What Changed
- Removed Actor/Target user roles from AuditEvent, DhcpEvent, Dns, NetworkSession and WebSession schemas in ASimTester.csv
- Removed Target user roles from FileEvent and Registry schemas in ASimTester.csv
- Added Dst user roles for NetworkSession and WebSession schemas in ASimTester.csv
- Added ActorUserType/ActorScopeId/ActingProcessCommandLine columns to RegistryEvent schema in ASimTester.csv
- Aligned all empty parsers (vimXXXEmpty) to match ASimTester.csv and sorted fields alphabetically
Parser Impact
This change standardizes schema fields across 11 ASIM empty parsers covering Alert, Audit, Authentication, DHCP, DNS, File, Network Session, Process, Registry, User Management, and Web Session events. The changes are primarily to data structure definitions in the empty parsers rather than to active parsing logic: there is no change to normalised field names or filter logic for production data sources. The change is safe for existing detections using these parsers.
Field additions in RegistryEvent (ActorUserType, ActorScopeId, ActingProcessCommandLine) prepare for enhanced user context tracking in future registry monitoring scenarios. The removal of unused role fields eliminates schema bloat without impacting current detection coverage.
Affected Files
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventEmpty.md
Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml
Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json
Parsers/ASimAuditEvent/CHANGELOG/vimAuditEventEmpty.md
Parsers/ASimAuditEvent/Parsers/vimAuditEventEmpty.yaml
Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationEmpty.md
Parsers/ASimAuthentication/Parsers/vimAuthenticationEmpty.yaml
Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json
Parsers/ASimDhcpEvent/CHANGELOG/vimDhcpEventEmpty.md
Parsers/ASimDhcpEvent/Parsers/vimDhcpEventEmpty.yaml
Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json
Parsers/ASimDns/CHANGELOG/vimDnsEmpty.md
Parsers/ASimDns/Parsers/vimDnsEmpty.yaml
Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json
Parsers/ASimFileEvent/CHANGELOG/vimFileEventEmpty.md
Parsers/ASimFileEvent/Parsers/vimFileEventEmpty.yaml
Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
Parsers/ASimNetworkSession/CHANGELOG/vimNetworkSessionEmpty.md
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionEmpty.yaml
Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json
Parsers/ASimProcessEvent/CHANGELOG/vimProcessEmpty.md
Parsers/ASimProcessEvent/Parsers/vimProcessEmpty.yaml
Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json
Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json
Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json
Parsers/ASimRegistryEvent/CHANGELOG/vimRegistryEventEmpty.md
Parsers/ASimRegistryEvent/Parsers/vimRegistryEventEmpty.yaml
Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json
Parsers/ASimUserManagement/CHANGELOG/vimUserManagementEmpty.md
Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml
Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json
Parsers/ASimWebSession/CHANGELOG/vimWebSessionEmpty.md
Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml