Merge pull request #310701 from oshezaf/asim/minor-updates-2026-01-13

Added filtering parameters to missing schemas

Author: prmerger-automator[bot]

articles/sentinel/normalization-schema-dhcp.md

@@ -16,6 +16,31 @@ The DHCP information model is used to describe events reported by a DHCP server,
 
 For more information, see [Normalization and the Advanced Security Information Model (ASIM)](normalization.md).
 
+## Parsers
+
+For more information about ASIM parsers, see the [ASIM parsers overview](normalization-parsers-overview.md).
+
+### Filtering parser parameters
+
+The DHCP parsers support [filtering parameters](normalization-about-parsers.md#optimizing-parsing-using-parameters). While these parameters are optional, they can improve your query performance.
+
+The following filtering parameters are available:
+
+| Name     | Type      | Description |
+|----------|-----------|-------------|
+| **starttime** | datetime | Filter only DHCP events that occurred at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **endtime** | datetime | Filter only DHCP events that occurred at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **srcipaddr_has_any_prefix** | dynamic | Filter only DHCP events where the source IP address prefix matches any of the listed values. Prefixes should end with a `.`, for example: `10.0.`. |
+| **srchostname_has_any** | dynamic | Filter only DHCP events where the source hostname has any of the listed values. |
+| **srcusername_has_any** | dynamic | Filter only DHCP events where the source username has any of the listed values. |
+| **eventresult** | string | Filter only DHCP events with a specific event result. Use `*` to include all results. |
+
+For example, to filter only DHCP events from a specific IP address range in the last day, use:
+
+```kusto
+_Im_DhcpEvent (srcipaddr_has_any_prefix=dynamic(['10.0.']), starttime = ago(1d), endtime=now())
+```
+
 ## Schema overview
 
 The ASIM DHCP schema represents DHCP server activity, including serving requests for DHCP IP address leased from client systems and updating a DNS server with the leases granted.

articles/sentinel/normalization-schema-file-event.md

@@ -30,8 +30,31 @@ For the list of the file activity parsers Microsoft Sentinel provides out-of-the
 
 When implementing custom parsers for the File Event information model, name your KQL functions using the following syntax: `imFileEvent<vendor><Product`.
 
-Refer to the article [Managing ASIM parsers](normalization-manage-parsers.md) to learn how to add your custom parsers to the file activity  unifying parser.
+Refer to the article [Managing ASIM parsers](normalization-manage-parsers.md) to learn how to add your custom parsers to the file activity unifying parser.
 
+### Filtering parser parameters
+
+The File Event parsers support [filtering parameters](normalization-about-parsers.md#optimizing-parsing-using-parameters). While these parameters are optional, they can improve your query performance.
+
+The following filtering parameters are available:
+
+| Name     | Type      | Description |
+|----------|-----------|-------------|
+| **starttime** | datetime | Filter only file events that occurred at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **endtime** | datetime | Filter only file events that occurred at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **eventtype_in** | dynamic | Filter only file events where the event type is one of the values listed, such as `FileCreated`, `FileModified`, `FileDeleted`, `FileRenamed`, or `FileCopied`. |
+| **srcipaddr_has_any_prefix** | dynamic | Filter only file events where the source IP address prefix matches any of the listed values. Prefixes should end with a `.`, for example: `10.0.`. |
+| **actorusername_has_any** | dynamic | Filter only file events where the actor username has any of the listed values. |
+| **targetfilepath_has_any** | dynamic | Filter only file events where the target file path has any of the listed values. |
+| **srcfilepath_has_any** | dynamic | Filter only file events where the source file path has any of the listed values. |
+| **hashes_has_any** | dynamic | Filter only file events where the file hash matches any of the listed values. |
+| **dvchostname_has_any** | dynamic | Filter only file events where the device hostname has any of the listed values. |
+
+For example, to filter only file creation and modification events from the last day, use:
+
+```kusto
+_Im_FileEvent (eventtype_in=dynamic(['FileCreated','FileModified']), starttime = ago(1d), endtime=now())
+```
 
 ## Normalized content
 

articles/sentinel/normalization-schema-registry-event.md

@@ -35,6 +35,29 @@ When implementing custom parsers for the Registry Event information model, name
 
 Add your KQL functions to the `imRegistry` unifying parsers to ensure that any content using the Registry Event model also uses your new parser.
 
