Microsoft XDR table schema #
This site documents all table schema in Microsoft XDR and Sentinel and documents changes to the schema. All data is sourced from the official Microsoft XDR page and contains only publicly available information. The schema is subject to change and the information here may not be up to date.
Caution: The data presented here might be incomplete or incorrect. This stems from the fact that not all XDR features are enabled in the tenant used to generate this documentation.
Caution: Dates shown are not guaranteed to be accurate and there was a long pause between 2024-10-19 and 2025-12-30.
Latest changes #
The following changes have been made to the schema:
| Date | Table | Action |
|---|---|---|
| 2026-02-27 | WindowsEvent | Table removed from tracking |
| 2026-02-27 | DeviceRegistryEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceRegistryEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceLogonEvents | Column TenantId removed |
| 2026-02-27 | DeviceLogonEvents | Column Type removed |
| 2026-02-27 | DeviceLogonEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceLogonEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceLogonEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceImageLoadEvents | Column TenantId removed |
| 2026-02-27 | DeviceImageLoadEvents | Column Type removed |
| 2026-02-27 | DeviceImageLoadEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceImageLoadEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceImageLoadEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceEvents | Column TenantId removed |
| 2026-02-27 | DeviceEvents | Column Type removed |
| 2026-02-27 | DeviceEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceRegistryEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceRegistryEvents | Column Type removed |
| 2026-02-27 | DeviceRegistryEvents | Column TenantId removed |
| 2026-02-27 | DeviceFileEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceNetworkInfo | Column Type removed |
| 2026-02-27 | DeviceNetworkInfo | Column SourceSystem removed |
| 2026-02-27 | DeviceNetworkInfo | Column MachineGroup removed |
| 2026-02-27 | DeviceNetworkInfo | Column TimeGenerated removed |
| 2026-02-27 | DeviceProcessEvents | Column TenantId removed |
| 2026-02-27 | DeviceProcessEvents | Column Type removed |
| 2026-02-27 | DeviceProcessEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceProcessEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceFileCertificateInfo | Column TenantId removed |
| 2026-02-27 | DeviceProcessEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceNetworkEvents | Column Type removed |
| 2026-02-27 | DeviceNetworkEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceNetworkEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceNetworkEvents | Column TimeGenerated removed |
| 2026-02-27 | DeviceFileEvents | Column TenantId removed |
| 2026-02-27 | DeviceFileEvents | Column Type removed |
| 2026-02-27 | DeviceFileEvents | Column SourceSystem removed |
| 2026-02-27 | DeviceFileEvents | Column MachineGroup removed |
| 2026-02-27 | DeviceNetworkEvents | Column TenantId removed |
| 2026-02-27 | DeviceNetworkInfo | Column TenantId removed |
| 2026-02-27 | DeviceFileCertificateInfo | Column Type removed |
| 2026-02-27 | DeviceFileCertificateInfo | Column MachineGroup removed |
| 2026-02-27 | DeviceTvmSoftwareInventory | Column SourceSystem removed |
| 2026-02-27 | DeviceTvmSoftwareInventory | Column MachineGroup removed |
| 2026-02-27 | DeviceTvmInfoGathering | Column TenantId removed |
| 2026-02-27 | DeviceTvmInfoGathering | Column Type removed |
| 2026-02-27 | DeviceTvmInfoGathering | Column SourceSystem removed |
| 2026-02-27 | DeviceTvmInfoGathering | Column MachineGroup removed |
This list is limited to the latest 50 changes.