Data source schema reference
This article lists supported Azure and third-party data source schemas, with links to their reference documentation.
Azure data sources
| Type | Data source | Log Analytics tablename | Schema reference |
|---|---|---|---|
| Azure | Azure Active Directory | SigninEvents | Azure AD activity reports sign-in properties |
| Azure | Azure Active Directory | AuditLogs | Azure Monitor AuditLogs reference |
| Azure | Azure Active Directory | AzureActivity | Azure Monitor AzureActivity reference |
| Azure | Office | OfficeActivity | Office 365 Management Activity API schemas: - Common schema - Exchange Admin schema - Exchange Mailbox schema - SharePoint Base schema - SharePoint file operations |
| Azure | Azure Key Vault | AzureDiagnostics | Azure Monitor AzureDiagnostics reference |
| Host | Linux | Syslog | Azure Monitor Syslog reference |
| Network | IIS Logs | W3CIISLog | Azure Monitor W3CIISLog reference |
| Network | VMinsights | VMConnection | Azure Monitor VMConnection reference |
| Network | Wire Data Solution | WireData | Azure Monitor WireData reference |
| Network | NSG Flow Logs | AzureNetworkAnalytics | Schema and data aggregation in Traffic Analytics |
Note
For more information, see the entire Azure Monitor data reference.
3rd-party vendor data sources
The following table lists supported third-party vendors and their Syslog or Common Event Format (CEF)-mapping documentation for various supported log types, which contain CEF field mappings and sample logs for each category type.
| Type | Vendor | Product | Log Analytics tablename | CEF field-mapping reference |
|---|---|---|---|---|
| Network | Palo Alto | PAN OS | CommonSecurityLog | PAN-OS 9.0 Common Event Format Integration Guide (search for CEF- style Log Formats) |
| Network | Check Point | ALL | CommonSecurityLog | Log Fields Description |
| Network | Fortigate | ALL | CommonSecurityLog | Log Schema Structure |
| Network | Barracuda | Web Application Firewall | CommonSecurityLog | How to Configure Syslog and Other Logs |
| Network | Cisco | ASA | CommonSecurityLog | Cisco ASA Series Syslog Messages |
| Network | Cisco | Firepower | CommonSecurityLog | Cisco Firepower Threat Defense Syslog Messages |
| Network | Cisco | Umbrella | Custom Logs Table | Log Formats and Versioning |
| Network | Cisco | Meraki | CommonSecurityLog | Syslog Event Types and Log Samples |
| Network | Zscaler | Nano Streaming Service (NSS) | CommonSecurityLog | Formatting NSS Feeds (Web, Firewall, DNS, and Tunnel logs only) |
| Network | F5 | BigIP LTM | CommonSecurityLog | Event Messages and Attack Types |
| Network | F5 | BigIP ASM | CommonSecurityLog | Logging Application Security Events |
| Network | Citrix | Web App Firewall | CommonSecurityLog | Common Event Format (CEF) Logging Support in the Application Firewall NetScaler 12.0 Syslog Message Reference |
| Host | Symantec | Symantec Endpoint Protection Manager (SEPM) | CommonSecurityLog | External Logging settings and log event severity levels for Endpoint Protection Manager |
| Host | Trend Micro | All | CommonSecurityLog | Syslog Content Mapping - CEF |
Note
For more information, see also CEF and CommonSecurityLog field mapping.
Next steps
Learn more supported Microsoft Sentinel connectors, such as CEF, Syslog, direct, agent, and custom connectors:
Feedback
Submit and view feedback for