CSL
The Common Security Log (CSL) is a standardized schema used in Microsoft Sentinel. It defines the common fields, schema categories, and event types listed below.
Common Fields:
| Field Category | Fields | Description |
|---|---|---|
| Base Fields | TimeGenerated, Type, TenantId, SourceSystem, Computer | Core fields for event identification and source tracking |
| Identity Fields | AccountName, AccountDomain, UserPrincipalName, UserId | User identification and authentication tracking |
| Network Fields | SourceIP, DestinationIP, SourcePort, DestinationPort | Network communication endpoints |
| Security Fields | Activity, Status, ResultType, ResultDescription | Security operation outcomes and status information |
Schema Categories:
| Category | Fields | Purpose |
|---|---|---|
| Authentication | LogonType, AuthenticationMethod, LogonProcessName, ImpersonationLevel | Track authentication events and access control |
| Network Session | Protocol, Direction, BytesSent, BytesReceived, Duration | Monitor network communications and traffic patterns |
| Process | ProcessName, CommandLine, ProcessId, ParentProcessName | Track process creation and execution |
| File | FileName, FilePath, FileHash, FileOperation | Monitor file access and modifications |
| Registry | RegistryKey, RegistryValueName, RegistryValueData | Track registry changes and access |
Event Types:
| Type | Event Classes | Description |
|---|---|---|
| Authentication | SignInLogs, AuditLogs, AADNonInteractiveUserSignInLogs | Authentication-related events and outcomes |
| Security | SecurityEvent, SecurityAlert, SecurityIncident | Security-related events and alerts |
| Network | AzureNetworkAnalytics, CommonSecurityLog, DnsEvents | Network activity and communications |
| Identity | IdentityInfo, IdentityDirectoryEvents, IdentityLogonEvents | Identity and directory service events |
| Endpoint | DeviceEvents, DeviceProcessEvents, DeviceFileEvents | Endpoint detection and response events |
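As an added example (not part of the original page or of Sentinel's own tooling), the following Python shows how the Base, Identity, Network and Security fields above can be used directly in detection logic: events are validated for the Base Fields, then failed Logon events are grouped by SourceIP to flag a source that fails against many distinct AccountNames inside a short window. The record layout (dicts keyed by the page's field names) and every sample value are constructed assumptions.

```python
"""Added example: validate CSL-shaped events and run a spray-style detection.
Field names follow the page's tables; all sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE_FIELDS = ("TimeGenerated", "Type", "TenantId", "SourceSystem", "Computer")

def ev(ts, account, source_ip, status):
    """Build a constructed CSL-shaped event (field names assumed from the page)."""
    return {"TimeGenerated": ts, "Type": "SecurityEvent", "TenantId": "tenant-placeholder",
            "SourceSystem": "OpsManager", "Computer": "dc01", "AccountName": account,
            "SourceIP": source_ip, "Activity": "Logon", "Status": status}

# Constructed sample input: one source fails against five accounts in five
# minutes, a second source retries one account, one record lacks Base Fields.
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:00Z", "alice", "203.0.113.5", "Failure"),
    ev("2024-01-01T10:01:00Z", "bob", "203.0.113.5", "Failure"),
    ev("2024-01-01T10:02:00Z", "carol", "203.0.113.5", "Failure"),
    ev("2024-01-01T10:03:00Z", "dave", "203.0.113.5", "Failure"),
    ev("2024-01-01T10:04:00Z", "erin", "203.0.113.5", "Failure"),
    ev("2024-01-01T11:30:00Z", "frank", "203.0.113.5", "Failure"),  # outside window
    ev("2024-01-01T10:05:00Z", "alice", "198.51.100.7", "Failure"),
    ev("2024-01-01T10:06:00Z", "alice", "198.51.100.7", "Failure"),
    ev("2024-01-01T10:07:00Z", "alice", "198.51.100.7", "Success"),
    {"TimeGenerated": "2024-01-01T10:08:00Z", "Type": "SecurityEvent"},  # malformed
]

def has_base_fields(event):
    """Reject records missing any Base Field before they reach detection logic."""
    return all(event.get(f) for f in BASE_FIELDS)

def spray_sources(events, window=timedelta(minutes=10), min_failures=5, min_accounts=3):
    """Return {SourceIP: sorted distinct AccountNames} for sources with at least
    `min_failures` failed Logon events against `min_accounts` distinct accounts
    inside any `window`-long span that starts at one of their failures."""
    by_src = defaultdict(list)
    for e in filter(has_base_fields, events):
        if e.get("Activity") == "Logon" and e.get("Status") == "Failure":
            t = datetime.strptime(e["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
            by_src[e["SourceIP"]].append((t, e.get("AccountName")))
    hits = {}
    for src, rows in by_src.items():
        rows.sort()  # chronological, so each start index opens one window
        for i, (t0, _) in enumerate(rows):
            accounts = [a for t, a in rows[i:] if t - t0 <= window]
            if len(accounts) >= min_failures and len(set(accounts)) >= min_accounts:
                hits[src] = sorted(set(accounts))
                break
    return hits
```

The thresholds are tunable per environment; the windowed grouping is the part that carries over to a scheduled analytics rule on the same fields.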