Data source schema reference
This article lists supported Azure and third-party data source schemas, with links to their reference documentation.
Azure data sources
Type | Data source | Log Analytics table name | Schema reference |
---|---|---|---|
Azure | Microsoft Entra ID | SigninEvents | Microsoft Entra activity reports sign-in properties |
Azure | Microsoft Entra ID | AuditLogs | Azure Monitor AuditLogs reference |
Azure | Microsoft Entra ID | AzureActivity | Azure Monitor AzureActivity reference |
Azure | Office | OfficeActivity | Office 365 Management Activity API schemas: Common schema, Exchange Admin schema, Exchange Mailbox schema, SharePoint Base schema, SharePoint file operations |
Azure | Azure Key Vault | AzureDiagnostics | Azure Monitor AzureDiagnostics reference |
Host | Linux | Syslog | Azure Monitor Syslog reference |
Network | IIS Logs | W3CIISLog | Azure Monitor W3CIISLog reference |
Network | VMinsights | VMConnection | Azure Monitor VMConnection reference |
Network | Wire Data Solution | WireData | Azure Monitor WireData reference |
Network | NSG Flow Logs | AzureNetworkAnalytics | Schema and data aggregation in Traffic Analytics |
Note
For more information, see the entire Azure Monitor data reference.
3rd-party vendor data sources
The following table lists supported third-party vendors and links to their Syslog or Common Event Format (CEF) mapping documentation for each supported log type. The linked documentation contains the CEF field mappings and sample logs for each category type.
Type | Vendor | Product | Log Analytics table name | CEF field-mapping reference |
---|---|---|---|---|
Network | Palo Alto | PAN OS | CommonSecurityLog | PAN-OS 9.0 Common Event Format Integration Guide (search for CEF-style Log Formats) |
Network | Check Point | ALL | CommonSecurityLog | Log Fields Description |
Network | Fortigate | ALL | CommonSecurityLog | Log Schema Structure |
Network | Barracuda | Web Application Firewall | CommonSecurityLog | How to Configure Syslog and Other Logs |
Network | Cisco | ASA | CommonSecurityLog | Cisco ASA Series Syslog Messages |
Network | Cisco | Firepower | CommonSecurityLog | Cisco Firepower Threat Defense Syslog Messages |
Network | Cisco | Umbrella | Custom Logs Table | Log Formats and Versioning |
Network | Cisco | Meraki | CommonSecurityLog | Syslog Event Types and Log Samples |
Network | Zscaler | Nano Streaming Service (NSS) | CommonSecurityLog | Formatting NSS Feeds (Web, Firewall, DNS, and Tunnel logs only) |
Network | F5 | BigIP LTM | CommonSecurityLog | Event Messages and Attack Types |
Network | F5 | BigIP ASM | CommonSecurityLog | Logging Application Security Events |
Network | Citrix | Web App Firewall | CommonSecurityLog | Common Event Format (CEF) Logging Support in the Application Firewall |
Host | Symantec | Symantec Endpoint Protection Manager (SEPM) | CommonSecurityLog | External Logging settings and log event severity levels for Endpoint Protection Manager |
Host | Trend Micro | All | CommonSecurityLog | Syslog Content Mapping - CEF |
Note
For more information, see also CEF and CommonSecurityLog field mapping.
Next steps
Learn more about supported Microsoft Sentinel connectors, such as CEF, Syslog, direct, agent, and custom connectors: