In Microsoft Sentinel, tables are where all your collected data is stored and organized within the Log Analytics workspace. Each table represents a specific type of data—like security events, sign-ins, alerts, or network logs—and has its own schema with defined fields.
These tables are the foundation for running Kusto Query Language (KQL) queries, building workbooks, creating analytics rules, and powering automation.
| Sentinel Data Table Name | Description |
| --- | --- |
| Defender for Endpoint Event Types | |
| DeviceInfo | Machine information, including OS information |
| DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
| DeviceProcessEvents | Process creation and related events |
| DeviceNetworkEvents | Network connection and related events |
| DeviceFileEvents | File creation, modification, and other file system events |
| DeviceRegistryEvents | Creation and modification of registry entries |
| DeviceLogonEvents | Sign-ins and other authentication events on devices |
| DeviceImageLoadEvents | DLL loading events |
| DeviceEvents | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints |
| Defender for O365 Event Types | |
| EmailAttachmentInfo | Information about files attached to emails |
| EmailEvents | Microsoft 365 email events, including email delivery and blocking events |
| EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
| EmailUrlInfo | Information about URLs in emails |
| Defender for Identity Event Types | |
| IdentityDirectoryEvents | Various identity-related events, like password changes, password expirations, and user principal name (UPN) changes, captured from an on-premises Active Directory domain controller. Also includes system events on the domain controller |
| IdentityInfo | Information about user accounts obtained from various services, including Azure Active Directory |
| IdentityLogonEvents | Authentication activities made through your on-premises Active Directory, as captured by Microsoft Defender for Identity, and authentication activities related to Microsoft online services, as captured by Microsoft Defender for Cloud Apps |
| IdentityQueryEvents | Information about queries performed against Active Directory objects such as users, groups, devices, and domains. |
| Defender for Cloud Apps Event Type | |
| CloudAppEvents | Information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps |
| Defender Alerts | |
| AlertInfo | Information about alerts from Microsoft 365 Defender components |
| AlertEvidence | Information about various entities – files, IP addresses, URLs, users, devices – associated with alerts from Microsoft 365 Defender components |
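Because every table shares the `TimeGenerated` column and the alert tables share `AlertId`, they can be correlated in a single KQL query. The following is an added example, not a query from the original page or from Microsoft: it takes file evidence attached to High/Medium Defender alerts (`AlertInfo` joined to `AlertEvidence`) and pivots into `DeviceProcessEvents` to see where else the same file hash has been launched in the last seven days. It assumes the standard column names these tables expose in a Sentinel workspace (`AlertId`, `Severity`, `EntityType`, `SHA256`, `FileName`, `DeviceName`); check the schema in your workspace if a connector version differs.

```kql
// Added example: pivot from alert evidence to raw process telemetry.
// Assumes standard Sentinel column names for AlertInfo, AlertEvidence and DeviceProcessEvents.
let lookback = 7d;
// Alerts worth triaging, keyed by AlertId.
let alerts = AlertInfo
| where TimeGenerated > ago(lookback)
| where Severity in ("High", "Medium")
| project AlertId, Title, Severity, ServiceSource;
// File entities attached to those alerts, with the hash Defender recorded.
let fileEvidence = AlertEvidence
| where TimeGenerated > ago(lookback)
| where EntityType == "File" and isnotempty(SHA256)
| project AlertId, SHA256, EvidenceFileName = FileName, EvidenceDevice = DeviceName;
// Join alert context onto the evidence so each hash carries its alert titles.
let flagged = alerts
| join kind=inner fileEvidence on AlertId
| project AlertId, Title, Severity, ServiceSource, SHA256, EvidenceFileName, EvidenceDevice;
let flaggedHashes = flagged
| distinct SHA256;
// Pivot: every process launch of a flagged hash, across all onboarded devices,
// not just the device that raised the alert.
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where SHA256 in (flaggedHashes)
| summarize
    Launches = count(),
    Devices = make_set(DeviceName, 20),
    Accounts = make_set(AccountName, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by SHA256, FileName
| join kind=inner (
    flagged
    | summarize Alerts = make_set(Title, 5), Severities = make_set(Severity, 3) by SHA256
  ) on SHA256
| project SHA256, FileName, Launches, Devices, Accounts, FirstSeen, LastSeen, Alerts, Severities
| order by Launches desc
```

A hash that appears on many more devices than the one named in the alert evidence is the signal this query is built to surface; the same pattern (alert evidence to raw event table on a shared key) works with `RemoteIP` against `DeviceNetworkEvents` or `AccountName` against `DeviceLogonEvents`.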
