Azure Monitor Table Reference

Schema of (Commonly Used) Microsoft/Azure Data Sources in Azure Sentinel

In order to interpret the data or write better Analytics Rules, it is important to first understand what information is made available within each data source (ie. what are the columns) and what does each field represent (ie. column description).

A useful reference for most Microsoft or Azure data sources can be found within this documentation).

Common References

• AuditLogs
• AWSCloudTrail
• AzureActivity
• AzureDiagnostics
• BehaviorAnalytics
• CommonSecurityLog
• DeviceFileEvents
• DHCPActivity
• Dynamics365Activity
• HDInsightSecurityLogs
• HuntingBookmark
• LinuxAuditLog
• McasShadowItReporting
• OfficeActivity
• ProtectionStatus
• SecurityAlert
• SecurityBaseline
• SecurityBaselineSummary
• SecurityDetection
• SecurityEvent
• SecurityIncident
• SecurityIoTRawEvent
• SecurityRecommendation
• SigninLogs
• Syslog
• SysmonEvent
• ThreatIntelligenceIndicator
• Update
• UserAccessAnalytics
• UserPeerAnalytics
• VMComputer
• VMConnection
• W3CIISLog
• Watchlist
• WindowsEvent
• WindowsFirewall
• WireData