Microsoft XDR table schema #
This site documents all table schema in Microsoft XDR and Sentinel and documents changes to the schema. All data is sourced from the official Microsoft XDR page and contains only publicly available information. The schema is subject to change and the information here may not be up to date.
Caution: The data presented here might be incomplete or incorrect. This stems from the fact that not all XDR features are enabled in the tenant used to generate this documentation.
Caution: Dates shown are not guaranteed to be accurate and there was a long pause between 2024-10-19 and 2025-12-30.
Latest changes #
The following changes have been made to the schema:
| Date | Table | Action |
|---|---|---|
| 2026-02-15 | StorageTableLogs | Table removed from tracking |
| 2026-02-15 | AWSEKSLogs | Table added to tracking |
| 2026-02-15 | AzureMetrics | Table removed from tracking |
| 2026-02-15 | StorageQueueLogs | Table removed from tracking |
| 2026-02-15 | StorageFileLogs | Table removed from tracking |
| 2026-02-15 | StorageBlobLogs | Table removed from tracking |
| 2026-02-11 | StorageTableLogs | Table added to tracking |
| 2026-02-11 | StorageQueueLogs | Table added to tracking |
| 2026-02-11 | StorageFileLogs | Table added to tracking |
| 2026-02-11 | StorageBlobLogs | Table added to tracking |
| 2026-02-11 | AzureMetrics | Table added to tracking |
| 2026-02-10 | EntraIdSignInEvents | Column UniqueTokenId added |
| 2026-02-10 | EntraIdSignInEvents | Column IsSignInThroughGlobalSecureAccess added |
| 2026-02-10 | EntraIdSpnSignInEvents | Column UniqueTokenId added |
| 2026-02-10 | BehaviorInfo | Column MachineGroup added |
| 2026-02-10 | AZKVPolicyEvaluationDetailsLogs | Table removed from tracking |
| 2026-02-10 | AZKVAuditLogs | Table removed from tracking |
| 2026-02-10 | AzureDiagnostics | Table removed from tracking |
| 2026-02-10 | AzureMetrics | Table removed from tracking |
| 2026-02-10 | BehaviorEntities | Column MachineGroup added |
| 2026-02-08 | AZKVAuditLogs | Table added to tracking |
| 2026-02-08 | AZKVPolicyEvaluationDetailsLogs | Table added to tracking |
| 2026-02-08 | AzureDiagnostics | Table added to tracking |
| 2026-02-08 | AzureMetrics | Table added to tracking |
| 2026-02-05 | CrowdStrikeDetections | Column XdrDetectionId added |
| 2026-02-05 | CrowdStrikeDetections | Column TechniqueIds added |
| 2026-02-05 | CrowdStrikeDetections | Column Techniques added |
| 2026-02-05 | CrowdStrikeDetections | Column TacticIds added |
| 2026-02-05 | CrowdStrikeDetections | Column Tactics added |
| 2026-02-05 | CrowdStrikeDetections | Column SourceEventModel added |
| 2026-02-05 | CrowdStrikeDetections | Column References added |
| 2026-02-05 | CrowdStrikeDetections | Column Name added |
| 2026-02-05 | CrowdStrikeDetections | Column MitreAttack added |
| 2026-02-05 | CrowdStrikeDetections | Column EntityValues added |
| 2026-02-05 | CrowdStrikeDetections | Column Entities added |
| 2026-02-05 | CrowdStrikeDetections | Column EndTime added |
| 2026-02-05 | CrowdStrikeDetections | Column Description added |
| 2026-02-05 | CrowdStrikeCases | Table added to tracking |
| 2026-02-05 | CrowdStrikeDetections | Column AddedPrivileges added |
| 2026-02-05 | CrowdStrikeDetections | Column AggregateId added |
| 2026-02-05 | CrowdStrikeDetections | Column Id added |
| 2026-02-05 | CrowdStrikeDetections | Column PolyId added |
| 2026-02-05 | CrowdStrikeDetections | Column TacticId added |
| 2026-02-05 | CrowdStrikeDetections | Column Tactic added |
| 2026-02-05 | CrowdStrikeDetections | Column SourceAccountUpn added |
| 2026-02-05 | CrowdStrikeDetections | Column SourceAccountSamAccountName added |
| 2026-02-05 | CrowdStrikeDetections | Column TechniqueId added |
| 2026-02-05 | CrowdStrikeDetections | Column SourceAccountObjectSid added |
| 2026-02-05 | CrowdStrikeDetections | Column SourceAccountObjectGuid added |
| 2026-02-05 | CrowdStrikeDetections | Column Technique added |
This list is limited to the latest 50 changes.