This article lists supported Azure and third-party data source schemas, with links to their reference documentation.
Azure data sources
Type | Data source | Log Analytics tablename | Schema reference |
---|---|---|---|
Azure | Microsoft Entra ID | SigninLogs | Microsoft Entra activity reports sign-in properties |
Azure | Microsoft Entra ID | AuditLogs | Azure Monitor AuditLogs reference |
Azure | Azure Activity log (Azure Resource Manager operations) | AzureActivity | Azure Monitor AzureActivity reference |
Azure | Office | OfficeActivity | Office 365 Management Activity API schemas (Common schema, Exchange Admin schema, Exchange Mailbox schema, SharePoint Base schema, SharePoint file operations) |
Azure | Azure Key Vault | AzureDiagnostics | Azure Monitor AzureDiagnostics reference |
Host | Linux | Syslog | Azure Monitor Syslog reference |
Network | IIS Logs | W3CIISLog | Azure Monitor W3CIISLog reference |
Network | VMinsights | VMConnection | Azure Monitor VMConnection reference |
Network | Wire Data Solution | WireData | Azure Monitor WireData reference |
Network | NSG Flow Logs | AzureNetworkAnalytics | Schema and data aggregation in Traffic Analytics |
Note
For more information, see the entire Azure Monitor data reference.
3rd-party vendor data sources
The following table lists the supported third-party vendors and, for each supported log type, the vendor documentation that describes its Syslog or Common Event Format (CEF) output. Those documents give the CEF field mappings and sample log lines for each category of event.
Type | Vendor | Product | Log Analytics tablename | CEF field-mapping reference |
---|---|---|---|---|
Network | Palo Alto | PAN-OS | CommonSecurityLog | PAN-OS 9.0 Common Event Format Integration Guide (search for CEF-style Log Formats) |
Network | Check Point | ALL | CommonSecurityLog | Log Fields Description |
Network | Fortinet | FortiGate (all models) | CommonSecurityLog | Log Schema Structure |
Network | Barracuda | Web Application Firewall | CommonSecurityLog | How to Configure Syslog and Other Logs |
Network | Cisco | ASA | CommonSecurityLog | Cisco ASA Series Syslog Messages |
Network | Cisco | Firepower | CommonSecurityLog | Cisco Firepower Threat Defense Syslog Messages |
Network | Cisco | Umbrella | Custom Logs Table | Log Formats and Versioning |
Network | Cisco | Meraki | CommonSecurityLog | Syslog Event Types and Log Samples |
Network | Zscaler | Nanolog Streaming Service (NSS) | CommonSecurityLog | Formatting NSS Feeds (Web, Firewall, DNS, and Tunnel logs only) |
Network | F5 | BIG-IP LTM | CommonSecurityLog | Event Messages and Attack Types |
Network | F5 | BIG-IP ASM | CommonSecurityLog | Logging Application Security Events |
Network | Citrix | Web App Firewall | CommonSecurityLog | Common Event Format (CEF) Logging Support in the Application Firewall |
Host | Symantec | Symantec Endpoint Protection Manager (SEPM) | CommonSecurityLog | External Logging settings and log event severity levels for Endpoint Protection Manager |
Host | Trend Micro | All | CommonSecurityLog | Syslog Content Mapping - CEF |
Note
For more information, see also CEF and CommonSecurityLog field mapping.
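The CEF field mapping that the vendor table and the note above refer to, worked through in code. The parser below is an added example, not code from this page or from Microsoft Sentinel: it locates the CEF header in a raw syslog line, splits the seven pipe-delimited header fields while honoring the `\|` and `\\` escapes, tokenizes the key=value extension while honoring `\=`, and renames everything to CommonSecurityLog column names. The header-to-column and extension-to-column names follow Microsoft's published mapping for the keys listed; any key not in the table is kept in AdditionalExtensions, which is where the CEF connector puts unmapped pairs. The sample log line, its hostname, addresses and timestamps are constructed for this example.

```python
"""Map a raw syslog/CEF line onto CommonSecurityLog column names.

Added example for this page; not Microsoft Sentinel code. The column names follow
Microsoft's published CEF -> CommonSecurityLog mapping; the sample line is constructed.
"""
import re
from typing import Dict, List, Tuple

# CEF header positions after the version -> CommonSecurityLog columns (order fixed by the CEF spec)
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

# CEF extension keys -> CommonSecurityLog columns (subset of the published mapping)
EXTENSION_COLUMNS = {
    "act": "DeviceAction", "app": "ApplicationProtocol", "cat": "DeviceEventCategory",
    "dvc": "DeviceAddress", "dvchost": "DeviceName", "deviceExternalId": "DeviceExternalID",
    "externalId": "ExternalID", "rt": "ReceiptTime", "msg": "Message",
    "src": "SourceIP", "spt": "SourcePort", "shost": "SourceHostName", "suser": "SourceUserName",
    "dst": "DestinationIP", "dpt": "DestinationPort", "dhost": "DestinationHostName",
    "duser": "DestinationUserName", "proto": "Protocol", "request": "RequestURL",
    "in": "ReceivedBytes", "out": "SentBytes",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
    "cn1": "DeviceCustomNumber1", "cn1Label": "DeviceCustomNumber1Label",
}

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # a key starts the line or follows whitespace
_ESCAPE_RE = re.compile(r"\\(.)")                     # backslash followed by the escaped character


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\\\' -> '\\', '\\=' -> '=', '\\|' -> '|', '\\n' and '\\r' -> line breaks."""
    return _ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(text: str, count: int) -> Tuple[List[str], str]:
    """Split the first `count` '|'-delimited header fields; the remainder is the extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped '|' or '\' inside a header field
            buf.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) == count - 1:                  # severity was last and had no trailing '|'
        fields.append("".join(buf)); i = len(text)
    return fields, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Tokenize 'key=value key2=value with spaces' into a dict; values may contain '\\='."""
    pairs: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].strip())
    return pairs


def cef_to_common_security_log(line: str) -> Dict[str, str]:
    """Parse one syslog/CEF line into a dict keyed by CommonSecurityLog column names."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[start + len("CEF:"):], 7)
    if len(fields) != 7:
        raise ValueError("truncated CEF header: expected version plus six header fields")
    row: Dict[str, str] = {"CEFVersion": fields[0]}
    row.update(zip(HEADER_COLUMNS, fields[1:]))
    unmapped: List[str] = []
    for key, value in _parse_extension(ext).items():
        column = EXTENSION_COLUMNS.get(key)
        if column:
            row[column] = value
        else:
            unmapped.append(f"{key}={value}")    # unmapped keys land in AdditionalExtensions
    if unmapped:
        row["AdditionalExtensions"] = ";".join(unmapped)
    return row


# Constructed sample line (hostname, addresses and times are made up); raw string keeps the CEF escapes.
SAMPLE_LINE = (
    r"Sep 12 08:14:33 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.0.3|THREAT|vulnerability|5|"
    r"rt=Sep 12 2024 08:14:32 src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 proto=TCP "
    r"act=alert suser=corp\\alice request=https://203.0.113.7/login?next\=/home "
    r"msg=Rule id\=42 matched cs1Label=Rule cs1=allow-web sessionID=7781"
)

if __name__ == "__main__":
    for column, value in cef_to_common_security_log(SAMPLE_LINE).items():
        print(f"{column:<26} {value}")
```

The escape handling is the part that matters in practice: a vendor that emits an unescaped `=` or `|` inside a value shifts every later field by one, which is the usual cause of a device's events landing in the wrong CommonSecurityLog columns.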
Next steps
Learn more about the supported Microsoft Sentinel connectors, such as CEF, Syslog, direct, agent, and custom connectors: