| _BilledSize |
|
Double |
| _IsBillable |
|
String |
| AdditionalFields |
When no respective column in the schema matches, additional fields can be stored in a JSON bag. |
Object |
| CloudAppId |
The ID of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used. |
String |
| CloudAppName |
The name of the destination application for an HTTP application as identified by a proxy. |
String |
| CloudAppOperation |
The operation the user performed in the context of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used. |
String |
| CloudAppRiskLevel |
The risk level associated with an HTTP application as identified by a proxy. This value is usually specific to the proxy used. |
String |
| DstBytes |
The number of bytes sent from the destination to the source for the connection or session. |
Int64 |
| DstDomainHostname |
The domain of the destination host. |
String |
| DstDvcDomain |
The domain of the destination device. |
String |
| DstDvcFqdn |
The fully qualified domain name of the host where the log was created. |
String |
| DstDvcHostname |
The device name of the destination device. |
String |
| DstDvcIpAddr |
The destination IP address of a device that is not directly associated with the network packet. |
String |
| DstDvcMacAddr |
The destination MAC address of a device that is not directly associated with the network packet. |
String |
| DstGeoCity |
The city associated with the destination IP address. |
String |
| DstGeoCountry |
The country associated with the source IP address. |
String |
| DstGeoLatitude |
The latitude of the geographical coordinate associated with the destination IP address. |
Double |
| DstGeoLongitude |
The longitude of the geographical coordinate associated with the destination IP address. |
Double |
| DstGeoRegion |
The region within a country associated with the destination IP address. |
String |
| DstInterfaceGuid |
GUID of the network interface that was used for the authentication request. |
String |
| DstInterfaceName |
The network interface used for the connection or session by the destination device. |
String |
| DstIpAddr |
The IP address of the connection or session destination. |
String |
| DstMacAddr |
The MAC address of the network interface at which the connection or session terminated. |
String |
| DstNatIpAddr |
If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the source. |
String |
| DstNatPortNumber |
If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the source. |
Int32 |
| DstPackets |
The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. |
Int64 |
| DstPortNumber |
The destination IP port. |
Int32 |
| DstResourceId |
The resource ID of the destination device. |
String |
| DstUserAadId |
The Azure AD account object ID of the user at the destination end of the session. |
String |
| DstUserDomain |
The domain or computer name of the account at the destination of the session. |
String |
| DstUserName |
The username of the identity associated with the session’s destination. |
String |
| DstUserSid |
The User ID of the identity associated with the session’s destination. Typically, the identity used to authenticate a server. |
String |
| DstUserUpn |
The UPN of the identity associated with the session’s destination. |
String |
| DstZone |
The network zone of the destination, as defined by the reporting device. |
String |
| DvcAction |
If reported by an intermediary device such as a firewall, the action taken by the device. |
String |
| DvcHostname |
The device name of the device generating the message. |
String |
| DvcInboundInterface |
If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the source device. |
String |
| DvcIpAddr |
The IP address of the device generating the record. |
String |
| DvcMacAddr |
The MAC address of the network interface of the reporting device from which the event was sent. |
String |
| DvcOutboundInterface |
If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the destination device. |
String |
| EventCount |
The number of events aggregated, if applicable. |
Int32 |
| EventEndTime |
The time at which the event ended. |
DateTime |
| EventMessage |
A general message or description, either included in or generated from the record. |
String |
| EventOriginalUid |
The record ID from the reporting device. |
String |
| EventProduct |
The product generating the event. |
String |
| EventProductVersion |
The version of the product generating the event. |
String |
| EventReportUrl |
A link to the full report created by the reporting device. |
String |
| EventResourceId |
The resource ID of the device generating the message. |
String |
| EventResult |
The result reported for the activity. Empty value when not applicable. |
String |
| EventResultDetails |
Reason for the result reported in EventResult. |
String |
| EventSchemaVersion |
Azure Sentinel Schema Version. |
String |
| EventSeverity |
If the activity reported has a security impact, denotes the severity of the impact. |
String |
| EventStartTime |
The time at which the event started. |
DateTime |
| EventSubType |
Additional description of type if applicable. |
String |
| EventTimeIngested |
The time the event was ingested to Azure Sentinel. Will be added by Azure Sentinel. |
DateTime |
| EventType |
Type of event being collected. |
