
Sentinel Explained: Table Reference for SOC Analysts

Tyler Wall
3 min read
Jan 31, 2024
Below is a curated table reference for Sentinel. To start, I went through
the list of tables and picked out the ones I can remember using. This
reference will be kept updated and I encourage you to leave a comment
if you have one I should add.
AzureActivity: Azure activity such as creation, modification and deletion of Azure resources, and policy updates.

CommonSecurityLog: Logs from security devices that log via syslog using Common Event Format (CEF).

Event: Windows event log entries (excluding the Security event log).

OfficeActivity: Office 365 activity: Exchange, SharePoint, DLP, OneDrive.

SecurityAlert: Alert details (Sentinel, Security Center, MCAS, MSDATP, ATP, ADIP).

SecurityEvent: Windows Security event log entries.

SigninLogs: Azure Active Directory sign-in logs.

SecurityIncident: Incidents generated by security products.

UrlClickEvents: Events involving URLs clicked, selected, or requested in Microsoft Defender for Office 365.

IdentityLogonEvents: Authentication activities made through your on-premises Active Directory.

EmailEvents: Office 365 email events, including email delivery and blocking events.
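As an added example of how two of these tables are used together (this is not from the original article), the KQL query below joins EmailEvents with UrlClickEvents on NetworkMessageId to surface users who clicked through links in messages that Defender for Office 365 flagged as phishing or malware. Column names are assumed from the standard EmailEvents and UrlClickEvents schema, and the 7-day lookback is an arbitrary choice.

```kql
// Added example, not part of the article. Column names assume the
// standard EmailEvents / UrlClickEvents schema; the lookback is arbitrary.
let lookback = 7d;
// Messages Defender flagged as phishing or malware, with their delivery outcome
let flaggedMail = EmailEvents
    | where TimeGenerated > ago(lookback)
    | where ThreatTypes has_any ("Phish", "Malware")
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              Subject, DeliveryAction, ThreatTypes, MailTime = TimeGenerated;
// Clicks that were allowed, or where the user clicked through a warning page
UrlClickEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| project NetworkMessageId, AccountUpn, Url, ActionType, IsClickedThrough,
          ClickTime = TimeGenerated
// Tie each click back to the message that carried the link
| join kind=inner flaggedMail on NetworkMessageId
| where ClickTime >= MailTime
// One row per user and flagged message, with the URLs involved
| summarize Clicks = count(), FirstClick = min(ClickTime), LastClick = max(ClickTime),
            Urls = make_set(Url, 10)
          by AccountUpn, SenderFromAddress, Subject, ThreatTypes, DeliveryAction
| order by Clicks desc
```

Rows with a DeliveryAction of "Delivered" alongside an allowed click are the ones worth triaging first, since the message reached the mailbox and the user followed the link.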
