Microsoft Sentinel - Tables

Introduction

  • In a Microsoft Sentinel Log Analytics Workspace (LAW), a variety of tables are created to store the logs, metrics, and other data collected from different sources. Which tables exist and are populated depends on the solutions and data connectors enabled in that workspace.

Tables by Solutions

1. AzureResources

  • ContainerLog: This includes application logs, system logs, and other logs generated within the container environment.
  • KubePodInventory: Contains inventory data about the pods running in your AKS clusters.
  • KubeNodeInventory: Stores inventory data about the nodes in your AKS clusters.
  • KubeEvents: Captures Kubernetes events, providing detailed information about events occurring within your AKS clusters, such as pod creations, deletions, scaling events, and errors.
  • KubePodNetworkInventory: Contains network-related data about the pods in your AKS clusters, including information on IP addresses and network interfaces.
  • KubeContainerInventory: Stores inventory data about the containers running within your AKS clusters, including container IDs, image names, statuses, and other relevant details.
  • KubePVInventory: Contains inventory data about Persistent Volumes (PVs) in your AKS clusters, including volume names, capacities, statuses, and associated storage classes.
  • KubePersistentVolumeClaimInventory: Stores inventory data about Persistent Volume Claims (PVCs) in your AKS clusters, providing information about claim names, namespaces, statuses, and associated PVs.
  • KubeServices: Contains data about the services running in your AKS clusters, including service names, types, cluster IPs, and associated endpoints.
  • KubeClusterInventory: Provides inventory data about your AKS clusters, including cluster names, versions, and other high-level metadata.

2. LogManagement

  • AzureActivity: Contains Azure Activity logs, which provide insight into operations on resources in your subscription.
  • SecurityEvent: Stores data from Windows Security events, capturing information about various security-related events such as logons, privilege use, and policy changes.
  • Heartbeat: Stores data about the health of your VMs, including status updates and heartbeat signals sent by the Azure Monitor agent.
  • Syslog: Collects data from Linux Syslog, providing information about system events and logs.
  • AuditLogs: Contains audit log data from Azure Active Directory, including information about user and group management activities, application activities, and directory-level events.
  • SigninLogs: Stores sign-in activity data from Azure AD, capturing details about user sign-ins, including success and failure events.
  • AzureDiagnostics: Collects diagnostic logs from various Azure services, providing detailed information about the operations and performance of these services.
  • OfficeActivity: Contains data about user activities within Office 365, including information about emails, file access, and other actions taken within Office applications.
  • VMComputer: Stores information about virtual machines, including metadata such as names, sizes, operating systems, and IP addresses.
  • CommonSecurityLog: Contains data from various network security devices like firewalls, proxy servers, and other security appliances, using common formats like syslog.
  • WindowsEvent: Collects data from Windows Event logs, providing a wide range of information about system and application events.
  • Alert: Contains information about alerts generated by various security solutions integrated with Sentinel, including custom and analytic rule-based alerts.
  • AzureMetrics: Stores metrics data from Azure services, providing performance and utilization information.
  • Usage: Provides data on the usage and performance of Azure Monitor Logs, including the volume of data ingested, retention, and query performance.
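Knowing that a table is "created" in the workspace is not the same as knowing it is receiving data. The two KQL queries below are an added example (not part of the original post) that use the Usage and Heartbeat tables from the list above to check which LogManagement tables are actually ingesting, and which VMs have gone quiet. They assume the standard Usage schema (DataType holds the table name, Quantity is in MB, IsBillable is a bool) and the standard Heartbeat schema (Computer, TimeGenerated); the 7-day and 1-hour windows are illustrative choices.

```kql
// Added example: ingestion volume per table over the last 7 days.
// Usage is itself a table in the workspace; DataType is the name of the
// table each row accounts for (assumed standard schema).
Usage
| where TimeGenerated > ago(7d)
| where DataType in ("AzureActivity", "SecurityEvent", "Heartbeat", "Syslog",
                     "AuditLogs", "SigninLogs", "AzureDiagnostics", "OfficeActivity",
                     "CommonSecurityLog", "WindowsEvent", "AzureMetrics")
| summarize IngestedMB = round(sum(Quantity), 2),
            LastSeen   = max(TimeGenerated),
            Billable   = take_any(IsBillable)
  by DataType
| order by IngestedMB desc
// Tables from the list above that never appear in this output have not
// ingested anything in the window, whatever connectors are configured.

// Added example: VMs whose agent has not reported a heartbeat in the last hour.
// A silent host is a monitoring gap (and sometimes the first sign of tampering).
Heartbeat
| where TimeGenerated > ago(7d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceId
| where LastHeartbeat < ago(1h)
| extend SilentFor = now() - LastHeartbeat
| order by SilentFor desc
```

The Usage query is cheap to run because Usage is an hourly summary, so it is a better first check than a `union *` across every table, which scans all raw data in the workspace.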

3. Microsoft Sentinel

  • Anomalies: Stores data about detected unusual patterns or behaviors that could indicate potential security threats.
  • SecurityAlert: Contains data about security alerts generated by Azure Security Center, Sentinel, and other integrated security solutions.
  • SecurityIncident: Contains data about incidents created in Microsoft Sentinel, which can group multiple related alerts into a single incident for easier management and investigation.
  • ThreatIntelligenceIndicator: Contains threat intelligence data including indicators of compromise like malicious IPs, URLs, domains, and file hashes.
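One caveat a practitioner runs into with the Sentinel tables above: SecurityIncident and SecurityAlert are not "one row per object". SecurityIncident receives a new row every time an incident is updated (status change, assignment, comment), so a naive count overstates the number of incidents. The query below is an added example (not from the original post) that takes the latest row per incident and then expands its alert IDs against SecurityAlert. It assumes the documented columns IncidentNumber, Title, Severity, Status, LastModifiedTime and AlertIds (a dynamic array of alert IDs) on SecurityIncident, and SystemAlertId, AlertName and ProviderName on SecurityAlert.

```kql
// Added example: current state of open incidents and the alerts behind them.
// Step 1: keep only the most recent update per incident (assumed columns).
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status != "Closed"
// Step 2: one row per (incident, alert id) so the IDs can be joined.
| mv-expand AlertId = AlertIds to typeof(string)
// Step 3: SecurityAlert can also hold several rows per alert; dedupe it too.
| join kind=leftouter (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, ProviderName
  ) on $left.AlertId == $right.SystemAlertId
// Step 4: collapse back to one row per incident with its alert names and sources.
| summarize AlertCount = dcount(AlertId),
            Alerts     = make_set(AlertName),
            Providers  = make_set(ProviderName)
  by IncidentNumber, Title, Severity, Status
| order by AlertCount desc
```

The `arg_max(..., *)` pattern is the general fix for any table that records a change history rather than a current state; it applies to SecurityIncident here and to SecurityAlert whenever alert providers re-emit updated alerts.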

4. Microsoft Sentinel User and Entity Behavior Analytics (UEBA)

  • BehaviorAnalytics: Captures behavioral patterns of users and entities to detect deviations that might signify security threats.
  • IdentityInfo: Holds information about user identities and their metadata, such as roles, group memberships, and associated devices.
  • UserPeerAnalytics: Stores data on user activities compared to their peer group norms to identify outliers and potential security risks.

This post is licensed under CC BY 4.0 by the author.