Alias					DvcHostname		Schema
HttpUserAgent	Optional	string		Application	Acting		When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication. For (e.g. Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1)	Schema
IpAddr	Alias			Device	Src	SrcIpAddr		Schema
NewPropertyValue	Optional	string					The new value stored in the specified property.	Schema
PreviousPropertyValue	Optional	string					The previous value that was stored in the specified property.	Schema
Rule	Conditional	string					Either the value of kRuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.	Schema
RuleName	Optional	string					The name or ID of the rule by associated with the inspection results.	Schema
RuleNumber	Optional	int					The number of the rule associated with the inspection results.	Schema
Src	Recommended	string		Device	Src		A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Schema
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Schema
SrcDeviceType	Optional	string	Enumerated Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. Possible values include: - `Computer` - `Mobile Device` - `IOT Device` - `Other`	Schema
SrcDomain	Recommended	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Schema
SrcDomainType	Recommended	string	Enumerated Values (3) Windows, contoso, FQDN	Device	Src		The type of SrcDomain, if known. Possible values include: - `Windows` (such as `contoso`) - `FQDN` (such as `microsoft.com`) Required if SrcDomain is used	Schema
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device as reported in the record. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Schema
SrcDvcIdType	Conditional	string	Enumerated Values (2) AzureResourceId, MDEid	Device	Src	SrcDvcId	The type of SrcDvcId, if known. Possible values include: - `AzureResourceId` - `MDEid` If multiple IDs are available, use the first one from the preceding list, and store the others in SrcDvcAzureResourceId and SrcDvcMDEid, respectively	Schema
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Schema
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Schema
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Schema
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Schema
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Schema
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Schema
SrcGeoRegion	Optional	string	Region	Device	Src		The region associated with the source IP address. (e.g. Vermont)	Schema
SrcHostname	Recommended	string		Device	Src		The source device hostname, excluding domain information. (e.g. DESKTOP-1282V4D)	Schema
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcIpAddr	Recommended	string	IP address	Device	Src		The IP address of the source device. This value is mandatory if SrcHostname is specified. (e.g. 77.138.103.108)	Schema
SrcMacAddr	Optional	string	MAC Address	Device	Src		The MAC address of the network interface from which the connection or session originated. (e.g. 06:10:9f:eb:8f:14)	Schema
SrcOriginalRiskLevel	Optional	string		Device	Src		The risk level associated with the source, as reported by the reporting device. (e.g. Suspicious)	Schema
SrcPortNumber	Optional	int		Device	Src		The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. (e.g. 2335)	Schema
SrcRiskLevel	Optional	int		Device	Src		The risk level associated with the source. The value should be adjusted to a range of `0` to `100`, with `0` for benign and `100` for a high risk. (e.g. 90)	Schema
SrcZone	Optional	string		Device	Src		The network on which the event occurred or which reported the event, depending on the schema. The reporting device defines the zone. (e.g. Dmz)	Entity Extension
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetOriginalUserType	Optional	string		User	Target		The original destination user type, if provided by the source.	Schema
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAADTenant	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSAccount	Optional	string		User	Target		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserId	Optional	string		User	Target		A machine-readable, alphanumeric, unique representation of the target user. Supported formats and types include: - SID (Windows): `S-1-5-21-1377283216-344919071-3415362939-500` - UID (Linux): `4578` - AADID (Microsoft Entra ID): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa` - OktaId: `00urjk4znu3BcncfY0h7` - AWSId: `72643944673` Store the ID type in the TargetUserIdType field. If other IDs are available, we recommend that you normalize the field names to TargetUserSid, TargetUserUid, TargetUserAADID, TargetUserOktaId, and TargetUserAwsId, respectively. For more information, see The User entity. (e.g. S-1-12)	Schema
TargetUserIdType	Conditional	string	Enumerated Values (5) SID, UID, AADID, OktaId, AWSId	User	Target	TargetUserId	The type of the ID stored in the TargetUserId field.	Schema
TargetUsername	Optional	string	Username	User	Target		The target username, including domain information when available. Use one of the following formats and in the following order of priority: - Upn/Email: `johndow@contoso.com` - Windows: `Contoso\johndow` - DN: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM` - Simple: `johndow`. Use the Simple form only if domain information isn't available. Store the Username type in the TargetUsernameType field. If other IDs are available, we recommend that you normalize the field names to TargetUserUpn, TargetUserWindows, and TargetUserDn. For more information, see The User entity. (e.g. AlbertE)	Schema
TargetUsernameType	Conditional	string	Enumerated Values (4) UPN, Windows, DN, Simple	User	Target	TargetUsername	Specifies the type of the username stored in the TargetUsername field. (e.g. Windows)	Schema
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserScope	Optional	string		User	Target		The scope, such as Microsoft Entra tenant, in which TargetUserId and TargetUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Schema
TargetUserScopeId	Optional	string		User	Target		The scope ID, such as Microsoft Entra Directory ID, in which TargetUserId and TargetUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Schema
TargetUserSessionId	Optional	string		User	Target		The unique ID of the target user's login session. (e.g. 999)	Schema
