What Changed
Major schema compliance enhancement to ASIM Authentication parser for Microsoft 365 Defender Device Logon Events improving normalization standards.
Parser Impact
Schema Normalization: Removed the unnormalized process and hash fields from the main output and relocated them into AdditionalFields:
- Acting process metadata (command line, creation time, integrity level, hashes)
- Parent process information
- Process hash details (MD5, SHA1, SHA256)
Field Restructuring: Enhanced AdditionalFields bag structure using bag_merge to preserve both original additional fields and unnormalized process metadata for downstream analysis.
Performance Optimization: Switched the event-time filter from TimeGenerated to the Timestamp field and explicitly added the Type field so the source table is identified in the output.
Version Update: Schema version updated to 0.2.0 reflecting significant normalization improvements.
No change to core authentication logic or entity mappings — safe for existing detections. Previously exposed process fields now accessible via AdditionalFields for specialized hunting queries requiring process context.
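The relocation pattern described above, shown as an added KQL illustration that is not the parser's own code: it assumes the DeviceLogonEvents column names from Defender XDR advanced hunting, the starttime/endtime parameters used by other ASIM parsers, and illustrative key names inside the bag (the real parser's keys may differ).

```kql
// Added example, not code from the ASIM parser. Assumptions: DeviceLogonEvents
// column names as in Defender XDR advanced hunting; the bag key names below
// are illustrative and may not match the real parser's choices.
let starttime = datetime(null);
let endtime = datetime(null);
let DeviceLogonAuthExample = () {
    DeviceLogonEvents
    // Filter on Timestamp (the event time) rather than TimeGenerated
    | where (isnull(starttime) or Timestamp >= starttime)
        and (isnull(endtime) or Timestamp <= endtime)
    // Keep the original AdditionalFields bag and fold the unnormalized process
    // metadata into it; bag_merge keeps keys from both sides
    | extend AdditionalFields = bag_merge(
          todynamic(AdditionalFields),
          bag_pack(
              "ActingProcessCommandLine",    InitiatingProcessCommandLine,
              "ActingProcessCreationTime",   InitiatingProcessCreationTime,
              "ActingProcessIntegrityLevel", InitiatingProcessIntegrityLevel,
              "ActingProcessMD5",            InitiatingProcessMD5,
              "ActingProcessSHA1",           InitiatingProcessSHA1,
              "ActingProcessSHA256",         InitiatingProcessSHA256,
              "ParentProcessName",           InitiatingProcessParentFileName,
              "ParentProcessId",             InitiatingProcessParentId))
    // Schema version from this change and an explicit Type for table identification
    | extend EventSchemaVersion = "0.2.0", Type = "DeviceLogonEvents"
    // The raw process columns are no longer part of the normalized output
    | project-away InitiatingProcessCommandLine, InitiatingProcessCreationTime,
        InitiatingProcessIntegrityLevel, InitiatingProcessMD5, InitiatingProcessSHA1,
        InitiatingProcessSHA256, InitiatingProcessParentFileName, InitiatingProcessParentId
};
// Downstream hunting query: process context is read back out of the bag.
// Hashes of processes behind failed logons, grouped for triage.
DeviceLogonAuthExample()
| where ActionType == "LogonFailed"
| extend ActingProcessSHA256 = tostring(AdditionalFields.ActingProcessSHA256),
         ActingProcessCommandLine = tostring(AdditionalFields.ActingProcessCommandLine)
| where isnotempty(ActingProcessSHA256)
| summarize FailedLogons = count(), Devices = dcount(DeviceName)
    by ActingProcessSHA256, ActingProcessCommandLine
| order by FailedLogons desc
```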
Affected Files
Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json
Parsers/ASimAuthentication/Parsers/ASimAuthenticationM365Defender.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationM365Defender.yaml