Microsoft XDR table schema

This site documents all table schemas in Microsoft XDR and Sentinel and tracks changes to them. All data is sourced from the official Microsoft XDR page and contains only publicly available information. The schema is subject to change, and the information here may not be up to date.

Caution: The data presented here might be incomplete or incorrect, because not all XDR features are enabled in the tenant used to generate this documentation.

Caution: Dates shown are not guaranteed to be accurate, and there was a long pause between 2024-10-19 and 2025-12-30.

Latest changes

The following changes have been made to the schema:

Date Table Action
2026-02-05 CrowdStrikeDetections Column TechniqueId added
2026-02-05 CrowdStrikeDetections Column TechniqueIds added
2026-02-05 CrowdStrikeDetections Column Techniques added
2026-02-05 CrowdStrikeDetections Column TacticIds added
2026-02-05 CrowdStrikeDetections Column Tactics added
2026-02-05 CrowdStrikeDetections Column SourceEventModel added
2026-02-05 CrowdStrikeDetections Column References added
2026-02-05 CrowdStrikeDetections Column XdrDetectionId added
2026-02-05 CrowdStrikeDetections Column Name added
2026-02-05 CrowdStrikeDetections Column Id added
2026-02-05 CrowdStrikeDetections Column EntityValues added
2026-02-05 CrowdStrikeDetections Column Entities added
2026-02-05 CrowdStrikeDetections Column EndTime added
2026-02-05 CrowdStrikeDetections Column Description added
2026-02-05 CrowdStrikeCases Table added to tracking
2026-02-05 CrowdStrikeDetections Column MitreAttack added
2026-02-05 CrowdStrikeDetections Column AddedPrivileges added
2026-02-05 CrowdStrikeDetections Column TacticId added
2026-02-05 CrowdStrikeDetections Column Objective added
2026-02-05 CrowdStrikeDetections Column Technique added
2026-02-05 CrowdStrikeDetections Column AggregateId added
2026-02-05 CrowdStrikeDetections Column SourceAccountUpn added
2026-02-05 CrowdStrikeDetections Column SourceAccountSamAccountName added
2026-02-05 CrowdStrikeDetections Column SourceAccountObjectSid added
2026-02-05 CrowdStrikeDetections Column SourceAccountObjectGuid added
2026-02-05 CrowdStrikeDetections Column SourceAccountName added
2026-02-05 CrowdStrikeDetections Column Tactic added
2026-02-05 CrowdStrikeDetections Column SeverityName added
2026-02-05 CrowdStrikeDetections Column Severity added
2026-02-05 CrowdStrikeDetections Column Scenario added
2026-02-05 CrowdStrikeDetections Column Privileges added
2026-02-05 CrowdStrikeDetections Column PreviousPrivileges added
2026-02-05 CrowdStrikeDetections Column PolyId added
2026-02-05 CrowdStrikeDetections Column SourceAccountDomain added
2026-02-02 SecurityAlert Table added to tracking
2026-02-01 DisruptionAndResponseEvents Action type added: GroupPolicyHardeningPolicyApplied
2026-02-01 DisruptionAndResponseEvents Action type added: GroupPolicyHardeningPolicyRemoved
2026-02-01 DisruptionAndResponseEvents Action type added: SafeBootGuardPolicyRemoved
2026-02-01 GCPCloudRun Column JsonPayloadMessage added
2026-02-01 GCPCloudRun Column JsonPayloadRequest added
2026-02-01 DisruptionAndResponseEvents Action type added: SafeBootGuardPolicyApplied
2026-01-27 DisruptionAndResponseEvents Action type removed: SafeBootGuardPolicyRemoved
2026-01-27 DisruptionAndResponseEvents Action type removed: SafeBootGuardPolicyApplied
2026-01-27 DisruptionAndResponseEvents Action type removed: GroupPolicyHardeningPolicyRemoved
2026-01-27 DisruptionAndResponseEvents Action type removed: GroupPolicyHardeningPolicyApplied
2026-01-26 DisruptionAndResponseEvents Action type added: GroupPolicyHardeningPolicyApplied
2026-01-26 DisruptionAndResponseEvents Action type added: GroupPolicyHardeningPolicyRemoved
2026-01-26 DisruptionAndResponseEvents Action type added: SafeBootGuardPolicyApplied
2026-01-26 DisruptionAndResponseEvents Action type added: SafeBootGuardPolicyRemoved
2026-01-24 LLMActivity Table removed from tracking

This list is limited to the latest 50 changes.