Microsoft XDR table schema #
This site documents all table schema in Microsoft XDR and Sentinel and documents changes to the schema. All data is sourced from the official Microsoft XDR page and contains only publicly available information. The schema is subject to change and the information here may not be up to date.
Caution: The data presented here might be incomplete or incorrect. This stems from the fact that not all XDR features are enabled in the tenant used to generate this documentation.
Caution: Dates shown are not guaranteed to be accurate and there was a long pause between 2024-10-19 and 2025-12-30.
Latest changes #
The following changes have been made to the schema:
| Date | Table | Action |
|---|---|---|
| 2026-03-23 | DeviceEvents | Action type added: CertificateServicesReceivedCertificateRequest |
| 2026-03-23 | AIAgentsInfo | Column RegistrySource added |
| 2026-03-23 | AIAgentsInfo | Column Instructions added |
| 2026-03-23 | AIAgentsInfo | Column EntraObjectId added |
| 2026-03-23 | AIAgentsInfo | Column EntraBlueprintId added |
| 2026-03-23 | AIAgentsInfo | Column IsBlocked added |
| 2026-03-23 | DeviceEvents | Action type added: CertificateServicesLoadedTemplate |
| 2026-03-23 | AIAgentsInfo | Column AIModel added |
| 2026-03-23 | AIAgentsInfo | Column AccessCapabilities added |
| 2026-03-23 | AIAgentsInfo | Column ElementTypes added |
| 2026-03-23 | AIAgentsInfo | Column SourceAgentId added |
| 2026-03-23 | DeviceEvents | Action type added: CertificateServicesApprovedCertificateRequest |
| 2026-03-23 | AIAgentsInfo | Column Version added |
| 2026-03-11 | DeviceInfo | Column DlpInfo added |
| 2026-03-08 | AADSpnSignInEventsBeta | Column IsConfidentialClient added |
| 2026-03-08 | EntraIdSpnSignInEvents | Column IsConfidentialClient added |
| 2026-03-08 | CloudProcessEvents | Table removed from tracking |
| 2026-03-08 | CloudStorageAggregatedEvents | Table removed from tracking |
| 2026-03-08 | CloudAuditEvents | Table removed from tracking |
| 2026-02-27 | DeviceLogonEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceRegistryEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceRegistryEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceRegistryEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceLogonEvents | Column TenantId removed |
| 2026-02-27 | DeviceLogonEvents | Column Type removed |
| 2026-02-27 | DeviceLogonEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceLogonEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceEvents | Column TenantId removed |
| 2026-02-27 | DeviceImageLoadEvents | Column Type removed |
| 2026-02-27 | DeviceImageLoadEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceImageLoadEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceImageLoadEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceEvents | Column Type removed |
| 2026-02-27 | DeviceEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceImageLoadEvents | Column TenantId removed |
| 2026-02-27 | DeviceRegistryEvents | Column Type removed |
| 2026-02-27 | DeviceFileEvents | Column Type removed |
| 2026-02-27 | DeviceFileEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceNetworkInfo | Column Type removed |
| 2026-02-27 | DeviceNetworkInfo | Column SourceSystem removed |
| 2026-02-27 | DeviceNetworkInfo | Column MachineGroup removed |
| 2026-02-27 | DeviceNetworkInfo | Column TimeGenerated removed |
| 2026-02-27 | DeviceProcessEvents | Column TenantId removed |
| 2026-02-27 | DeviceProcessEvents | Column Type removed |
| 2026-02-27 | DeviceProcessEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceProcessEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceRegistryEvents | Column TenantId removed |
| 2026-02-27 | DeviceProcessEvents | Column TimeGenerated removed |
This list is limited to the latest 50 changes.