Microsoft Sentinel ASIM Agent Event normalization schema reference

The Microsoft Sentinel Agent Event normalization schema represents events associated with the activities and telemetry of AI agents operating throughout enterprise environments. These events capture the full spectrum of agent interactions, including model invocations, tool usage, token consumption, thought processes, and communication between source and target agents. These activities are generated by a wide range of AI agent platforms and frameworks, each producing telemetry in its own format.

Every AI agent platform logs agent events as part of its operational telemetry. Normalizing these events with the ASIM schema lets security analysts correlate agent behavior across platforms, detect anomalous patterns, and investigate incidents without having to learn each source's proprietary format.

For more information about normalization in Microsoft Sentinel, see Normalization and the Advanced Security Information Model (ASIM).

Parsers

Deploying and using agent event parsers

Deploy the ASIM Agent Event parsers from the Microsoft Sentinel GitHub repository. To query all agent event sources, use the unifying parser _Im_AgentEvent as the table name in your query.

For more information about using ASIM parsers, see the ASIM parsers overview.

Add your own normalized parsers

When implementing custom parsers for the Agent Event information model, name your KQL functions using the following syntax:

  • ASimAgentEvent<vendor><Product> for regular parsers
  • vimAgentEvent<vendor><Product> for parameterized parsers

To add custom parsers to the Agent Event unifying parser, see Managing ASIM parsers.
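The following is an added example of a parameterized source-specific parser written for this schema; it is not a parser from the Microsoft Sentinel repository. Everything about the source is assumed: the custom table ContosoAgentLogs_CL, its column names, and the vendor and product names (Contoso, AgentHub). The function would be saved as vimAgentEventContosoAgentHub, following the naming syntax above, and carries the same filtering parameters the unifying parser exposes plus the disabled switch that ASIM parsers conventionally accept.

```kusto
// Added example, not a parser from the Microsoft Sentinel repository.
// Assumptions (not on the page): raw events sit in a custom table named
// ContosoAgentLogs_CL with the columns referenced below; vendor "Contoso",
// product "AgentHub". Save the function as vimAgentEventContosoAgentHub
// (parameterized parser) before adding it to the _Im_AgentEvent unifying parser.
let parser = (
    starttime: datetime = datetime(null),
    endtime: datetime = datetime(null),
    agentid_has_any: dynamic = dynamic([]),
    agentname_has_any: dynamic = dynamic([]),
    username_has_any: dynamic = dynamic([]),
    disabled: bool = false
) {
    ContosoAgentLogs_CL
    | where not(disabled)
    // Apply the filtering parameters first, on raw columns, so the engine
    // prunes rows before the projection work below.
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | where array_length(agentid_has_any) == 0
        or source_agent_id_s has_any (agentid_has_any)
        or target_agent_id_s has_any (agentid_has_any)
    | where array_length(agentname_has_any) == 0
        or source_agent_name_s has_any (agentname_has_any)
        or target_agent_name_s has_any (agentname_has_any)
    | where array_length(username_has_any) == 0
        or user_name_s has_any (username_has_any)
    // Mandatory common fields
    | extend
        EventCount = int(1),
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        EventVendor = "Contoso",
        EventProduct = "AgentHub",
        EventSchema = "AgentEvent",
        EventSchemaVersion = "0.1.0"
    // Recommended and optional common fields
    | extend
        EventUid = _ItemId,
        EventOriginalUid = event_id_s,
        EventOriginalType = operation_s,   // the source's own operation name, kept verbatim
        EventType = operation_s,
        EventOriginalResultDetails = result_s
    // Source agent, target agent and actor fields
    | extend
        SrcAgentId = source_agent_id_s,
        SrcAgentName = source_agent_name_s,
        SrcIpAddr = client_ip_s,
        TargetAgentId = target_agent_id_s,
        TargetAgentName = target_agent_name_s,
        ActorUsername = user_name_s,
        ActorUsernameType = iff(user_name_s contains "@", "UPN", "Simple"),
        ActingAppName = calling_app_s
    // Model, token, tool, session and request fields
    | extend
        ModelProviderName = model_provider_s,
        ModelName = model_name_s,
        InputTokensUsed = tolong(input_tokens_d),
        OutputTokensUsed = tolong(output_tokens_d),
        ToolId = tool_id_s,
        ToolName = tool_name_s,
        EventSessionId = session_id_s,
        EventRequestId = request_id_s,
        EventRequestTemperature = todouble(temperature_d),
        EventErrorDetails = error_message_s,
        EventFinishReasons = todynamic(finish_reasons_s)
    // Drop the raw columns so only normalized fields are returned
    | project-away *_s, *_d
};
parser(
    starttime = starttime,
    endtime = endtime,
    agentid_has_any = agentid_has_any,
    agentname_has_any = agentname_has_any,
    username_has_any = username_has_any,
    disabled = disabled
)
```

The filters on the raw columns run before any extend, which is what makes the parameters a performance feature rather than a cosmetic one: the unifying parser passes the same values down to every source parser, and a parser that only filtered after normalizing would still scan the whole table.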

Filtering parser parameters

The agent event parsers support filtering parameters. While these parameters are optional, they can improve your query performance.

The following filtering parameters are available:

| Name | Type | Description |
|---|---|---|
| starttime | datetime | Filter only events that ran at or after this time. This parameter uses the TimeGenerated field as the time designator of the event. |
| endtime | datetime | Filter only events that finished running at or before this time. This parameter uses the TimeGenerated field as the time designator of the event. |
| agentid_has_any | dynamic | Filter only events that have any of the agent IDs, as represented in the SrcAgentId, TargetAgentId, or PlatformTargetAgentId field. |
| agentname_has_any | dynamic | Filter only events that have any of the agent names, as represented in the SrcAgentName, TargetAgentName, or PlatformTargetAgentName field. |
| username_has_any | dynamic | Filter only events that have any of the listed user names, as represented in the ActorUsername field. |

Some parameters accept either a list of values of type dynamic or a single string value. To pass a literal list to a parameter that expects a dynamic value, use a dynamic literal explicitly, for example: dynamic(['192.168.','10.'])

For example, to filter only agent events with the agent name M365Planner from the last day, use:

_Im_AgentEvent (agentname_has_any=dynamic(['M365Planner']), starttime = ago(1d), endtime=now())

Schema details

Common ASIM fields

Important

Fields common to all schemas are described in detail in the ASIM Common Fields article.

Common fields with specific guidelines

The following list mentions fields that have specific guidelines for agent events:

| Field | Class | Type | Description |
|---|---|---|---|
| EventOriginalType | Optional | String | Describes the operation called by the agent that initiated the event. Because this is an evolving space where agents can perform a vast number of actions, we have not enforced a set of enumerations for EventType. |
| EventSchema | Mandatory | Enumerated | The name of the schema documented here is AgentEvent. |
| EventSchemaVersion | Mandatory | SchemaVersion (String) | The version of the schema. The version of the schema documented here is 0.1.0. |

All common fields

Fields in this table are common to all ASIM schemas. Any guidelines specified in this document override the general guidelines for each field. For example, a field might be optional in general, but mandatory for a specific schema. For more information on each field, see the ASIM Common Fields article.

| Class | Fields |
|---|---|
| Mandatory | EventCount, EventStartTime, EventEndTime, EventProduct, EventVendor, EventSchema, EventSchemaVersion |
| Recommended | EventUid |
| Optional | EventOriginalUid, EventOriginalType, EventOriginalResultDetails, AdditionalFields |

Source agent information

| Field | Class | Type | Description |
|---|---|---|---|
| SrcAgentId | Recommended | String | The unique ID of the source agent. |
| SrcAgentName | Recommended | String | The name of the source agent. |
| SrcAgentOriginalType | Optional | String | The original type of the source agent. |
| SrcAgentDescription | Optional | String | A description of the source agent. |
| SrcAgentBlueprintId | Optional | String | The blueprint ID of the source agent. |
| SrcIpAddr | Optional | String | The IP address of the source. |
| SrcFQDN | Optional | String | The fully qualified domain name of the source. |
| SrcPortNumber | Optional | int | The port number of the source. |

Target agent fields

| Field | Class | Type | Description |
|---|---|---|---|
| TargetAgentId | Optional | String | The unique ID of the target agent. |
| TargetAgentName | Optional | String | The name of the target agent. |
| TargetAgentUsername | Optional | String | The username of the target agent. |
| TargetAgentUserId | Optional | String | The user ID of the target agent. |
| TargetAgentOriginalType | Optional | String | The original type of the target agent. |
| TargetAgentDescription | Optional | String | A description of the target agent. |
| TargetAgentBlueprintId | Optional | String | The blueprint ID of the target agent. |

Platform target agent fields

| Field | Class | Type | Description |
|---|---|---|---|
| PlatformTargetAgentId | Optional | String | The unique ID of the platform target agent. |
| PlatformTargetAgentName | Optional | String | The name of the platform target agent. |
| PlatformTargetAgentDescription | Optional | String | A description of the platform target agent. |
| PlatformTargetOriginalAgentType | Optional | String | The original type of the platform target agent. |

Actor fields

| Field | Class | Type | Description |
|---|---|---|---|
| ActorUserId | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for other IDs, see The User entity. Example: S-1-12-1-4141952679-1282074057-627758481-2916039507 |
| ActorUserIdType | Optional | String | The type of the ID stored in the ActorUserId field. For more information and a list of allowed values, see UserIdType in the Schema Overview article. |
| ActorUserScope | Optional | String | The scope, such as Microsoft Entra Domain Name, in which ActorUserId and ActorUsername are defined. For more information and a list of allowed values, see UserScope in the Schema Overview article. |
| ActorUserScopeId | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. For more information and a list of allowed values, see UserScopeId in the Schema Overview article. |
| ActorUsername | Optional | Username (String) | The Actor's username, including domain information when available. For more information, see The User entity. Example: AlbertE |
| ActorUsernameType | Optional | String | Specifies the type of the user name stored in the ActorUsername field. For more information and a list of allowed values, see UsernameType in the Schema Overview article. Example: Windows |
| ActingAppId | Optional | String | The ID of the application that initiated the activity reported, including a process, browser, or service. For example: 0x12ae8 |
| ActingAppName | Optional | String | The name of the application that initiated the activity reported, including a service, a URL, or a SaaS application. For example: C:\Windows\System32\svchost.exe |
| ActingAppType | Optional | AppType | The type of acting application. For more information and a list of allowed values, see AppType in the Schema Overview article. |
| ActingOriginalAppType | Optional | String | The type of the application that initiated the activity as reported by the reporting device. |

Model fields

| Field | Class | Type | Description |
|---|---|---|---|
| ModelProviderName | Optional | String | The name of the model provider. |
| ModelName | Optional | String | The name of the model. |

Token fields

| Field | Class | Type | Description |
|---|---|---|---|
| InputTokensUsed | Optional | long | The number of input tokens used. |
| OutputTokensUsed | Optional | long | The number of output tokens used. |

Tool fields

| Field | Class | Type | Description |
|---|---|---|---|
| ToolId | Optional | String | The unique ID of the tool. |
| ToolName | Optional | String | The name of the tool. |
| ToolDescription | Optional | String | A description of the tool. |
| ToolOriginalType | Optional | String | The original type of the tool. |

Event-specific fields

| Field | Class | Type | Description |
|---|---|---|---|
| EventSessionId | Optional | String | The unique ID of the event session. |
| EventSessionName | Optional | String | The name of the event session. |
| EventType | Optional | String | The type of the event. |
| EventOriginalType | Optional | String | The original type of the event as reported by the source. |
| EventRequestId | Optional | String | The unique ID of the event request. |
| EventRequestTemperature | Optional | double | The temperature parameter of the event request. |
| EventRequestTopP | Optional | double | The top-p parameter of the event request. |
| EventRequestPresencePenalty | Optional | double | The presence penalty parameter of the event request. |
| EventRequestFrequencyPenalty | Optional | double | The frequency penalty parameter of the event request. |
| EventRequestSeed | Optional | long | The seed parameter of the event request. |
| EventResponseId | Optional | String | The unique ID of the event response. |
| EventOriginalRequestDetails | Optional | String | The original request details as reported by the source. |
| EventOriginalResultDetails | Optional | String | The original result details as reported by the source. |
| EventErrorDetails | Optional | String | Details about the error associated with the event. |
| EventOriginalErrorType | Optional | String | The original error type as reported by the source. |
| EventThoughtProcessDetails | Optional | String | Details about the thought process associated with the event. |
| EventThoughtProcessId | Optional | String | The unique ID of the thought process. |
| EventFinishReasons | Optional | dynamic | The reasons the event finished. |
| EventOutputType | Optional | String | The type of the event output. |
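As an added example that is not part of the original page, the following hunting query ties the filtering parameters described earlier to the agent, tool, token and error fields in the tables above. It surfaces source agents that started calling a tool they had not used during a baseline period, which is the kind of behavioral change the schema is meant to make visible regardless of which platform produced the events. The 14-day baseline and 1-day detection window are assumed values; the field and parameter names are the ones documented on this page.

```kusto
// Added example, not from the page: a hunting query over the unifying parser.
// Assumptions (not on the page): a 14-day baseline and a 1-day detection window;
// adjust both to your environment. Everything else uses only the filtering
// parameters and schema fields documented on this page.
let baseline_window = 14d;
let detection_window = 1d;
// Agent/tool pairs observed during the baseline period. The starttime/endtime
// parameters bound the scan inside every source parser, not only after the union.
let baseline = _Im_AgentEvent(starttime=ago(baseline_window), endtime=ago(detection_window))
    | where isnotempty(SrcAgentName) and isnotempty(ToolName)
    | summarize BaselineCalls = count() by SrcAgentName, ToolName;
// Tool calls in the detection window, with the context an analyst needs to triage
let recent = _Im_AgentEvent(starttime=ago(detection_window), endtime=now())
    | where isnotempty(SrcAgentName) and isnotempty(ToolName)
    | summarize
        RecentCalls = count(),
        FirstSeen = min(EventStartTime),
        Sessions = dcount(EventSessionId),
        Users = make_set(ActorUsername, 20),
        Models = make_set(ModelName, 10),
        OutputTokens = sum(OutputTokensUsed),
        Errors = countif(isnotempty(EventErrorDetails))
      by SrcAgentName, ToolName;
// Keep only the agent/tool pairs that never appeared in the baseline
recent
| join kind=leftanti baseline on SrcAgentName, ToolName
| project FirstSeen, SrcAgentName, ToolName, RecentCalls, Sessions, Errors, OutputTokens, Users, Models
| order by FirstSeen desc
```

To scope the hunt to specific users or agents, pass username_has_any or agentname_has_any to both parser calls with the same dynamic literal; filtering later in the query would still pay for the full scan. The Errors and OutputTokens columns are there so a first-time tool call that also produced errors or unusually large output stands out in the result set without a second query.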