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserType	Optional	string	Enumerated Values (7) Regular, Machine, Admin, System, Application, Service Principal, Other	User	Target		The type of target user	Schema
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ThreatCategory	Optional	string					The category of the threat or malware identified in the file activity. (e.g. Trojan)	Schema
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Schema
ThreatField	Optional	string					The field for which a threat was identified.	Schema
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Schema
ThreatId	Optional	string					The ID of the threat or malware identified in the file activity.	Schema
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Schema
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Schema
ThreatName	Optional	string					The name of the threat or malware identified in the file activity. (e.g. EICAR Test File)	Schema
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Schema
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Schema
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the identified threat. The level should be a number between 0 and 100.	Schema
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
UpdatedPropertyName	Alias		Values (5) MultipleProperties, Previous<PropertyName>, <PropertyName>, UpdatedPropertyName, New<PropertyName>			EventSubType	when the Event Type is `UserCreated`, `GroupCreated`, `UserModified`, or `GroupModified`.	Schema
User	Alias			User	Actor	ActorUsername		Schema

Parser	Version	Product	Tables	Solutions

ASimUserManagementAWSCloudTrail	0.1.0	AWS Cloud Trail	AWSCloudTrail	Amazon Web Services
ASimUserManagementCiscoISE	0.1.2	Cisco ISE	Syslog	Syslog
ASimUserManagementLinuxAuthpriv	0.1.1	Microsoft	Syslog	Syslog
ASimUserManagementMicrosoftSecurityEvent	0.2.0	Microsoft Security Event	SecurityEvent	Windows Security Events
ASimUserManagementMicrosoftWindowsEvent	0.2.1	Microsoft Windows Event	WindowsEvent	Windows Forwarded Events
ASimUserManagementNative	0.1.0	Native	ASimUserManagementActivityLogs	SynqlyIntegrationConnector
ASimUserManagementSentinelOne	0.1.1	SentinelOne	SentinelOne_CL

Field	Class	Type	Logical Type	Entity	Role	Refers To	Description	Source

ActorDNUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorSimpleUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorUserAadId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserAWSId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserOktaId	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserPuid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserSid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUid	Optional	string		User	Actor		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
ActorUserUpn	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
ActorWindowsUsername	Optional	string		User	Actor		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
AdditionalFields	Optional	dynamic					If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add the extra information as key/value pairs.	Common
ASimMatchingHostname	Recommended	string	Enumerated Values (3) SrcHostname, DstHostname, Both				When a parser uses the `hostname_has_any` filtering parameters, this field is set with the one of the values `SrcHostname`, `DstHostname`, or `Both` to reflect the matching fields or fields	Inherited
ASimMatchingIpAddr	Recommended	string	Enumerated Values (3) SrcIpAddr, DstIpAddr, Both				When a parser uses the `ipaddr_has_any_prefix` filtering parameters, this field is set with the one of the values `SrcIpAddr`, `DstIpAddr`, or `Both` to reflect the matching fields or fields	Inherited
Dst	Alias			Device	Dst	Either of DstDvcId, DstHostname, DstIpAddr	A unique identifier of the server receiving the DNS request. This field might alias the DstDvcId, DstHostname, or DstIpAddr fields. (e.g. 192.168.12.1)	Inherited
DstAppId	Optional	string		Application	Dst		The ID of the destination application, as reported by the reporting device. If DstAppType is `Process`, `DstAppId` and `DstProcessId` should have the same value. (e.g. 124)	Inherited
DstAppName	Optional	string		Application	Dst		The name of the destination application. (e.g. Facebook)	Inherited
DstAppType	Optional	string	AppType Values (7) Process, Service, Resource, URL, SaaS application, CSP, Other	Application	Dst		The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if DstAppName or DstAppId are used.	Inherited
DstBytes	Recommended	long		Device	Dst		The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes should be the sum over all aggregated sessions. (e.g. 32455)	Inherited
DstDescription	Optional	string		Device	Dst		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Inherited
DstDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Dst		The type of the destination device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Inherited
DstDNUsername	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstDomain	Recommended	string	Domain	Device	Dst		The domain of the destination device. (e.g. Contoso)	Inherited
DstDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dst	DstDomain	The type of DstDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if DstDomain is used.	Inherited
DstDvcAction	Optional	string		Device	Dst		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
DstDvcAwsVpcId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcAzureResourceId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcId	Optional	string		Device	Dst		The ID of the destination device. If multiple IDs are available, use the most important one, and store the others in the fields `DstDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Inherited
DstDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Dst		The type of DstDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Required if DstDeviceId is used.	Inherited
DstDvcMD4IoTid	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcMDEid	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcOriginalAction	Optional	string		Device	Dst		The original DvcAction as provided by the reporting device.	Entity Extension
DstDvcOs	Optional	string		Device	Dst		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
DstDvcOsVersion	Optional	string		Device	Dst		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
