Azure Sentinel Tables and Structure
The following post Azure Sentinel Tables and Structure, describe the table and structure in Azure Sentinel. Azure Sentinel Data is based on Azure Log Analytics, and this is similar to Azure Monitor itself.
Data in Azure Sentinel Logs are stored in either a Log Analytics workspace. Azure Data Explorer and the meaning power them that they leverage its powerful data engine and query language.
Azure Sentinel Data is organized into tables, each of which stores different kinds of data and has its own unique set of properties. Most data sources will write to their tables in a Log Analytics workspace.
Log queries are very flexible, allowing you to easily combine data from multiple tables and even use a cross-resource query to combine tables in multiple workspaces or write queries that combine workspace and application data.
The following image shows data sources that write to different tables that are used in queries:
Different kinds of data are stored in separate tables in the Azure Log Analytics workspace, and each table has a unique set of properties.
When created, a standard set of tables is added to a workspace, and new tables are added for different data sources, solutions, and services as they’re onboarded.
Note: you can also create custom tables using the Data Collector API.
You can browse the tables in a workspace in Log Analytics for the workspace.
- Tables and columns have metadata to allow you to find what you need with ease.
- Tables now have a short description, so it’s easier to understand the table’s purpose.
- All tables are now tagged with additional information – resource type, category, and solution.
Table Name and Description
Azure Sentinel has more than 50 tables, and each table has its purpose, and for example, the table name and description in the following image:
To the full Azure Sentinel tables essential list, go to the following location Azure Sentinel Tables.
All data collected by Azure Sentinel Logs are stored in a Log Analytics workspace.
Data Sources such as activity logs and resource logs from Azure resources, agents on virtual machines, and data from insights and monitoring solutions will write data to one or more workspaces that you configure as part of their onboarding.
Other services such as Azure Security Center use a Log Analytics workspace to store their data to be analyzed using log queries and monitoring data from other sources.
How to view all existing tables in Azure Sentinel? Run the following command:
union withsource = table *
| summarize count() by table
| sort by table asc
Each table has a unique set of properties. When created, a standard set of tables is added to a workspace, and new tables are added for different data sources, solutions, and services as they’re onboarded.
Note: You can also create custom tables using the Data Collector API.