Microsoft Sentinel - Tables
Introduction
- In a Microsoft Sentinel Log Analytics workspace (LAW), the data collected by the various connectors lands in tables. The workspace groups those tables by the solution that created them, and each table has its own schema, its own retention setting and, usually, its own ingestion cost, so knowing which table holds what is the first step in writing detections and in keeping the bill under control.
Tables by Solution
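Before relying on any of the tables listed below, it is worth checking which of them your workspace actually receives data for. The two KQL queries here are an added example (not part of the original post): the first inventories billable ingestion per table from the `Usage` table, the second flags tables a typical set of Sentinel detections depends on that have gone silent. The list of expected tables is an assumption; replace it with the tables your own rules reference. Run each query separately in the Logs blade.

```kql
// Added example 1: what this workspace holds, by table and solution.
// Usage reports Quantity in MB per hour per DataType, so divide by 1024 for GB.
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2), LastIngested = max(TimeGenerated)
    by DataType, Solution
| order by IngestedGB desc

// Added example 2: tables our detections depend on (assumed list) that received
// nothing in the last 24h. isfuzzy=true keeps the union from failing if one of
// the tables does not exist in this workspace at all.
let Expected = datatable(TableName:string) [
    "SecurityEvent", "Syslog", "CommonSecurityLog", "SigninLogs", "AuditLogs", "OfficeActivity"
];
Expected
| join kind=leftouter (
    union withsource=TableName isfuzzy=true
        SecurityEvent, Syslog, CommonSecurityLog, SigninLogs, AuditLogs, OfficeActivity
    | where TimeGenerated > ago(24h)
    | summarize Rows = count(), LastSeen = max(TimeGenerated) by TableName
) on TableName
| project TableName, Rows = coalesce(Rows, long(0)), LastSeen
| where Rows == 0
```

A connector that is enabled but silent is the usual reason an analytics rule stops firing; the second query makes that visible without waiting for an incident that never arrives.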
1. AzureResources
ContainerLog
: Log lines written to stdout and stderr by containers in your AKS clusters, which covers application logs, system logs, and other output generated within the container environment.

KubePodInventory
: Contains inventory data about the pods running in your AKS clusters, sampled periodically, so there is more than one row per pod over time.

KubeNodeInventory
: Stores inventory data about the nodes in your AKS clusters.

KubeEvents
: Captures Kubernetes events, providing detailed information about what happens inside your AKS clusters, such as pod creations, deletions, scaling events, and errors.

KubePodNetworkInventory
: Contains network-related data about the pods in your AKS clusters, including IP addresses and network interfaces.

KubeContainerInventory
: Stores inventory data about the containers running within your AKS clusters, including container IDs, image names, statuses, and other relevant details.

KubePVInventory
: Contains inventory data about Persistent Volumes (PVs) in your AKS clusters, including volume names, capacities, statuses, and associated storage classes.

KubePersistentVolumeClaimInventory
: Stores inventory data about Persistent Volume Claims (PVCs) in your AKS clusters, including claim names, namespaces, statuses, and associated PVs.

KubeServices
: Contains data about the services running in your AKS clusters, including service names, types, cluster IPs, and associated endpoints.

KubeClusterInventory
: Provides inventory data about your AKS clusters, including cluster names, versions, and other high-level metadata.
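The inventory tables above are periodic snapshots, not change events, which trips people up when they filter on status directly. The following query is an added example (not from the original post) showing the idiomatic pattern: take the latest `KubePodInventory` row per pod first, then find the unhealthy ones and attach the `Warning` events Kubernetes raised for them from `KubeEvents`. The one-hour lookback is an assumed value.

```kql
// Added example: pods that are unhealthy right now, with their recent Warning events.
// arg_max() per pod is essential: without it a pod that crashed 50 minutes ago and
// has since recovered would still be reported as failed.
let lookback = 1h;   // assumed window
KubePodInventory
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, *) by ClusterName, Namespace, Name
| where PodStatus !in ("Running", "Succeeded")
| project ClusterName, Namespace, PodName = Name, PodStatus, ContainerStatus,
          ControllerKind, ControllerName
| join kind=leftouter (
    KubeEvents
    | where TimeGenerated > ago(lookback)
    | where ObjectKind == "Pod" and KubeEventType == "Warning"
    | summarize Warnings = count(), Reasons = make_set(Reason, 5), LastWarning = max(TimeGenerated)
        by ClusterName, Namespace, Name
) on ClusterName, Namespace, $left.PodName == $right.Name
| project-away Name, ClusterName1, Namespace1
| order by Warnings desc
```

Pods with a failed status but no matching warning usually mean the event has already aged out of the lookback window; widen `lookback` on the `KubeEvents` side rather than on the inventory side if that happens.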
2. LogManagement
AzureActivity
: Contains Azure Activity log entries: subscription-level control-plane operations such as who created, modified or deleted which resource, and whether the request succeeded.

SecurityEvent
: Stores Windows Security event log data collected through the Security Events connectors, capturing security-related events such as logons, privilege use, and policy changes.

Heartbeat
: One record per monitored machine per minute, sent by the Azure Monitor agent (or the legacy Log Analytics agent). Its main use is verifying agent health and spotting hosts that have stopped reporting.

Syslog
: Collects data from Linux Syslog, providing information about system events and logs.

AuditLogs
: Contains audit log data from Microsoft Entra ID (formerly Azure Active Directory), including user and group management activities, application activities, and directory-level events.

SigninLogs
: Stores interactive user sign-in activity from Microsoft Entra ID, including success and failure events. Non-interactive, service principal and managed identity sign-ins are written to separate tables, so a detection that only reads SigninLogs will miss them.

AzureDiagnostics
: Collects resource diagnostic logs from Azure services that send them in the legacy "Azure diagnostics" mode, where every service shares this one wide table; services configured in resource-specific mode write to dedicated tables instead.

OfficeActivity
: Contains data about user activities within Office 365, including Exchange, SharePoint and Teams actions such as email operations and file access.

VMComputer
: Populated by VM Insights; stores information about monitored machines, including metadata such as names, sizes, operating systems, and IP addresses.

CommonSecurityLog
: Contains Common Event Format (CEF) messages forwarded over syslog from network security devices such as firewalls, proxy servers, and other security appliances.

WindowsEvent
: Collects Windows event log data from channels other than Security, notably events delivered through the Windows Forwarded Events (WEF) connector; Security-channel events land in SecurityEvent instead.

Alert
: Contains Azure Monitor alert records (log search and metric alerts). Alerts raised by Sentinel analytics rules are not written here; they go to SecurityAlert.

AzureMetrics
: Stores platform metrics from Azure services routed to the workspace through diagnostic settings, providing performance and utilization information.

Usage
: Hourly ingestion volume per data type and solution, with a flag for whether the data is billable. It is the table to query for cost tracking and for noticing tables that have stopped ingesting; it does not record retention or query performance.
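Most of the LogManagement tables only become useful when correlated. The query below is an added example (not from the original post) of a brute-force-then-success detection over `SecurityEvent`, enriched with `Heartbeat` so the analyst immediately sees what kind of host was hit. The window, the failure threshold and the choice of network (3) and RemoteInteractive (10) logon types are assumed tuning values.

```kql
// Added example: >= threshold failed logons (4625) from one source IP to one host,
// followed by a successful logon (4624) from the same IP inside the same window.
let window = 1h;        // assumed
let threshold = 10;     // assumed
let failures =
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4625 and LogonType in (3, 10)
    | where isnotempty(IpAddress) and IpAddress != "-"   // local/console logons carry no source IP
    | summarize FailedAttempts = count(), TargetedAccounts = dcount(TargetUserName),
                FirstFail = min(TimeGenerated) by Computer, IpAddress
    | where FailedAttempts >= threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624 and LogonType in (3, 10)
    | project Computer, IpAddress, SuccessAt = TimeGenerated, SuccessAccount = TargetUserName;
failures
| join kind=inner successes on Computer, IpAddress
| where SuccessAt > FirstFail                      // success must come after the spray started
| summarize FirstSuccess = min(SuccessAt), SuccessAccounts = make_set(SuccessAccount, 10)
    by Computer, IpAddress, FailedAttempts, TargetedAccounts, FirstFail
| join kind=leftouter (
    Heartbeat
    | where TimeGenerated > ago(1d)
    | summarize arg_max(TimeGenerated, OSType, ComputerEnvironment) by Computer
) on Computer
| project Computer, OSType, ComputerEnvironment, IpAddress, FailedAttempts, TargetedAccounts,
          FirstFail, FirstSuccess, SuccessAccounts
```

`TargetedAccounts` separates a password spray (many accounts, few attempts each) from a classic brute force against one account; both exceed the threshold, but the triage differs.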
3. Microsoft Sentinel
Anomalies
: Stores the output of Sentinel's anomaly rules: detected unusual patterns or behaviors that could indicate potential security threats, each scored rather than raised as an alert on its own.

SecurityAlert
: Contains security alerts generated by Sentinel analytics rules, Microsoft Defender for Cloud (formerly Azure Security Center), and other integrated security solutions.

SecurityIncident
: Contains data about incidents created in Microsoft Sentinel, which group one or more related alerts into a single incident for easier management and investigation. Every status, owner or severity change writes a new row, so the table holds the history of each incident, not just its current state.

ThreatIntelligenceIndicator
: Contains threat intelligence data ingested through the TI connectors, including indicators of compromise such as malicious IPs, URLs, domains, and file hashes.
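Because both `SecurityIncident` and `SecurityAlert` are append-only, a naive join between them double-counts. The query below is an added example (not from the original post) of the correct pattern: collapse each table to its latest row per key, then flatten the incident's `AlertIds` array and join it to `SystemAlertId`. The 30-day window is an assumed value.

```kql
// Added example: open incidents flattened to the alerts that produced them.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest state per incident
| where Status != "Closed"
| mv-expand AlertId = todynamic(AlertIds) to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId  // alerts get updated too
    | project SystemAlertId, AlertName, AlertSeverity, ProductName, ProviderName, Tactics
) on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, Title, Severity, Status, Owner = tostring(Owner.assignedTo),
          AlertId, AlertName, AlertSeverity, ProductName, ProviderName, Tactics
| order by IncidentNumber asc
```

A row whose `AlertName` is empty after the left outer join points at an alert older than the window on the `SecurityAlert` side, which is common for long-running incidents; widen that window rather than the incident window.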
4. Microsoft Sentinel User and Entity Behavior Analytics (UEBA)
BehaviorAnalytics
: Captures behavioral patterns of users and entities, scored against their own and their peers' baselines, to detect deviations that might signify security threats.

IdentityInfo
: Holds information about user identities and their metadata, such as roles, group memberships, department and account state, synchronized from Microsoft Entra ID.

UserPeerAnalytics
: Stores the peer groups UEBA computes for each user, so that a user's activity can be compared with their peers' norms to identify outliers and potential security risks.
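The value of the UEBA tables is in combining them: `BehaviorAnalytics` tells you a sign-in was unusual, `IdentityInfo` tells you whether the account matters. The query below is an added example (not from the original post) that surfaces geographically unusual sign-ins and sorts privileged accounts to the top. The insight names under `ActivityInsights` are the ones UEBA emits for sign-ins; the lookback windows are assumed values.

```kql
// Added example: unusual-location sign-ins enriched with identity context.
// ActivityInsights is a dynamic property bag; its flags are compared as strings
// because the same flag can arrive as a bool or as "True" depending on the source.
// UPNs are lower-cased on both sides because KQL joins are case-sensitive.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where ActivityType == "LogOn"
| where tostring(ActivityInsights.FirstTimeUserConnectedFromCountry) =~ "true"
     or tostring(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers) =~ "true"
| extend upn = tolower(UserPrincipalName)
| project TimeGenerated, upn, SourceIPAddress, SourceIPLocation, InvestigationPriority, ActivityInsights
| join kind=leftouter (
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | extend AccountUPN = tolower(AccountUPN)
    | summarize arg_max(TimeGenerated, *) by AccountUPN   // latest identity record per user
    | project AccountUPN, Department, AssignedRoles, GroupMembership, IsAccountEnabled
) on $left.upn == $right.AccountUPN
| extend IsPrivileged = array_length(AssignedRoles) > 0
| project-away AccountUPN
| order by IsPrivileged desc, InvestigationPriority desc
```

Rows with an empty `Department` and null `IsAccountEnabled` are sign-ins for which `IdentityInfo` has no record, typically guests or accounts created after the last sync; those deserve a look precisely because the enrichment failed.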
This post is licensed under CC BY 4.0 by the author.