Understand common tables
When Sentinel ingests data from the Data Connectors, the following table lists the most commonly used tables.
| Table | Description |
|---|---|
| AzureActivity | Entries from the Azure Activity log that provides insight into any subscription-level or management group level events that have occurred in Azure. |
| AzureDiagnostics | Stores resource logs for Azure services that use Azure Diagnostics mode. Resource logs describe the internal operation of Azure resources. |
| AuditLogs | Audit log for Microsoft Entra ID. Includes system activity information about user and group management, managed applications, and directory activities. |
| CommonSecurityLog | Syslog messages using the Common Event Format (CEF). |
| McasShadowItReporting | Microsoft Defender for Cloud Apps logs |
| OfficeActivity | Audit logs for Office 365 tenants collected by Microsoft Sentinel. Including Exchange, SharePoint and Teams logs. |
| SecurityEvent | Security events collected from windows machines by Azure Security Center or Microsoft Sentinel |
| SigninLogs | Azure Activity Directory Sign-in logs |
| Syslog | Syslog events on Linux computers using the Log Analytics agent. |
| Event | Sysmon Events collected from a Windows host. |
| WindowsFirewall | Windows Firewall Events |