Microsoft XDR table schema

Microsoft XDR table schema #

This site documents all table schema in Microsoft XDR and Sentinel and documents changes to the schema. All data is sourced from the official Microsoft XDR page and contains only publicly available information. The schema is subject to change and the information here may not be up to date.

Caution: The data presented here might be incomplete or incorrect. This stems from the fact that not all XDR features are enabled in the tenant used to generate this documentation.

Caution: Dates shown are not guaranteed to be accurate and there was a long pause between 2024-10-19 and 2025-12-30.

Latest changes #

The following changes have been made to the schema:

Date Table Action
2026-04-01 IdentityInfo Column RiskScoreUpdateTime added
2026-04-01 IdentityInfo Column RiskScore added
2026-03-23 DeviceEvents Action type added: CertificateServicesLoadedTemplate
2026-03-23 DeviceEvents Action type added: CertificateServicesApprovedCertificateRequest
2026-03-23 AIAgentsInfo Column SourceAgentId added
2026-03-23 AIAgentsInfo Column ElementTypes added
2026-03-23 AIAgentsInfo Column AccessCapabilities added
2026-03-23 AIAgentsInfo Column AIModel added
2026-03-23 AIAgentsInfo Column Version added
2026-03-23 AIAgentsInfo Column IsBlocked added
2026-03-23 AIAgentsInfo Column EntraBlueprintId added
2026-03-23 AIAgentsInfo Column EntraObjectId added
2026-03-23 AIAgentsInfo Column Instructions added
2026-03-23 AIAgentsInfo Column RegistrySource added
2026-03-23 DeviceEvents Action type added: CertificateServicesReceivedCertificateRequest
2026-03-11 DeviceInfo Column DlpInfo added
2026-03-08 AADSpnSignInEventsBeta Column IsConfidentialClient added
2026-03-08 EntraIdSpnSignInEvents Column IsConfidentialClient added
2026-03-08 CloudStorageAggregatedEvents Table removed from tracking
2026-03-08 CloudProcessEvents Table removed from tracking
2026-03-08 CloudAuditEvents Table removed from tracking
2026-02-27 DeviceLogonEvents Column TimeGenerated removed
2026-02-27 DeviceRegistryEvents Column MachineGroup removed
2026-02-27 DeviceRegistryEvents Column TimeGenerated removed
2026-02-27 DeviceLogonEvents Column TenantId removed
2026-02-27 DeviceLogonEvents Column Type removed
2026-02-27 DeviceLogonEvents Column SourceSystem removed
2026-02-27 DeviceLogonEvents Column MachineGroup removed
2026-02-27 DeviceImageLoadEvents Column TenantId removed
2026-02-27 DeviceEvents Column TimeGenerated removed
2026-02-27 DeviceImageLoadEvents Column SourceSystem removed
2026-02-27 DeviceImageLoadEvents Column MachineGroup removed
2026-02-27 DeviceImageLoadEvents Column TimeGenerated removed
2026-02-27 DeviceEvents Column TenantId removed
2026-02-27 DeviceEvents Column Type removed
2026-02-27 DeviceEvents Column SourceSystem removed
2026-02-27 DeviceEvents Column MachineGroup removed
2026-02-27 DeviceRegistryEvents Column SourceSystem removed
2026-02-27 DeviceImageLoadEvents Column Type removed
2026-02-27 DeviceRegistryEvents Column Type removed
2026-02-27 DeviceNetworkEvents Column SourceSystem removed
2026-02-27 DeviceFileEvents Column TimeGenerated removed
2026-02-27 DeviceNetworkInfo Column Type removed
2026-02-27 DeviceNetworkInfo Column SourceSystem removed
2026-02-27 DeviceNetworkInfo Column MachineGroup removed
2026-02-27 DeviceNetworkInfo Column TimeGenerated removed
2026-02-27 DeviceProcessEvents Column TenantId removed
2026-02-27 DeviceProcessEvents Column Type removed
2026-02-27 DeviceProcessEvents Column SourceSystem removed
2026-02-27 DeviceProcessEvents Column MachineGroup removed

This list is limited to the latest 50 changes.