
Commit 9a69df4

Merge pull request #310697 from oshezaf/asim/minor-updates-2026-01-13
Asim/update functions doc
2 parents 01577ac + 19f9c7f commit 9a69df4

2 files changed

Lines changed: 36 additions & 3 deletions


articles/sentinel/normalization-common-fields.md

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -79,8 +79,8 @@ Each schema document specifies the role of the device for the schema.
7979
| <a name="dvcdomaintype"></a>**DvcDomainType** | Conditional | Enumerated | The type of [DvcDomain](#dvcdomain). For a list of allowed values and further information, refer to [DomainType](normalization-entity-device.md#domaintype).<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |
8080
| <a name="dvcfqdn"></a>**DvcFQDN** | Optional | FQDN (String) | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>**Note**: This field supports both traditional FQDN format and Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. |
8181
| <a name = "dvcdescription"></a>**DvcDescription** | Optional | String | A descriptive text associated with the device. For example: `Primary Domain Controller`. |
82-
| <a name ="dvcid"></a>**DvcId** | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` |
83-
| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). For a list of allowed values and further information, refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId** and **DvcMDEid**, respectively.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |
82+
| <a name ="dvcid"></a>**DvcId** | Optional | String | The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names **DvcAzureResourceId**, **DvcMDEid**, etc. |
83+
| <a name="dvcidtype"></a>**DvcIdType** | Conditional | Enumerated | The type of [DvcId](#dvcid). The list of allowed values is `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, `AppGateId`, `FQDN`, and `Other`. Using `FQDN` as a device ID, implies reusing the hostname. Use it only as a last resort.<br><br>**Note**: This field is required if the [DvcId](#dvcid) field is used. |
8484
| <a name="dvcmacaddr"></a>**DvcMacAddr** | Optional | MAC address | The MAC address of the device on which the event occurred or which reported the event. <br><br>Example: `00:1B:44:11:3A:B7` |
8585
| <a name="dvczone"></a>**DvcZone** | Optional | String | The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: `Dmz` |
8686
| <a name="dvcos"></a>**DvcOs** | Optional | String | The operating system running on the device on which the event occurred or which reported the event. <br><br>Example: `Windows` |
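Review bot: in the new DvcId row, "use the first one from the list" has lost its referent, because the list of ID types now lives in the DvcIdType row below rather than next to this sentence, and "etc." leaves open which ID types actually have a dedicated field. Suggest wording it as "If multiple IDs are available, use the one that appears first in the [DvcIdType](#dvcidtype) list, and store the others in the fields named for their type, such as **DvcAzureResourceId** and **DvcMDEid**", so the precedence order is stated explicitly; an enumerated value list on its own does not imply precedence. Also drop the stray comma in "Using `FQDN` as a device ID, implies reusing the hostname", and say what the caveat means in practice: with `FQDN` as the ID type, DvcId carries the same value as DvcFQDN rather than a distinct identifier, which is the reason it should be the last resort.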

articles/sentinel/normalization-functions.md

Lines changed: 34 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -53,6 +53,8 @@ For more information on scalar and tabular functions (represented by the lookup
5353
| **_ASIM_LookupDnsResponseCode** | Numeric DNS response code | Response code name | Translate a numeric DNS response code (RCODE) to its name, as defined by [IANA](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6) |
5454
| **_ASIM_LookupICMPType** | Numeric ICMP type | ICMP type name | Translate a numeric ICMP type to its name, as defined by [IANA](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types) |
5555
| **_ASIM_LookupNetworkProtocol** | IP protocol number | IP protocol name | Translate a numeric IP protocol code to its name, as defined by [IANA](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) |
56+
| **_ASIM_LookupHTTPStatusCode** | HTTP status code | HTTP status code name | Translate a numeric HTTP status code to its name, as defined by [IANA](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). Also supports extended status codes used by IIS and other web servers. |
57+
| **_ASIM_LookupAADcodes** | Microsoft Entra ID STS error code | Error category | Translate a Microsoft Entra ID STS error code to its error category, such as `Logon violates policy` or `No such user or password`. |
5658
5759
5860
### Resolve type functions
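Review bot: the _ASIM_LookupHTTPStatusCode row declares the input as a numeric HTTP status code and then says the function also supports the extended codes used by IIS; IIS substatus codes take the form `401.3`, which is not an integer, so the row should state the accepted input type (string, integer, or both) and give one extended-code example alongside the plain one. The _ASIM_LookupAADcodes row has the same gap: it does not say whether the input is the bare numeric code or the `AADSTS`-prefixed form that appears in sign-in error messages. Since the rest of the page uses "Microsoft Entra ID", a short note that "AAD" in the function name refers to Microsoft Entra ID would avoid confusion if the name itself cannot change. Finally, align the Input column wording with the adjacent rows ("Numeric HTTP status code") for consistency.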
@@ -78,13 +80,44 @@ The device resolution functions analyze a hostname and determine whether it has
7880
| -------- | ---------------- | ----------- |
7981
| **_ASIM_ResolveFQDN** | - `ExtractedHostname`<br> - `Domain`<br> - `DomainType` <br> - `FQDN` | Analyzes the value in the field specified and set the output fields accordingly. For more information, see [example](normalization-develop-parsers.md#resolvefqnd) in the article about developing parsers. |
8082
| **_ASIM_ResolveSrcFQDN** | - `SrcHostname`<br> - `SrcDomain`<br> - `SrcDomainType`<br> - `SrcFQDN` | Similar to `_ASIM_ResolveFQDN`, but sets the `Src` fields |
81-
| **_ASIM_ResolveDstFQDN** | - `DstHostname`<br> - `DstDomain`<br> - `DstDomainType`<br> - `SrcFQDN` | Similar to `_ASIM_ResolveFQDN`, but sets the `Dst` fields |
83+
| **_ASIM_ResolveDstFQDN** | - `DstHostname`<br> - `DstDomain`<br> - `DstDomainType`<br> - `DstFQDN` | Similar to `_ASIM_ResolveFQDN`, but sets the `Dst` fields |
8284
| **_ASIM_ResolveDvcFQDN** | - `DvcHostname`<br> - `DvcDomain`<br> - `DvcDomainType`<br> - `DvcFQDN` | Similar to `_ASIM_ResolveFQDN`, but sets the `Dvc` fields |
8385
86+
### User type functions
87+
88+
The user type functions help determine the type of user based on username patterns or security identifiers (SIDs).
89+
90+
| Function | Input | Output | Description |
91+
| -------- | ----- | ------ | ----------- |
92+
| **_ASIM_GetUsernameType** | Username string | Username type | Returns the username type based on the format of the username. Possible values include `UPN` (for email-like usernames), `Windows` (for domain\\user format), `DN` (for distinguished names), `Simple`, or empty if the username is empty. |
93+
| **_ASIM_GetWindowsUserType** | Username string, SID string | User type | Returns the user type for Windows systems based on the username and security identifier (SID). Possible values include `Admin`, `Guest`, `Service`, `Machine`, `System`, `Anonymous`, `Regular`, or `Other`. |
94+
| **_ASIM_GetUserType** | Username string, SID string | User type | **Deprecated.** Use `_ASIM_GetWindowsUserType` instead. Sets the UserType in Windows systems based on the username and SID. |
95+
8496
### Source identification functions
8597
8698
The **_ASIM_GetSourceBySourceType** function retrieves the list of sources associated with a source type provided as input from the `SourceBySourceType` Watchlist. The function is intended for use by parsers writers. For more information, see [Filtering by source type using a Watchlist](normalization-develop-parsers.md#filtering-by-source-type-using-a-watchlist).
8799
100+
The **_ASIM_GetDisabledParsers** function reads the `ASimDisabledParsers` watchlist and determines based on it whether the parser provided as a parameter is disabled. This function is used internally by ASIM parsers to support disabling specific parsers.
101+
102+
### Watchlist functions
103+
104+
The watchlist functions provide optimized methods for reading watchlists in ASIM parsers.
105+
106+
| Function | Input | Output | Description |
107+
| -------- | ----- | ------ | ----------- |
108+
| **_ASIM_GetWatchlistRaw** | Watchlist alias (string), optional keys (dynamic array) | Watchlist items | Reads a single watchlist in raw format. More performant than the general `_GetWatchlist` function. |
109+
| **_ASIM_GetWatchlistsRaw** | Watchlist aliases (dynamic array), optional keys (dynamic array) | Watchlist items | Reads multiple watchlists in raw format. The primary use case is providing an option for using multiple watchlist names for the same watchlist. |
110+
111+
## Identity enrichment functions
112+
113+
Identity enrichment functions help enrich your data with user information from the UEBA IdentityInfo table.
114+
115+
| Function | Input | Output | Description |
116+
| -------- | ----- | ------ | ----------- |
117+
| **_ASIM_IdentityInfo** | None | Normalized IdentityInfo table | Deduplicates and normalizes the [IdentityInfo table](ueba-reference.md#identityinfo-table) to improve its usability in queries. Returns a deduplicated table with ASIM-normalized field names. |
118+
| **_ASIM_Enrich_IdentityInfo** | Input table, field name parameters | Enriched table | Enriches your result set with user information from the [IdentityInfo table](ueba-reference.md#identityinfo-table). Use the parameters to specify which field to use for matching: `AadIdField`, `TenantIdField`, `SidField`, `UpnField`, or `EmailField`. |
119+
120+
88121
## <a name="next-steps"></a>Next steps
89122
90123
This article discusses the Advanced Security Information Model (ASIM) help functions.
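Review bot: in the `_ASIM_GetUsernameType` row, `domain\\user` inside a code span renders with both backslashes, because backslash is not an escape character in Markdown code spans; write `domain\user`, as the DvcFQDN row in the other file already does (`Contoso\DESKTOP-1282V4D`). Two structural points in the same hunk: "## Identity enrichment functions" is an H2, which places it at the same level as "Next steps" instead of beside "### Watchlist functions" and the other function-group sections, so it should be "###" unless a new top-level section is intended; and the `_ASIM_GetDisabledParsers` paragraph describes the function only in prose, while the plural name suggests a list and the description ("determines ... whether the parser ... is disabled") suggests a boolean, so its input (parser name) and output should be stated in the same Input/Output table form used for the other functions. Lastly, "Possible values include" in the two user-type rows leaves unclear whether the lists are exhaustive; if `_ASIM_GetWindowsUserType` returns values from the ASIM UserType field, link to that field's allowed-value list in the common fields article rather than repeating a partial list, and for `_ASIM_Enrich_IdentityInfo` say which columns the enrichment adds and whether the five field-name parameters are mutually exclusive or can be combined.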