DstDvcScope	Optional	string		Device	Dst		The cloud platform scope the device belongs to. DstDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Inherited
DstDvcScopeId	Optional	string		Device	Dst		The cloud platform scope ID the device belongs to. DstDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Inherited
DstDvcVectraId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstDvcVMConnectionId	Optional	string		Device	Dst		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DstFQDN	Optional	string	FQDN	Device	Dst		The destination device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Inherited
DstGeoCity	Optional	string	City	Device	Dst		The city associated with the destination IP address. For more information, see Logical types. (e.g. Burlington)	Inherited
DstGeoCountry	Optional	string	Country	Device	Dst		The country/region associated with the destination IP address. For more information, see Logical types. (e.g. USA)	Inherited
DstGeoLatitude	Optional	real	Latitude	Device	Dst		The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. (e.g. 44.475833)	Inherited
DstGeoLongitude	Optional	real	Longitude	Device	Dst		The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types. (e.g. 73.211944)	Inherited
DstGeoRegion	Optional	string	Region	Device	Dst		The region, or state, associated with the destination IP address. For more information, see Logical types. (e.g. Vermont)	Inherited
DstHostname	Recommended	string	Hostname	Device	Dst		The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Inherited
DstInterface	Optional	string		Device	Dst		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
DstInterfaceGuid	Optional	string	GUID	Device	Dst		The GUID of the network interface used on the destination device. (e.g. 46ad544b-eaf0-47ef- 827c-266030f545a6)	Inherited
DstInterfaceName	Optional	string		Device	Dst		The network interface used for the connection or session by the destination device. (e.g. Microsoft Hyper-V Network Adapter)	Inherited
DstIpAddr	Recommended	string	IP address	Device	Dst		The IP address of the connection or session destination. If the session uses network address translation, `DstIpAddr` is the publicly visible address, and not the original address of the source, which is stored in DstNatIpAddr (e.g. 2001:db8::ff00:42:8329)	Inherited
DstMacAddr	Optional	string	MAC Address	Device	Dst		The MAC address of the network interface used for the connection or session by the destination device. (e.g. 06:10:9f:eb:8f:14)	Inherited
DstNatIpAddr	Optional	string	IP address	Device	Intermediary		The DstNatIpAddr represents either of: - The original address of the destination device if network address translation was used. - The IP address used by the intermediary device for communication with the source. (e.g. 2::1)	Inherited
DstNatPortNumber	Optional	int		Device	Intermediary		If reported by an intermediary NAT device, the port used by the NAT device for communication with the source. (e.g. 443)	Inherited
DstOriginalUserType	Optional	string		User	Dst		The original destination user type, if provided by the source.	Inherited
DstPackets	Optional	long		Device	Dst		The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets should be the sum over all aggregated sessions. (e.g. 446)	Inherited
DstPortNumber	Optional	int		Device	Dst		The destination IP port. (e.g. 443)	Inherited
DstProcessGuid	Optional	string		Application	Dst		A generated unique identifier (GUID) of the process that terminated the network session. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Inherited
DstProcessId	Optional	string		Application	Dst		The process ID (PID) of the process that terminated the network session. (e.g. 48610176)	Inherited
DstProcessName	Optional	string		Application	Dst		The file name of the process that terminated the network session. This name is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Inherited
DstSimpleUsername	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstUserAadId	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserAADTenant	Optional	string		User	Dst		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
DstUserAWSAccount	Optional	string		User	Dst		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
DstUserAWSId	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserId	Optional	string		User	Dst		A machine-readable, alphanumeric, unique representation of the destination user. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Inherited
DstUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Dst	DstUserId	The type of the ID stored in the DstUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.	Inherited
DstUsername	Optional	string	Username	User	Dst		The destination username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the DstUsernameType field. If other username formats are available, store them in the fields `DstUsername`. (e.g. AlbertE)	Inherited
DstUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Dst	DstUsername	Specifies the type of the username stored in the DstUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. (e.g. Windows)	Inherited
DstUserOktaId	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserPuid	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserScope	Optional	string		User	Dst		The scope, such as Microsoft Entra tenant, in which DstUserId and DstUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Inherited
DstUserScopeId	Optional	string		User	Dst		The scope ID, such as Microsoft Entra Directory ID, in which DstUserId and DstUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Inherited
DstUserSid	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Dst		The type of destination user. For a list of allowed values and further information, refer to UserType in the Schema Overview article.	Inherited
DstUserUid	Optional	string		User	Dst		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
DstUserUPN	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstVlanId	Optional	string		Device	Dst		The VLAN ID related to the destination device. (e.g. 130)	Inherited
DstWindowsUsername	Optional	string		User	Dst		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
DstZone	Optional	string		Device	Dst		The network zone of the destination, as defined by the reporting device. (e.g. Dmz)	Inherited
