Microsoft Sentinel DHCP normalization schema reference (Public preview)

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

The DHCP information model is used to describe events reported by a DHCP server, and is used by Microsoft Sentinel to enable source-agnostic analytics.

For more information, see Normalization and the Advanced SIEM Information Model (ASIM).

Important

The DHCP normalization schema is currently in PREVIEW. This feature is provided without a service level agreement, and is not recommended for production workloads.

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Schema overview

The ASIM DHCP schema represents DHCP server activity, including serving client systems' requests for DHCP IP address leases and updating a DNS server with the leases granted.

The most important fields in a DHCP event are SrcIpAddr and SrcHostname, which the DHCP server binds by granting the lease, and which are aliased by the IpAddr and Hostname fields respectively. The SrcMacAddr field is also important, as it identifies the client machine in cases where no IP address is leased.

A DHCP server may reject a client, either due to security concerns or because of network saturation. It may also quarantine a client by leasing it an IP address that connects it to a limited network. The EventResult, EventResultDetails and DvcAction fields provide information about the DHCP server's response and action.

A lease's duration is stored in the DhcpLeaseDuration field.

Schema details

ASIM is aligned with the Open Source Security Events Metadata (OSSEM) project.

OSSEM does not have a DHCP schema comparable to the ASIM DHCP schema.

Log Analytics fields

The following fields are generated by Log Analytics for each record, and you can override them when creating a custom connector.

Field Type Description
TimeGenerated Date/time The time the event was generated by the reporting device.
_ResourceId guid The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded using Syslog, CEF, or WEF.
Type String The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values.

For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table.

Note

Additional Log Analytics fields that are less relevant to security are documented with Azure Monitor.

Event fields

Event fields are common to all schemas, and describe the activity itself and the reporting device.

Field Class Type Discussion
EventMessage Optional String A general message or description, either included in or generated from the record.
EventCount Mandatory Integer The number of events described by the record.

This value is used when the source supports aggregation and a single record may represent multiple events.

For other sources, it should be set to 1.

Example: 1
EventStartTime Mandatory Date/time If the source supports aggregation and the record represents multiple events, use this field to specify the time that the first event was generated.

In other cases, alias the TimeGenerated field.
EventEndTime Alias Alias to the TimeGenerated field.
EventType Mandatory Enumerated Indicate the operation reported by the record.

Possible values are Assign, Renew, Release and DNS Update.

Example: Assign
EventResult Mandatory Enumerated One of the following values: Success, Partial, Failure, NA (Not Applicable).

The value may be provided in the source record using different terms, which should be normalized to these values. Alternatively, the source may provide only the EventResultDetails field, which should be analyzed to derive the EventResult value. When a client is quarantined by the DHCP server, this field should be set to Partial.

Example: Success
EventResultDetails Alias Reason or details for the result reported in the EventResult field.

Possible values are Exhausted, Quarantined, and Denied.

Example: Exhausted
EventOriginalResultDetails Optional String The value provided in the original record for EventResultDetails, if provided by the source. For Windows DHCP server logs, store the QResult field value here.
EventOriginalUid Optional String A unique ID of the original record, if provided by the source.
EventOriginalType Optional String The original event type or ID, if provided by the source.

Example: DNS Assign Failed
EventProduct Mandatory String The product generating the event. This field may not be available in the source record, in which case it should be set by the parser.

Example: DHCP Server
EventProductVersion Optional String The version of the product generating the event. This field may not be available in the source record, in which case it should be set by the parser.

Example: 12.1
EventVendor Mandatory String The vendor of the product generating the event. This field may not be available in the source record, in which case it should be set by the parser.

Example: Microsoft
EventSchemaVersion Mandatory String The version of the schema documented here is 0.1.0.
EventSchema Mandatory String The name of the schema documented here is Dhcp.
EventReportUrl Optional String A URL provided in the event for a resource that provides more information about the event.
Dvc Alias String A unique identifier of the DHCP server.

Example: ContosoDc.Contoso.Azure

This field may alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the EventProduct field.
DvcIpAddr Recommended IP address The IP address of the DHCP server.

Example: 2001:db8::ff00:42:8329
DvcHostname Mandatory String The hostname of the DHCP server, excluding domain information. If no device name is available, store the relevant IP address in this field.

Example: DESKTOP-1282V4D
DvcDomain Recommended String The domain of the DHCP server.

Example: Contoso
DvcDomainType Recommended Enumerated The type of DvcDomain, if known. Possible values include:
- Windows (contoso\mypc)
- FQDN (docs.microsoft.com)

Note: This field is required if the DvcDomain field is used.
DvcFQDN Optional String The hostname of the DHCP server, including domain information when available.

Example: Contoso\DESKTOP-1282V4D

Note: This field supports both the traditional FQDN format and the Windows domain\hostname format. The DvcDomainType field reflects the format used.
DvcId Optional String The ID of the DHCP server as reported in the record.

Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3
DvcIdType Optional Enumerated The type of DvcId, if known. Possible values include:
- AzureResourceId
- MDEid

If multiple IDs are available, use the first one from the list, and store the others using the field names DvcAzureResourceId and DvcMDEid respectively.

Note: This field is required if the DvcId field is used.
EventSeverity Optional Enumerated Set to Low if the DHCP server quarantined the client, and to Medium if the server blocked the client. Otherwise set to Informational.

Example: Informational
DvcAction Optional Enumerated The action taken by the DHCP server. Possible values are Allow, Deny, and Quarantine.

Example: Deny
AdditionalFields Optional Dynamic If your source provides other information worth preserving, either keep it with the original field names or create the AdditionalFields dynamic field and add the extra information to it as key/value pairs.

DHCP-specific fields

The fields below are specific to DHCP events, but many are similar to fields in other schemas and follow the same naming convention.

Field Class Type Notes
SrcIpAddr Mandatory IP Address The IP address assigned to the client by the DHCP server.

Example: 192.168.12.1
IpAddr Alias Alias for SrcIpAddr
RequestedIpAddr Optional IP Address The IP address requested by the DHCP client, when available.

Example: 192.168.12.3
SrcHostname Mandatory String The hostname of the device requesting the DHCP lease. If no device name is available, store the relevant IP address in this field.

Example: DESKTOP-1282V4D
Hostname Alias Alias for SrcHostname
SrcDomain Recommended String The domain of the source device.

Example: Contoso
SrcDomainType Recommended Enumerated The type of SrcDomain, if known. Possible values include:
- Windows (such as: contoso)
- FQDN (such as: microsoft.com)

Required if SrcDomain is used.
SrcFQDN Optional String The source device hostname, including domain information when available.

Note: This field supports both the traditional FQDN format and the Windows domain\hostname format. The SrcDomainType field reflects the format used.

Example: Contoso\DESKTOP-1282V4D
SrcDvcId Optional String The ID of the source device as reported in the record.

For example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3
SrcDvcIdType Optional Enumerated The type of SrcDvcId, if known. Possible values include:
- AzureResourceId
- MDEid

If multiple IDs are available, use the first one from the list above, and store the others in the SrcDvcAzureResourceId and SrcDvcMDEid fields, respectively.

Note: This field is required if SrcDvcId is used.
SrcDeviceType Optional Enumerated The type of the source device. Possible values include:
- Computer
- Mobile Device
- IOT Device
- Other
SrcUserId Optional String A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include:
- SID (Windows): S-1-5-21-1377283216-344919071-3415362939-500
- UID (Linux): 4578
- AADID (Azure Active Directory): 9267d02c-5f76-40a9-a9eb-b686f3ca47aa
- OktaId: 00urjk4znu3BcncfY0h7
- AWSId: 72643944673

Store the ID type in the SrcUserIdType field. If other IDs are available, we recommend that you normalize the field names to SrcUserSid, SrcUserUid, SrcUserAadId, SrcUserOktaId and SrcUserAwsId, respectively.

Example: S-1-12
SrcUserIdType Optional Enumerated The type of the ID stored in the SrcUserId field. Supported values include: SID, UID, AADID, OktaId, and AWSId.
SrcUsername Optional String The source username, including domain information when available. Use one of the following formats, in the following order of priority:
- Upn/Email: johndow@contoso.com
- Windows: Contoso\johndow
- DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
- Simple: johndow. Use the Simple form only if domain information is not available.

Store the Username type in the SrcUsernameType field. If other IDs are available, we recommend that you normalize the field names to SrcUserUpn, SrcUserWindows and SrcUserDn.

For more information, see The User entity.

Example: AlbertE
Username Alias Alias for SrcUsername
SrcUsernameType Optional Enumerated Specifies the type of the username stored in the SrcUsername field. Supported values are: UPN, Windows, DN, and Simple. For more information, see The User entity.

Example: Windows
SrcUserType Optional Enumerated The type of the source user. Allowed values are:
- Regular
- Machine
- Admin
- System
- Application
- Service Principal
- Other

Note: The value may be provided in the source record using different terms, which should be normalized to these values. Store the original value in the SrcOriginalUserType field.
SrcOriginalUserType The original source user type, if provided by the source.
SrcMacAddr Mandatory Mac Address The MAC address of the client requesting a DHCP lease.

Note: The Windows DHCP server logs the MAC address in a non-standard way, omitting the colons, which the parser should insert.

Example: 06:10:9f:eb:8f:14
DhcpLeaseDuration Optional Integer The length of the lease granted to a client, in seconds.
DhcpSessionId Optional String The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.

Example: 2099570186
SessionId Alias String Alias to DhcpSessionId
DhcpSessionDuration Optional Integer The amount of time, in milliseconds, for the completion of the DHCP session.

Example: 1500
Duration Alias Alias to DhcpSessionDuration
DhcpSrcDHCId Optional String The DHCP client ID, as defined by RFC 4701.
DhcpCircuitId Optional String The DHCP circuit ID, as defined by RFC 3046.
DhcpSubscriberId Optional String The DHCP subscriber ID, as defined by RFC 3993.
DhcpVendorClassId Optional String The DHCP Vendor Class Id, as defined by RFC 3925.
DhcpVendorClass Optional String The DHCP Vendor Class, as defined by RFC 3925.
DhcpUserClassId Optional String The DHCP User Class Id, as defined by RFC 3004.
DhcpUserClass Optional String The DHCP User Class, as defined by RFC 3004.
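As an added illustration of the normalization rules in the two tables above (inserting the colons the Windows DHCP server omits from MAC addresses, keeping the raw QResult in EventOriginalResultDetails, reporting quarantined clients as Partial, and deriving DvcAction and EventSeverity), here is a small Python normalizer. It is not part of this page or of Microsoft's ASIM parsers; the Windows DHCP audit-log column order, event IDs and QResult codes it relies on are assumptions, and the log rows are constructed.

```python
import re

# Constructed sample rows in the Windows DHCP server audit-log CSV layout (an assumption about
# that log's column order, not something the schema page defines):
# ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult
SAMPLE_LOG = """\
10,03/14/22,09:15:01,Assign,192.168.12.1,DESKTOP-1282V4D,06109FEB8F14,,2099570186,0
11,03/14/22,09:16:05,Renew,192.168.12.3,LAPTOP-77,0A1B2C3D4E5F,,2099570187,0
15,03/14/22,09:17:10,Deny,,ROGUE-PC,DEADBEEF0001,,2099570188,2
10,03/14/22,09:18:22,Assign,10.50.0.9,GUEST-PC,00112233AABB,,2099570189,1
"""

# Assumed mappings: Windows audit-log event IDs -> ASIM EventType (unsatisfied lease requests,
# IDs 14 and 15, are still Assign attempts) and QResult codes -> EventResultDetails.
EVENT_TYPE = {10: "Assign", 11: "Renew", 12: "Release", 14: "Assign", 15: "Assign",
              30: "DNS Update", 31: "DNS Update", 32: "DNS Update"}
QRESULT_DETAILS = {"1": "Quarantined", "2": "Denied"}
DVC_ACTION = {"Quarantined": "Quarantine", "Denied": "Deny", "Exhausted": "Deny"}
SEVERITY = {"Quarantined": "Low", "Denied": "Medium"}  # otherwise Informational, per the page

def normalize_mac(raw: str) -> str:
    """Windows logs the MAC without separators; ASIM wants colon-separated lowercase octets."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def normalize_record(line: str, dvc_hostname: str) -> dict:
    """Map one audit-log row to the ASIM DHCP fields this page discusses."""
    f = line.split(",")
    event_id, ip, host, mac, txid, qresult = int(f[0]), f[4], f[5], f[6], f[8], f[9]
    details = "Exhausted" if event_id == 14 else QRESULT_DETAILS.get(qresult)
    if event_id == 15 and details is None:   # denied lease with no quarantine code
        details = "Denied"
    return {
        "EventType": EVENT_TYPE[event_id],
        # A quarantined client is reported as Partial, any other rejection as Failure.
        "EventResult": "Partial" if details == "Quarantined" else ("Failure" if details else "Success"),
        "EventResultDetails": details,
        "EventOriginalResultDetails": qresult,   # raw QResult value, kept as the page instructs
        "DvcAction": DVC_ACTION.get(details, "Allow"),
        "EventSeverity": SEVERITY.get(details, "Informational"),
        "SrcIpAddr": ip or None,                 # nothing was leased on a denial
        "SrcHostname": host or ip,               # fall back to the IP when no name is logged
        "SrcMacAddr": normalize_mac(mac),
        "DhcpSessionId": txid,
        "DvcHostname": dvc_hostname, "EventVendor": "Microsoft", "EventProduct": "DHCP Server",
        "EventSchema": "Dhcp", "EventSchemaVersion": "0.1.0", "EventCount": 1,
    }
```

Run it over each line of SAMPLE_LOG with the DHCP server's hostname to see how the same source rows land in the schema's EventResult, DvcAction and EventSeverity values.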

Next steps

For more information, see: