Microsoft Sentinel - Tables

Introduction

• In a Microsoft Sentinel Log Analytics Workspace (LAW), a variety of tables are created to store logs, metrics, and other data collected from different sources

Tables by Solutions

1. AzureResources

• ContainerLog: This includes application logs, system logs, and other logs generated within the container environment.
• KubePodInventory: Contains inventory data about the pods running in your AKS clusters.
• KubeNodeInventory: Stores inventory data about the nodes in your AKS clusters.
• KubeEvents: Captures Kubernetes events, providing detailed information about events occurring within your AKS clusters, such as pod creations, deletions, scaling events, and errors.
• KubePodNetworkInventory: Contains network-related data about the pods in your AKS clusters, including information on IP addresses and network interfaces.
• KubeContainerInventory: Stores inventory data about the containers running within your AKS clusters, including container IDs, image names, statuses, and other relevant details.
• KubePVInventory: Contains inventory data about Persistent Volumes (PVs) in your AKS clusters, including volume names, capacities, statuses, and associated storage classes.
• KubePersistentVolumeClaimInventory: Stores inventory data about Persistent Volume Claims (PVCs) in your AKS clusters, providing information about claim names, namespaces, statuses, and associated PVs.
• KubeServices: Contains data about the services running in your AKS clusters, including service names, types, cluster IPs, and associated endpoints.
• KubeClusterInventory: Provides inventory data about your AKS clusters, including cluster names, versions, and other high-level metadata.

2. LogManagement

• AzureActivity: - Contains Azure Activity logs, which provide insight into operations on resources in your subscription.
• SecurityEvent: Stores data from Windows Security events, capturing information about various security-related events such as logons, privilege use, and policy changes.
• Heartbeat: Stores data about the health of your VMs, including status updates and heartbeat signals sent by the Azure Monitor agent.
• Syslog: Collects data from Linux Syslog, providing information about system events and logs.
• AuditLogs: Contains audit log data from Azure Active Directory, including information about user and group management activities, application activities, and directory-level events.
• SigninLogs: Stores sign-in activity data from Azure AD, capturing details about user sign-ins, including success and failure events.
• AzureDiagnostics: Collects diagnostic logs from various Azure services, providing detailed information about the operations and performance of these services.
• OfficeActivity: Contains data about user activities within Office 365, including information about emails, file access, and other actions taken within Office applications.
• VMComputer: Stores information about virtual machines, including metadata such as names, sizes, operating systems, and IP addresses.
• CommonSecurityLog: Contains data from various network security devices like firewalls, proxy servers, and other security appliances, using common formats like syslog.
• WindowsEvent: Collects data from Windows Event logs, providing a wide range of information about system and application events.
• Alert: Contains information about alerts generated by various security solutions integrated with Sentinel, including custom and analytic rule-based alerts.
• AzureMetrics: Stores metrics data from Azure services, providing performance and utilization information.
• Usage: Provides data on the usage and performance of Azure Monitor Logs, including the volume of data ingested, retention, and query performance.

3. Microsoft Sentinel

• Anomalies: Stores data about detected unusual patterns or behaviors that could indicate potential security threats.
• SecurityAlert: Contains data about security alerts generated by Azure Security Center, Sentinel, and other integrated security solutions.
• SecurityIncident: Contains data about incidents created in Microsoft Sentinel, which can group multiple related alerts into a single incident for easier management and investigation.
• ThreatIntelligenceIndicator: Contains threat intelligence data including indicators of compromise like malicious IPs, URLs, domains, and file hashes.

4. Microsoft Sentinel User and Entity Behavior Analytics (UEBA)

• BehaviorAnalytics: Captures behavioral patterns of users and entities to detect deviations that might signify security threats.
• IdentityInfo: Holds information about user identities and their metadata, such as roles, group memberships, and associated devices.
• UserPeerAnalytics: Stores data on user activities compared to their peer group norms to identify outliers and potential security risks.