Duration	Alias					NetworkDuration		Inherited
Dvc	Alias	string		Device	Dvc	Either of DvcFQDN, DvcId, DvcHostname, DvcIpAddr	A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there's no apparent device, use the same value as the Event Product field	Common
DvcAction	Optional	string		Device	Dvc		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Common
DvcAwsVpcId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcAzureResourceId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcDescription	Optional	string		Device	Dvc		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Common
DvcDomain	Recommended	string	Domain	Device	Dvc		The domain of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso)	Common
DvcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Dvc	DvcDomain	The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.	Common
DvcFQDN	Optional	string	FQDN	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. Contoso\DESKTOP-1282V4D)	Common
DvcHostname	Recommended	string	Hostname	Device	Dvc		The hostname of the device on which the event occurred or which reported the event, depending on the schema. (e.g. ContosoDc)	Common
DvcId	Optional	string		Device	Dvc		The unique ID of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 41502da5-21b7-48ec-81c9-baeea8d7d669 If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId, DvcMDEid, etc)	Common
DvcIdType	Conditional	string	Enumerated Values (9) AzureResourceId, MDEid, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, AppGateId, FQDN, Other	Device	Dvc	DvcId	The type of DvcId. The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort	Common
DvcInboundInterface	Optional	string		Device	Intermediary		If reported by an intermediary device, the network interface used by the NAT device for the connection to the source device. (e.g. eth0)	Inherited
DvcInterface	Optional	string		Device	Dvc		The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.	Common
DvcIpAddr	Recommended	string	IP address	Device	Dvc		The IP address of the device on which the event occurred or which reported the event, depending on the schema. (e.g. 45.21.42.12)	Common
DvcMacAddr	Optional	string	MAC address	Device	Dvc		The MAC address of the device on which the event occurred or which reported the event. (e.g. 00:1B:44:11:3A:B7)	Common
DvcMD4IoTid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcMDEid	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcOriginalAction	Optional	string		Device	Dvc		The original DvcAction as provided by the reporting device.	Common
DvcOs	Optional	string		Device	Dvc		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Common
DvcOsVersion	Optional	string		Device	Dvc		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Common
DvcOutboundInterface	Optional	string		Device	Intermediary		If reported by an intermediary device, the network interface used by the NAT device for the connection to the destination device. (e.g. Ethernet adapter Ethernet 4e)	Inherited
DvcScope	Optional	string		Device	Dvc		The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcScopeId	Optional	string		Device	Dvc		The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Common
DvcVectraId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcVMConnectionId	Optional	string		Device	Dvc		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
DvcZone	Optional	string		Device	Dvc		The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device. (e.g. Dmz)	Common
EventCount	Mandatory	int					The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to `1`.	Common
EventEndTime	Mandatory	datetime					The time when the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventMessage	Optional	string					A general message or description, either included in or generated from the record.	Common
EventOriginalResultDetails	Optional	string					The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.	Common
EventOriginalSeverity	Optional	string					The original severity as provided by the reporting device. This value is used to derive EventSeverity.	Common
EventOriginalSubType	Optional	string					The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema. (e.g. 2)	Common
EventOriginalType	Optional	string					The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema. (e.g. 4624)	Common
EventOriginalUid	Optional	string					A unique ID of the original record, if provided by the source. (e.g. 69f37748-ddcd-4331-bf0f-b137f1ea83b)	Common
EventOwner	Optional	string					The owner of the event, which is usually the department or subsidiary in which it was generated.	Common
EventProduct	Mandatory	string					The product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Sysmon)	Common
EventProductVersion	Optional	string					The version of the product generating the event. (e.g. 12.1)	Common
EventReportUrl	Optional	string	URL				A URL provided in the event for a resource that provides more information about the event.	Common
EventResult	Mandatory	string	Enumerated Values (4) Success, Partial, Failure, NA				Describes the event result, normalized to For an HTTP session, `Success` is defined as a status code lower than `400`, and `Failure` is defined as a status code higher than `400`. For a list of HTTP status codes, refer to W3 Org. The source may provide only a value for the EventResultDetails field, which must be analyzed to get the EventResult value	Schema
EventResultDetails	Recommended	string	Enumerated				The HTTP status code as defined by The World Wide Web Consortium	Schema
EventSchema	Mandatory	string	Enumerated Values (1) WebSession				The name of the schema documented here is `WebSession`	Schema
EventSchemaVersion	Mandatory	string	SchemaVersion				The version of the schema. The version of the schema documented here is `0.2.7`	Schema
EventSeverity	Recommended	string	Enumerated Values (4) Informational, Low, Medium, High				The severity of the event	Common
EventStartTime	Mandatory	datetime					The time when the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field	Common
EventSubType	Optional	string	Enumerated				Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field	Common
