Data source schema reference

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

This article lists supported Azure and third-party data source schemas, with links to their reference documentation.

Azure data sources

Type Data source Log Analytics tablename Schema reference
Azure Azure Active Directory SigninEvents Azure AD activity reports sign-in properties
Azure Azure Active Directory AuditLogs Azure Monitor AuditLogs reference
Azure Azure Active Directory AzureActivity Azure Monitor AzureActivity reference
Azure Office OfficeActivity Office 365 Management Activity API schemas:
- Common schema
- Exchange Admin schema
- Exchange Mailbox schema
- SharePoint Base schema
- SharePoint file operations
Azure Azure Key Vault AzureDiagnostics Azure Monitor AzureDiagnostics reference
Host Linux Syslog Azure Monitor Syslog reference
Network IIS Logs W3CIISLog Azure Monitor W3CIISLog reference
Network VMinsights VMConnection Azure Monitor VMConnection reference
Network Wire Data Solution WireData Azure Monitor WireData reference
Network NSG Flow Logs AzureNetworkAnalytics Schema and data aggregation in Traffic Analytics

Note

For more information, see the entire Azure Monitor data reference.

3rd-party vendor data sources

The following table lists supported third-party vendors and their Syslog or Common Event Format (CEF)-mapping documentation for various supported log types, which contain CEF field mappings and sample logs for each category type.

Type Vendor Product Log Analytics tablename CEF field-mapping reference
Network Palo Alto PAN OS CommonSecurityLog PAN-OS 9.0 Common Event Format Integration Guide (search for CEF- style Log Formats)
Network Check Point ALL CommonSecurityLog Log Fields Description
Network Fortigate ALL CommonSecurityLog Log Schema Structure
Network Barracuda Web Application Firewall CommonSecurityLog How to Configure Syslog and Other Logs
Network Cisco ASA CommonSecurityLog Cisco ASA Series Syslog Messages
Network Cisco Firepower CommonSecurityLog Cisco Firepower Threat Defense Syslog Messages
Network Cisco Umbrella Custom Logs Table Log Formats and Versioning
Network Cisco Meraki CommonSecurityLog Syslog Event Types and Log Samples
Network Zscaler Nano Streaming Service (NSS) CommonSecurityLog Formatting NSS Feeds (Web, Firewall, DNS, and Tunnel logs only)
Network F5 BigIP LTM CommonSecurityLog Event Messages and Attack Types
Network F5 BigIP ASM CommonSecurityLog Logging Application Security Events
Network Citrix Web App Firewall CommonSecurityLog Common Event Format (CEF) Logging Support in the Application Firewall
NetScaler 12.0 Syslog Message Reference
Host Symantec Symantec Endpoint Protection Manager (SEPM) CommonSecurityLog External Logging settings and log event severity levels for Endpoint Protection Manager
Host Trend Micro All CommonSecurityLog Syslog Content Mapping - CEF

Note

For more information, see also CEF and CommonSecurityLog field mapping.

Next steps

Learn more supported Microsoft Sentinel connectors, such as CEF, Syslog, direct, agent, and custom connectors: