Sentinel Explained: Table Reference for SOC Analysts

Tyler Wall
Jan 31, 2024

Below is a curated table reference for Microsoft Sentinel. To start, I went through the list of tables and picked out the ones I can remember using. This reference will be kept updated, and I encourage you to leave a comment if you have one I should add.

AzureActivity: Azure activity, such as the creation, modification, and deletion of Azure resources, and policy updates.

CommonSecurityLog: Logs from security devices sent via syslog using Common Event Format (CEF).

Event: Windows event log entries (excluding the Security event log).

OfficeActivity: Office 365 activity: Exchange, SharePoint, DLP, OneDrive.

SecurityAlert: Alert details (Sentinel, Security Center, MCAS, MSDATP, ATP, ADIP).

SecurityEvent: Windows Security event log entries.

SigninLogs: Azure Active Directory sign-in logs.

SecurityIncident: Incidents generated by security products.

UrlClickEvents: Events involving URLs clicked, selected, or requested on Microsoft Defender for Office 365.

IdentityLogonEvents: Authentication activities made through your on-premises Active Directory.

EmailEvents: Office 365 email events, including email delivery and blocking events.

EmailUrlInfo: Information about URLs contained in Office 365 emails.

EmailPostDeliveryEvents: Office 365 security events that occurred after an email was delivered to the recipient mailbox.

DeviceNetworkInfo: Microsoft Defender for Endpoint (MDE) device network information table. This table contains the network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.

DeviceNetworkEvents: Microsoft Defender for Endpoint (MDE) device network events table. This table contains information about network connections and related events initiated by processes running on the endpoint.

DeviceProcessEvents: Microsoft Defender for Endpoint (MDE) device process events table. This table contains information about process creation and related events on the endpoint.

DeviceLogonEvents: This table is part of Microsoft Defender for Endpoint with Azure Sentinel. It contains sign-ins and other authentication events.

DeviceInfo: This table is part of Microsoft Defender for Endpoint with Azure Sentinel. It contains machine information, including OS information.

DeviceFileEvents: This table is part of Microsoft Defender for Endpoint with Azure Sentinel. It contains file creation, modification, and other file system events.

DeviceEvents: This table is part of Microsoft Defender for Endpoint with Azure Sentinel. It contains multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.

AADNonInteractiveUserSignInLogs: Non-interactive Azure Active Directory user sign-in logs.

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University, as well as CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect, and is the author of three books, 100+ professional articles, and four online courses, and regularly holds webinars for new cybersecurity talent.

You can connect with him on LinkedIn.

Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”

Download the Azure Security Labs eBook from the Secure Style Store. It walks you through several fun, hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork and start your cybersecurity freelancing.

Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.

Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.