EventType	Mandatory	string	Enumerated Values (3) HTTPsession, WebServerSession, ApiRequest				Describes the operation reported by the record. Allowed values are: - `HTTPsession`: Denotes a network session used for HTTP or HTTPS, typically reported by an intermediary device, such as a proxy or a Web security gateway. - `WebServerSession`: Denotes an HTTP request reported by a web server. Such an event typically has less network related information. The URL reported should not include a schema and a server name, but only the path and parameters part of the URL. - `ApiRequest`: Denotes an HTTP request reported associated with an API call, typically reported by an application server. Such an event typically has less network related information. When reported by the application server, the URL reported should not include a schema and a server name, but only the path and parameters part of the URL	Schema
EventUid	Recommended	string					The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the `_ItemId` Log Analytics field.	Common
EventVendor	Mandatory	string					The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products. (e.g. Microsoft)	Common
FileContentType	Optional	string					For HTTP uploads, the content type of the uploaded file.	Schema
FileMD5	Optional	string	MD5				For HTTP uploads, the MD5 hash of the uploaded file. (e.g. 75a599802f1fa166cdadb360960b1dd0)	Schema
FileName	Optional	string					For HTTP uploads, the name of the uploaded file.	Schema
FileSHA1	Optional	string	SHA1				For HTTP uploads, the SHA1 hash of the uploaded file. (e.g. d55c5a4df19b46db8c54 c801c4665d3338acdab0)	Schema
FileSHA256	Optional	string	SHA256				For HTTP uploads, the SHA256 hash of the uploaded file. (e.g. e81bb824c4a09a811af17deae22f22dd 2e1ec8cbb00b22629d2899f7c68da274)	Schema
FileSHA512	Optional	string	SHA512				For HTTP uploads, the SHA512 hash of the uploaded file.	Schema
FileSize	Optional	long					For HTTP uploads, the size in bytes of the uploaded file.	Schema
Hash	Alias					Either of FileMD5, FileSHA1, FileSHA256, FileSHA512	Alias to the available Hash field	Schema
HashType	Conditional	string	Enumerated Values (4) MD5, SHA1, SHA256, SHA512				The type of the hash in the Hash field. Possible values include: `MD5`, `SHA1`, `SHA256`, and `SHA512`	Schema
Hostname	Alias					Either of DstHostname, RemoteHostname, SrcHostName, NetworkDirection	If the event type is `NetworkSession`, `Flow` or `L2NetworkSession`, Hostname is an - If the event type is `EndpointNetworkSession`, Hostname is an , which can alias either DstHostname or SrcHostName, depending on NetworkDirection	Inherited
HttpContentFormat	Optional	string					The content format part of the HttpContentType (e.g. text/html)	Schema
HttpContentType	Optional	string					The HTTP Response content type header. (e.g. text/html; charset=ISO-8859-4)	Schema
HttpCookie	Optional	string					The content of the HTTP cookie header sent from the client to the server, containing name-value pairs of session data. (e.g. session_id=abc123; user_pref=dark_mode)	Schema
HttpHost	Optional	string					The virtual web server the HTTP request has targeted. This value is typically based on the HTTP Host header.	Schema
HttpIsProxied	Optional	boolean					Indicates whether the HTTP request was sent through a proxy server. (e.g. true)	Schema
HttpReferrer	Optional	string					The HTTP referrer header. (e.g. https://developer.mozilla.org/docs)	Schema
HttpRequestBodyBytes	Optional	long					The size of the HTTP request body in bytes, not including headers. (e.g. 1024)	Schema
HttpRequestCacheControl	Optional	string					The content of the HTTP Cache-Control request header, specifying caching directives from the client. (e.g. no-cache)	Schema
HttpRequestHeaderCount	Optional	int					The number of HTTP headers included in the request. (e.g. 12)	Schema
HttpRequestMethod	Recommended	string	Enumerated				The HTTP Method. The values are as defined in RFC 7231 and RFC 5789, and include `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, and `PATCH`. (e.g. GET)	Schema
HttpRequestTime	Optional	int					The amount of time, in milliseconds, it took to send the request to the server, if applicable. (e.g. 700)	Schema
HttpRequestXff	Optional	string	IP Address				The HTTP X-Forwarded-For header. (e.g. 120.12.41.1)	Schema
HttpResponseBodyBytes	Optional	long					The size of the HTTP response body in bytes, not including headers. (e.g. 8192)	Schema
HttpResponseCacheControl	Optional	string					The content of the HTTP Cache-Control response header, specifying caching directives from the server. (e.g. max-age=3600, public)	Schema
HttpResponseExpires	Optional	string					The content of the HTTP Expires response header, indicating when the response content expires. (e.g. Thu, 01 Dec 2024 16:00:00 GMT)	Schema
HttpResponseHeaderCount	Optional	int					The number of HTTP headers included in the response. (e.g. 15)	Schema
HttpResponseTime	Optional	int					The amount of time, in milliseconds, it took to receive a response in the server, if applicable. (e.g. 800)	Schema
HttpStatusCode	Alias					EventResultDetails	The HTTP Status Code	Schema
HttpUserAgent	Optional	string					The HTTP user agent header. (e.g. Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36)	Schema
HttpVersion	Optional	string					The HTTP Request Version. (e.g. 2.0)	Schema
InnerVlanId	Alias			Device	Src	SrcVlanId	In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that SrcVlanId should be used when the VLAN is characterized as inner	Inherited
IpAddr	Alias					Either of SrcIpAddr, LocalIpAddr, DstIpAddr, NetworkDirection	If the event type is `NetworkSession`, `Flow` or `L2NetworkSession`, IpAddr is an - If the event type is `EndpointNetworkSession`, IpAddr is an , which can alias either SrcIpAddr or DstIpAddr, depending on NetworkDirection	Inherited
NetworkApplicationProtocol	Optional	string					The application layer protocol used by the connection or session. The value should be in all uppercase. (e.g. FTP)	Inherited
NetworkBytes	Optional	long					Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes should be the sum over all aggregated sessions. (e.g. 78991)	Inherited
NetworkConnectionHistory	Optional	string					TCP flags and other potential IP header information.	Inherited
