What Changed

This change adds a new ASIM schema, AgentEvent, to Microsoft Sentinel. It normalizes events emitted by and about agents into one vendor-agnostic shape and establishes the framework for standardizing agent lifecycle events, configuration changes, and agent-to-platform communications across any source that ships a parser for the schema. The change contains the schema, the unifying and filtering parsers, and the test plumbing; no source-specific parsers are included yet.

Schema Structure

The new AgentEvent schema normalizes agent activity across three core areas:

  • Source Agent Fields: SrcAgentId, SrcAgentName, SrcAgentDescription — tracks the originating security agent
  • Target Agent Fields: TargetAgentId, TargetAgentName, TargetAgentUsername — identifies affected agents or platforms
  • Event Context: EventType, EventRequestId, EventSessionId — provides operational context for agent interactions

Key fields include agent blueprint identification, platform targeting, and detailed error reporting for agent failures.

Parser Infrastructure

Three foundational parsers are now available:

  • ASimAgentEvent — unifying parser without filtering parameters; unions every supported agent event source into the AgentEvent schema
  • imAgentEvent — filtering parser that accepts time range, agent ID, and username parameters, so the filter is pushed down to each source parser instead of being applied after normalization
  • vimAgentEventEmpty — parser that returns an empty table carrying every AgentEvent column with its type; the unifying parsers union it so their output always has the full schema, even when no source parser returns rows

Note that the unifying parser's ARM template and YAML in this change are named ASimAgentEntity (under Parsers/ASimAgentEvent/ARM and Parsers/ASimAgentEvent/Parsers) while the changelog is ASimAgentEvent.md. Check the deployed function name before referencing it in queries or analytics rules.
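The way a team plugs its own agent source into this infrastructure is a source-specific parser projected onto the schema fields, unioned into the custom hook whose file name appears in this change (Im_AgentEventCustom). The following KQL is an added example and is not code from the PR: MyVendorAgent_CL and its *_s columns are a constructed custom table standing in for a real agent platform's log table, the EventType values and EventSchemaVersion are placeholders, and the target columns are the AgentEvent fields named above plus the ASIM common fields (EventVendor, EventProduct, EventResult, EventCount, EventStartTime, EventEndTime, Dvc).

```kql
// Added example, not part of the PR. MyVendorAgent_CL is a constructed custom
// table; its *_s columns are assumptions standing in for a vendor's raw fields.
let vimAgentEventMyVendor = (
    starttime:datetime=datetime(null),
    endtime:datetime=datetime(null),
    disabled:bool=false) {
    MyVendorAgent_CL
    | where not(disabled)
    // Time filtering at the source: this is what the im* filtering parsers buy you
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | extend
        // ASIM common fields
        EventVendor        = "MyVendor",
        EventProduct       = "AgentPlatform",
        EventSchema        = "AgentEvent",
        EventSchemaVersion = "0.1",          // placeholder, use the published version
        EventCount         = int(1),
        EventStartTime     = TimeGenerated,
        EventEndTime       = TimeGenerated,
        // Placeholder mapping of vendor actions to normalized EventType values;
        // replace with the enumeration from the schema reference
        EventType = case(action_s == "start",  "AgentStart",
                         action_s == "stop",   "AgentStop",
                         action_s == "config", "AgentConfigChange",
                                               "AgentEvent"),
        EventResult        = iff(status_s == "ok", "Success", "Failure"),
        EventResultDetails = iff(status_s == "ok", "", error_s),
        // AgentEvent fields named in this change
        SrcAgentId          = agent_id_s,
        SrcAgentName        = agent_name_s,
        SrcAgentDescription = agent_desc_s,
        TargetAgentId       = target_id_s,
        TargetAgentName     = target_name_s,
        TargetAgentUsername = user_s,
        EventRequestId      = request_id_s,
        EventSessionId      = session_id_s,
        Dvc                 = host_s
    // Drop the raw vendor columns so only schema fields leave the parser
    | project-away *_s
};
// Shape of the Im_AgentEventCustom hook body: union the empty parser with each
// custom source parser. isfuzzy=true keeps the union running when one of the
// referenced functions has not been deployed yet.
union isfuzzy=true
    vimAgentEventEmpty,
    vimAgentEventMyVendor(starttime=ago(1d), endtime=now(), disabled=false)
```

Deploy the source parser as its own KQL function, then edit the deployed Im_AgentEventCustom (and ASim_AgentEventCustom, passing no filters) to reference it as shown; the built-in unifying parsers pick the custom hook up without modification. The ASIM parser tests under .script/tests/asimParsersTest in this change are the right gate for the mapping before it goes into an analytics rule.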

Detection Surface Unlocked

This schema enables monitoring of:

  • Agent deployment and configuration drift across the environment
  • Unauthorized agent modifications or tampering attempts
  • Agent communication failures that create visibility blind spots
  • Cross-platform agent lifecycle management events

The schema also defines fields for AI/ML agent interactions, including token usage, model provider identification, and thought process details, so LLM-driven agents can be normalized alongside conventional security agents and queried with the same detection logic.

Affected Files

.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
.github/workflows/runAsimSchemaAndDataTesters.yaml
.script/getModifiedASimSchemas.ps1
.script/tests/KqlvalidationsTests/CustomFunctions/_Im_AgentEvent.json
.script/tests/KqlvalidationsTests/FunctionSchemasLoaders/ParsersDatabase.cs
.script/tests/asimParsersTest/VerifyASimParserTemplate.py
ASIM/deploy/EmptyCustomUnifyingParsers/ASim_AgentEventCustom.json
ASIM/deploy/EmptyCustomUnifyingParsers/AgentEventDeploymentCustomUnifyingParsers.json
ASIM/deploy/EmptyCustomUnifyingParsers/FullDeploymentCustomUnifyingParsers.json
ASIM/deploy/EmptyCustomUnifyingParsers/Im_AgentEventCustom.json
ASIM/deploy/EmptyCustomUnifyingParsers/README.md
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAgentEvent/ARM/ASimAgentEntity/ASimAgentEntity.json
Parsers/ASimAgentEvent/ARM/ASimAgentEntity/README.md
Parsers/ASimAgentEvent/ARM/FullDeploymentAgentEvent.json
Parsers/ASimAgentEvent/ARM/README.md
Parsers/ASimAgentEvent/ARM/imAgentEvent/README.md
Parsers/ASimAgentEvent/ARM/imAgentEvent/imAgentEvent.json
Parsers/ASimAgentEvent/ARM/vimAgentEventEmpty/README.md
Parsers/ASimAgentEvent/ARM/vimAgentEventEmpty/vimAgentEventEmpty.json
Parsers/ASimAgentEvent/CHANGELOG/ASimAgentEvent.md
Parsers/ASimAgentEvent/CHANGELOG/imAgentEvent.md
Parsers/ASimAgentEvent/CHANGELOG/vimAgentEventEmpty.md
Parsers/ASimAgentEvent/Parsers/ASimAgentEntity.yaml
Parsers/ASimAgentEvent/Parsers/imAgentEvent.yaml
Parsers/ASimAgentEvent/Parsers/vimAgentEventEmpty.yaml
Parsers/ASimAgentEvent/README.md