+### Filtering parser parameters
+
+The Registry Event parsers support [filtering parameters](normalization-about-parsers.md#optimizing-parsing-using-parameters). While these parameters are optional, they can improve your query performance.
+
+The following filtering parameters are available:
+
+| Name     | Type      | Description |
+|----------|-----------|-------------|
+| **starttime** | datetime | Filter only registry events that occurred at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **endtime** | datetime | Filter only registry events that occurred at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **eventtype_in** | dynamic | Filter only registry events where the event type is one of the values listed, including: `RegistryKeyCreated`, `RegistryKeyDeleted`, `RegistryKeyRenamed`, `RegistryValueDeleted`, or `RegistryValueSet`. |
+| **actorusername_has_any** | dynamic | Filter only registry events where the actor username has any of the listed values. |
+| **registrykey_has_any** | dynamic | Filter only registry events where the registry key has any of the listed values. |
+| **registryvalue_has_any** | dynamic | Filter only registry events where the registry value has any of the listed values. |
+| **registrydata_has_any** | dynamic | Filter only registry events where the registry data has any of the listed values. |
+| **dvchostname_has_any** | dynamic | Filter only registry events where the device hostname has any of the listed values. |
+
+For example, to filter only registry key creation events from the last day, use:
+
+```kusto
+_Im_RegistryEvent (eventtype_in=dynamic(['RegistryKeyCreated']), starttime = ago(1d), endtime=now())
+```
+
 ## Normalized content
 
 Microsoft Sentinel provides the [Persisting Via IFEO Registry Key](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PersistViaIFEORegistryKey.yaml) hunting query. This query works on any registry activity data normalized using the Advanced Security Information Model.

articles/sentinel/normalization-schema-user-management.md

@@ -31,6 +31,31 @@ Some activities, such as **UserCreated**, **GroupCreated**, **UserModified**, an
 - [PreviousPropertyValue](#previouspropertyvalue) - the previous value of the property.
 - [NewPropertyValue](#newpropertyvalue) - the updated value of the property.
 
+## Parsers
+
+For more information about ASIM parsers, see the [ASIM parsers overview](normalization-parsers-overview.md).
+
+### Filtering parser parameters
+
+The User Management parsers support [filtering parameters](normalization-about-parsers.md#optimizing-parsing-using-parameters). While these parameters are optional, they can improve your query performance.
+
+The following filtering parameters are available:
+
+| Name     | Type      | Description |
+|----------|-----------|-------------|
+| **starttime** | datetime | Filter only user management events that occurred at or after this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **endtime** | datetime | Filter only user management events that occurred at or before this time. This parameter filters on the `TimeGenerated` field, which is the standard designator for the time of the event, regardless of the parser-specific mapping of the EventStartTime and EventEndTime fields. |
+| **srcipaddr_has_any_prefix** | dynamic | Filter only user management events where the source IP address prefix matches any of the listed values. Prefixes should end with a `.`, for example: `10.0.`. |
+| **targetusername_has_any** | dynamic | Filter only user management events where the target username has any of the listed values. |
+| **actorusername_has_any** | dynamic | Filter only user management events where the actor username has any of the listed values. |
+| **eventtype_in** | dynamic | Filter only user management events where the event type is one of the listed values, such as `UserCreated`, `UserDeleted`, `UserModified`, `PasswordChanged`, or `GroupCreated`. |
+
+For example, to filter only user creation events from the last day, use:
+
+```kusto
+_Im_UserManagement (eventtype_in=dynamic(['UserCreated']), starttime = ago(1d), endtime=now())
+```
+
 ## Schema details
 
 ### Common ASIM fields