NetworkDirection	Optional	string	Enumerated Values (5) Inbound, Outbound, Local, External, NA				The direction of the connection or session: - For the EventType `NetworkSession`, `Flow` or `L2NetworkSession`, NetworkDirection represents the direction relative to the organization or cloud environment boundary. - For the EventType `EndpointNetworkSession`, NetworkDirection represents the direction relative to the endpoint	Inherited
NetworkDuration	Optional	int					The amount of time, in milliseconds, for the completion of the network session or connection. (e.g. 1500)	Inherited
NetworkIcmpCode	Optional	int					For an ICMP message, the ICMP code number as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.	Inherited
NetworkIcmpType	Optional	string					For an ICMP message, ICMP type name associated with the numerical value, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections. (e.g. Destination Unreachable for NetworkIcmpCode 3)	Inherited
NetworkPackets	Optional	long					The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, PacketsTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets should be the sum over all aggregated sessions. (e.g. 6924)	Inherited
NetworkProtocol	Optional	string	Enumerated				The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically `TCP`, `UDP`, or `ICMP`. (e.g. TCP)	Inherited
NetworkProtocolVersion	Optional	string	Enumerated Values (1) IPv4				The version of NetworkProtocol. When using it to distinguish between IP version, use the values `IPv4` and `IPv6`	Inherited
NetworkSessionId	Optional	string					The session identifier as reported by the reporting device. (e.g. 172\_12\_53\_32\_4322\_\_123\_64\_207\_1\_80)	Inherited
OuterVlanId	Alias			Device	Dst	DstVlanId	In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that DstVlanId should be used when the VLAN is characterized as outer	Inherited
Process	Alias			Application	Dst	DstProcessName	(e.g. C:\Windows\System32\rundll32.exe)	Inherited
Rule	Alias	string				Either of NetworkRuleName, NetworkRuleNumber	Either the value of NetworkRuleName or the value of NetworkRuleNumber. If the value of NetworkRuleNumber is used, the type should be converted to string	Inherited
RuleName	Optional	string					The name or ID of the rule by which DvcAction was decided upon. (e.g. AnyAnyDrop)	Inherited
RuleNumber	Optional	int					The number of the rule by which DvcAction was decided upon. (e.g. 23)	Inherited
SessionId	Alias	string				NetworkSessionId		Inherited
Src	Alias			Device	Src	Either of SrcDvcId, SrcHostname, SrcIpAddr	A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. (e.g. 192.168.12.1)	Inherited
SrcAppId	Optional	string		Application	Src		The ID of the source application, as reported by the reporting device. If SrcAppType is `Process`, `SrcAppId` and `SrcProcessId` should have the same value. (e.g. 124)	Inherited
SrcAppName	Optional	string		Application	Src		The name of the source application. (e.g. filezilla.exe)	Inherited
SrcAppType	Optional	string	AppType Values (7) Process, Service, Resource, URL, SaaS application, CSP, Other	Application	Src		The type of the source application. For a list of allowed values and further information, refer to AppType in the Schema Overview article. This field is mandatory if SrcAppName or SrcAppId are used.	Inherited
SrcBytes	Recommended	long		Device	Src		The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes should be the sum over all aggregated sessions. (e.g. 46536)	Inherited
SrcDescription	Optional	string		Device	Src		A descriptive text associated with the device. (e.g. Primary Domain Controller)	Inherited
SrcDeviceType	Optional	string	DeviceType Values (4) Computer, Mobile Device, IOT Device, Other	Device	Src		The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.	Inherited
SrcDNUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcDomain	Recommended	string	Domain	Device	Src		The domain of the source device. (e.g. Contoso)	Inherited
SrcDomainType	Conditional	string	DomainType Values (2) FQDN, Windows	Device	Src	SrcDomain	The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article. Required if SrcDomain is used.	Inherited
SrcDvcAction	Optional	string		Device	Src		For reporting security systems, the action taken by the system, if applicable. (e.g. Blocked)	Entity Extension
SrcDvcAwsVpcId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcAzureResourceId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcId	Optional	string		Device	Src		The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields `SrcDvc`. (e.g. ac7e9755-8eae-4ffc-8a02-50ed7a2216c3)	Inherited
SrcDvcIdType	Conditional	string	DvcIdType Values (7) MDEid, AzureResourceId, MD4IoTid, VMConnectionId, AwsVpcId, VectraId, Other	Device	Src	SrcDvcId	The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article.	Inherited
SrcDvcMD4IoTid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcMDEid	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcOriginalAction	Optional	string		Device	Src		The original DvcAction as provided by the reporting device.	Entity Extension
SrcDvcOs	Optional	string		Device	Src		The operating system running on the device on which the event occurred or which reported the event. (e.g. Windows)	Entity Extension
SrcDvcOsVersion	Optional	string		Device	Src		The version of the operating system on the device on which the event occurred or which reported the event. (e.g. 10)	Entity Extension
SrcDvcScope	Optional	string		Device	Src		The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.	Inherited
SrcDvcScopeId	Optional	string		Device	Src		The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.	Inherited
SrcDvcVectraId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcDvcVMConnectionId	Optional	string		Device	Src		Fields used to store other device IDs, if the original event includes multiple device IDs. Select the device ID most associated with the event as the primary ID stored in DvcId.	Entity Extension
SrcFQDN	Optional	string	FQDN	Device	Src		The source device hostname, including domain information when available. (e.g. Contoso\DESKTOP-1282V4D)	Inherited
SrcGeoCity	Optional	string	City	Device	Src		The city associated with the source IP address. (e.g. Burlington)	Inherited
SrcGeoCountry	Optional	string	Country	Device	Src		The country/region associated with the source IP address. (e.g. USA)	Inherited
SrcGeoLatitude	Optional	real	Latitude	Device	Src		The latitude of the geographical coordinate associated with the source IP address. (e.g. 44.475833)	Inherited
