Microsoft XDR table schema #
This site documents all table schema in Microsoft XDR and Sentinel and documents changes to the schema. All data is sourced from the official Microsoft XDR page and contains only publicly available information. The schema is subject to change and the information here may not be up to date.
Caution: The data presented here might be incomplete or incorrect. This stems from the fact that not all XDR features are enabled in the tenant used to generate this documentation.
Caution: Dates shown are not guaranteed to be accurate and there was a long pause between 2024-10-19 and 2025-12-30.
Latest changes #
The following changes have been made to the schema:
| Date | Table | Action |
|---|---|---|
| 2026-02-02 | SecurityAlert | Table added to tracking |
| 2026-02-01 | DisruptionAndResponseEvents | Action type added: GroupPolicyHardeningPolicyApplied |
| 2026-02-01 | DisruptionAndResponseEvents | Action type added: GroupPolicyHardeningPolicyRemoved |
| 2026-02-01 | GCPCloudRun | Column JsonPayloadRequest added |
| 2026-02-01 | DisruptionAndResponseEvents | Action type added: SafeBootGuardPolicyRemoved |
| 2026-02-01 | DisruptionAndResponseEvents | Action type added: SafeBootGuardPolicyApplied |
| 2026-02-01 | GCPCloudRun | Column JsonPayloadMessage added |
| 2026-01-27 | DisruptionAndResponseEvents | Action type removed: SafeBootGuardPolicyRemoved |
| 2026-01-27 | DisruptionAndResponseEvents | Action type removed: SafeBootGuardPolicyApplied |
| 2026-01-27 | DisruptionAndResponseEvents | Action type removed: GroupPolicyHardeningPolicyRemoved |
| 2026-01-27 | DisruptionAndResponseEvents | Action type removed: GroupPolicyHardeningPolicyApplied |
| 2026-01-26 | DisruptionAndResponseEvents | Action type added: SafeBootGuardPolicyRemoved |
| 2026-01-26 | DisruptionAndResponseEvents | Action type added: SafeBootGuardPolicyApplied |
| 2026-01-26 | DisruptionAndResponseEvents | Action type added: GroupPolicyHardeningPolicyApplied |
| 2026-01-26 | DisruptionAndResponseEvents | Action type added: GroupPolicyHardeningPolicyRemoved |
| 2026-01-24 | LLMActivity | Table removed from tracking |
| 2026-01-24 | QualysKnowledgeBase | Table added to tracking |
| 2026-01-24 | CopilotActivity | Table added to tracking |
| 2026-01-24 | ASimAlertEventLogs | Table added to tracking |
| 2026-01-12 | DeviceEvents | Action type added: UserAccountPasswordResetAttempt |
| 2026-01-12 | GraphAPIAuditEvents | Column ResponseSize added |
| 2026-01-05 | AzureMetrics | Table removed from tracking |
| 2026-01-05 | ContainerRegistryRepositoryEvents | Table removed from tracking |
| 2026-01-05 | ContainerRegistryLoginEvents | Table removed from tracking |
| 2026-01-04 | AzureMetricsV2 | Table removed from tracking |
| 2026-01-04 | AzureDiagnostics | Table removed from tracking |
| 2026-01-04 | AppServiceServerlessSecurityPluginData | Table removed from tracking |
| 2026-01-04 | AppServicePlatformLogs | Table removed from tracking |
| 2026-01-04 | AppServiceIPSecAuditLogs | Table removed from tracking |
| 2026-01-04 | AppServiceHTTPLogs | Table removed from tracking |
| 2026-01-04 | AppServiceFileAuditLogs | Table removed from tracking |
| 2026-01-04 | AppServiceConsoleLogs | Table removed from tracking |
| 2026-01-04 | AppServiceAuthenticationLogs | Table removed from tracking |
| 2026-01-04 | AppServiceAppLogs | Table removed from tracking |
| 2026-01-04 | AppServiceAntivirusScanAuditLogs | Table removed from tracking |
| 2026-01-04 | AppEnvSpringAppConsoleLogs | Table removed from tracking |
| 2026-01-04 | AppEnvSessionPoolEventLogs | Table removed from tracking |
| 2026-01-04 | AppEnvSessionLifecycleLogs | Table removed from tracking |
| 2026-01-04 | AppEnvSessionConsoleLogs | Table removed from tracking |
| 2026-01-04 | AppServiceAuditLogs | Table removed from tracking |
| 2026-01-04 | ContainerAppConsoleLogs | Table removed from tracking |
| 2026-01-04 | ContainerAppSystemLogs | Table removed from tracking |
| 2026-01-04 | Event | Table removed from tracking |
| 2026-01-04 | Syslog | Table removed from tracking |
| 2026-01-04 | StorageTableLogs | Table removed from tracking |
| 2026-01-04 | StorageQueueLogs | Table removed from tracking |
| 2026-01-04 | StorageFileLogs | Table removed from tracking |
| 2026-01-04 | StorageBlobLogs | Table removed from tracking |
| 2026-01-04 | OTelTraces | Table removed from tracking |
| 2026-01-04 | OTelSpans | Table removed from tracking |
This list is limited to the latest 50 changes.