SrcGeoLongitude	Optional	real	Longitude	Device	Src		The longitude of the geographical coordinate associated with the source IP address. (e.g. 73.211944)	Inherited
SrcGeoRegion	Optional	string	Region	Device	Src		The region associated with the source IP address. (e.g. Vermont)	Inherited
SrcHostname	Recommended	string	Hostname	Device	Src		The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. (e.g. DESKTOP-1282V4D)	Inherited
SrcInterface	Optional	string		Device	Src		The network interface on which data was captured. This field is typically relevant to network related activity captured by an intermediate or tap device.	Entity Extension
SrcInterfaceGuid	Optional	string	GUID	Device	Src		The GUID of the network interface used on the source device. (e.g. 46ad544b-eaf0-47ef- 827c-266030f545a6)	Inherited
SrcInterfaceName	Optional	string		Device	Src		The network interface used for the connection or session by the source device. (e.g. eth01)	Inherited
SrcIpAddr	Recommended	string	IP address	Device	Src		The IP address from which the connection or session originated. This value is mandatory if SrcHostname is specified. If the session uses network address translation, `SrcIpAddr` is the publicly visible address, and not the original address of the source, which is stored in SrcNatIpAddr (e.g. 77.138.103.108)	Inherited
SrcMacAddr	Optional	string	MAC Address	Device	Src		The MAC address of the network interface from which the connection or session originated. (e.g. 06:10:9f:eb:8f:14)	Inherited
SrcNatIpAddr	Optional	string	IP address	Device	Intermediary		The SrcNatIpAddr represents either of: - The original address of the source device if network address translation was used. - The IP address used by the intermediary device for communication with the destination. (e.g. 4.3.2.1)	Inherited
SrcNatPortNumber	Optional	int		Device	Intermediary		If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination. (e.g. 345)	Inherited
SrcOriginalUserType	Optional	string		User	Src		The original destination user type, if provided by the reporting device.	Inherited
SrcPackets	Optional	long		Device	Src		The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets should be the sum over all aggregated sessions. (e.g. 6478)	Inherited
SrcPortNumber	Optional	int		Device	Src		The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections. (e.g. 2335)	Inherited
SrcProcessGuid	Optional	string		Application	Src		A generated unique identifier (GUID) of the process that initiated the network session. (e.g. EF3BD0BD-2B74-60C5-AF5C-010000001E00)	Inherited
SrcProcessId	Optional	string		Application	Src		The process ID (PID) of the process that initiated the network session. (e.g. 48610176)	Inherited
SrcProcessName	Optional	string		Application	Src		The file name of the process that initiated the network session. This name is typically considered to be the process name. (e.g. C:\Windows\explorer.exe)	Inherited
SrcSimpleUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcUserAadId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserAADTenant	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSAccount	Optional	string		User	Src		Fields used to store specific scopes. Use the UserScope field for the scope associated with the ID stored in the UserId field. Populate the relevant specific scope field, in addition to UserScope, even if the event has only one ID.	Entity Extension
SrcUserAWSId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserId	Optional	string		User	Src		A machine-readable, alphanumeric, unique representation of the source user. For the supported format for different ID types, refer to the User entity. (e.g. S-1-12)	Inherited
SrcUserIdType	Conditional	string	UserIdType Values (7) SID, UID, AADID, OktaId, AWSId, PUID, SalesforceId	User	Src	SrcUserId	The type of the ID stored in the SrcUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.	Inherited
SrcUsername	Optional	string	Username	User	Src		The source username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available. Store the Username type in the SrcUsernameType field. If other username formats are available, store them in the fields `SrcUsername`. (e.g. AlbertE)	Inherited
SrcUsernameType	Conditional	string	UsernameType Values (5) UPN, Windows, DN, Simple, AWSId	User	Src	SrcUsername	Specifies the type of the username stored in the SrcUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article. (e.g. Windows)	Inherited
SrcUserOktaId	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserPuid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserScope	Optional	string		User	Src		The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article	Inherited
SrcUserScopeId	Optional	string		User	Src		The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article	Inherited
SrcUserSid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserType	Optional	string	UserType Values (9) Regular, Machine, Admin, System, Application, Service Principal, Service, Anonymous, Other	User	Src		The type of source user. For a list of allowed values and further information, refer to UserType in the Schema Overview article.	Inherited
SrcUserUid	Optional	string		User	Src		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
SrcUserUPN	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcVlanId	Optional	string		Device	Src		The VLAN ID related to the source device. (e.g. 130)	Inherited
SrcWindowsUsername	Optional	string		User	Src		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
SrcZone	Optional	string		Device	Src		The network zone of the source, as defined by the reporting device. (e.g. Internet)	Inherited
TargetDNUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetSimpleUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetUserAadId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserAWSId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserOktaId	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserPuid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserSid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUid	Optional	string		User	Target		Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in UserId. Populate the relevant specific ID field, in addition to UserId, even if the event has only one ID.	Entity Extension
TargetUserUpn	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TargetWindowsUsername	Optional	string		User	Target		Fields used to store additional usernames, if the original event includes multiple usernames. Select the username most associated with the event as the primary username stored in Username.	Entity Extension
TcpFlagsAck	Optional	boolean					The TCP ACK Flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK and a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet.	Inherited
TcpFlagsCwr	Optional	boolean					The TCP CWR Flag reported. The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details.	Inherited
TcpFlagsEce	Optional	boolean					The TCP ECE Flag reported. This flag is responsible for indicating if the TCP peer is ECN capable. See RFC 3168 for more details.	Inherited
TcpFlagsFin	Optional	boolean					The TCP FIN Flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender.	Inherited
TcpFlagsNs	Optional	boolean					The TCP NS Flag reported. The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See RFC 3540 for more details	Inherited
TcpFlagsPsh	Optional	boolean					The TCP PSH Flag reported. The push flag is similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.	Inherited
TcpFlagsRst	Optional	boolean					The TCP RST Flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it.	Inherited
TcpFlagsSyn	Optional	boolean					The TCP SYN Flag reported. The synchronization flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set.	Inherited
TcpFlagsUrg	Optional	boolean					The TCP URG Flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.	Inherited
ThreatCategory	Optional	string					The category of the threat or malware identified in the network session. (e.g. Trojan)	Inherited
ThreatConfidence	Optional	int	ConfidenceLevel				The confidence level of the threat identified, normalized to a value between 0 and a 100.	Inherited
ThreatField	Conditional	string	Enumerated Values (2) SrcIpAddr, DstIpAddr				The field for which a threat was identified. The value is either `SrcIpAddr` or `DstIpAddr`	Inherited
ThreatFirstReportedTime	Optional	datetime					The first time the IP address or domain were identified as a threat.	Inherited
ThreatId	Optional	string					The ID of the threat or malware identified in the network session. (e.g. Tr.124)	Inherited
ThreatIpAddr	Optional	string	IP Address				An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.	Inherited
ThreatIsActive	Optional	boolean					True if the threat identified is considered an active threat.	Inherited
ThreatLastReportedTime	Optional	datetime					The last time the IP address or domain were identified as a threat.	Inherited
ThreatName	Optional	string					The name of the threat or malware identified in the network session. (e.g. EICAR Test File)	Inherited
ThreatOriginalConfidence	Optional	string					The original confidence level of the threat identified, as reported by the reporting device.	Inherited
ThreatOriginalRiskLevel	Optional	string					The risk level as reported by the reporting device.	Inherited
ThreatRiskLevel	Optional	int	RiskLevel				The risk level associated with the session. The level should be a number between 0 and 100.	Inherited
TimeGenerated	Mandatory	datetime					The time the event was generated by the reporting device.	Common (Implicit)
Type	Mandatory	string					The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values. (e.g. a Sysmon event can be collected either to the Event table or to the WindowsEvent table)	Common (Implicit)
Url	Mandatory	string	URL				The HTTP request URL, including parameters. For `HTTPSession` events, the URL may include the schema and should include the server name. For `WebServerSession` and for `ApiRequest` the URL would typically not include the schema and server, which can be found in the `NetworkApplicationProtocol` and `DstFQDN` fields respectively. (e.g. https://contoso.com/fo/?k=v&q=u#f)	Schema
UrlCategory	Optional	string					The defined grouping of a URL or the domain part of the URL. The category is commonly provided by web security gateways and is based on the content of the site the URL points to. (e.g. search engines, adult, news, advertising, and parked domains)	Schema
UrlOriginal	Optional	string	URL				The original value of the URL, when the URL was modified by the reporting device and both values are provided.	Schema
User	Alias			User	Dst	DstUsername		Inherited
UserAgent	Alias					HttpUserAgent		Schema

Parser	Version	Product	Tables	Solutions

ASimWebSessionApacheHTTPServer	0.1.0	Apache HTTP Server	ApacheHTTPServer_CL	CustomLogsAma
ASimWebSessionAzureFirewall	0.1.0	Azure Firewall	AZFWApplicationRule
ASimWebSessionBarracudaCEF	0.2.1	Barracuda WAF	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionBarracudaWAF	0.2.2	Barracuda WAF	barracuda_CL
ASimWebSessionCiscoFirepower	0.1.0	Cisco Firepower	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionCiscoMeraki	0.1.1	Cisco Meraki	Syslog, meraki_CL	Cisco SD-WAN, CiscoMeraki, CustomLogsAma, Forescout (Legacy)
ASimWebSessionCiscoUmbrella	0.1.0	Cisco Umbrella	Cisco_Umbrella_proxy_CL	CiscoUmbrella
ASimWebSessionCitrixNetScaler	0.1.1	Citrix NetScaler	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionF5ASM	0.1.0	F5 BIG-IP Application Security Manager (ASM)	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionFortinetFortiGate	0.3.0	Fortinet FortiGate	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionIIS	0.2	Internet Information Services (IIS)	W3CIISLog	Microsoft Exchange Security - Exchange On-Premises
ASimWebSessionNative	0.1	Native	ASimWebSessionLogs	Cisco Meraki Events via REST API, SynqlyIntegrationConnector
ASimWebSessionPaloAltoCEF	0.2	Palo Alto Networks	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionPaloAltoCortexDataLake	0.1.1	Palo Alto Cortex Data Lake	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionSonicWallFirewall	0.1.1	SonicWall	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access
ASimWebSessionSquidProxy	0.4.0	Squid Proxy	SquidProxy_CL	CustomLogsAma
ASimWebSessionVectraAI	0.2	Vectra AI Streams	VectraStream_CL	CustomLogsAma, Vectra AI Stream
ASimWebSessionZscalerZIA	0.4.1	Zscaler ZIA	CommonSecurityLog	Common Event Format, VirtualMetric DataStream, Zscaler Internet Access