String |
| EventUid |
Unique identifier used by Sentinel to mark a row. |
String |
| EventVendor |
The vendor of the product generating the event. |
String |
| FileExtension |
The type of the file transmitted over the network connections for protocols such as FTP and HTTP. |
String |
| FileHashMd5 |
The MD5 hash value of the file transmitted over the network connections for protocols. |
String |
| FileHashSha1 |
The SHA1 hash value of the file transmitted over the network connections for protocols. |
String |
| FileHashSha256 |
The SHA256 hash value of the file transmitted over the network connections for protocols. |
String |
| FileHashSha512 |
The SHA512 hash value of the file transmitted over the network connections for protocols. |
String |
| FileMimeType |
The MIME type of the file transmitted over the network connections for protocols such as FTP and HTTP. |
String |
| FileName |
The filename transmitted over the network connections for protocols such as FTP and HTTP which provide the file name information. |
String |
| FilePath |
The full path, including file name, of the file. |
String |
| FileSize |
The file size, in bytes, of the file transmitted over the network connections for protocols. |
Int32 |
| HttpContentType |
The HTTP Response content type header for HTTP/HTTPS network sessions. |
String |
| HttpReferrerOriginal |
The HTTP referrer header for HTTP/HTTPS network sessions. |
String |
| HttpRequestMethod |
The HTTP Method for HTTP/HTTPS network sessions. |
String |
| HttpRequestTime |
The amount of time it took to send the request to the server, if applicable. |
Int32 |
| HttpRequestXff |
The HTTP X-Forwarded-For header for HTTP/HTTPS network sessions. |
String |
| HttpResponseTime |
The amount of time it took to receive a response in the server, if applicable. |
Int32 |
| HttpStatusCode |
The HTTP Status Code for HTTP/HTTPS network sessions. |
String |
| HttpUserAgentOriginal |
The HTTP user agent header for HTTP/HTTPS network sessions. |
String |
| HttpVersion |
The HTTP Request Version for HTTP/HTTPS network connections. |
String |
| NetworkApplicationProtocol |
The application layer protocol used by the connection or session. |
String |
| NetworkBytes |
Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. |
Int64 |
| NetworkDirection |
The direction of the connection or session, into or out of the organization. |
String |
| NetworkDuration |
The amount of time, in milliseconds, for the completion of the network session or connection. |
Int32 |
| NetworkIcmpCode |
For an ICMP message, ICMP message type numeric value (RFC 2780 or RFC 4443). |
Int32 |
| NetworkIcmpType |
For an ICMP message, ICMP message type text representation (RFC 2780 or RFC 4443). |
String |
| NetworkPackets |
Number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. |
Int64 |
| NetworkProtocol |
The IP protocol used by the connection or session. Typically, TCP, UDP or ICMP. |
String |
| NetworkRuleName |
The name or ID of the rule by which DeviceAction was decided upon. |
String |
| NetworkRuleNumber |
Matched rule number. |
Int32 |
| NetworkSessionId |
The session identifier as reported by the reporting device. |
String |
| SourceSystem |
|
String |
| SrcBytes |
The number of bytes sent from the source to the destination for the connection or session. |
Int64 |
| SrcDvcDomain |
Domain of the device from which the session was initiated. |
String |
| SrcDvcFqdn |
The fully qualified domain name of the host where the log was created. |
String |
| SrcDvcHostname |
The device name of the source device. |
String |
| SrcDvcIpAddr |
The source IP address of a device not directly associated with the network packet (collected by a provider or explicitly calculated). |
String |
| SrcDvcMacAddr |
The source MAC address of a device that is not directly associated with the network packet. |
String |
| SrcDvcModelName |
The model of the source device. |
String |
| SrcDvcModelNumber |
The model number of the source device. |
String |
| SrcDvcOs |
The OS of the source device. |
String |
| SrcDvcType |
The type of the source device. |
String |
| SrcGeoCity |
The city associated with the source IP address. |
String |
| SrcGeoCountry |
The country associated with the source IP address. |
String |
| SrcGeoLatitude |
The latitude of the geographical coordinate associated with the source IP address. |
Double |
| SrcGeoLongitude |
The longitude of the geographical coordinate associated with the source IP address. |
Double |
| SrcGeoRegion |
The region within a country associated with the source IP address. |
String |
| SrcInterfaceGuid |
GUID of the network interface used. |
String |
| SrcInterfaceName |
The network interface used for the connection or session by the source device. |
String |
| SrcIpAddr |
The IP address from which the connection or session originated. |
String |
| SrcMacAddr |
The MAC address of the network interface from which the connection or session originated. |
String |
| SrcNatIpAddr |
If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the destination. |
String |
| SrcNatPortNumber |
If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the destination. |
Int32 |
| SrcPackets |
The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. |
Int64 |
| SrcPortNumber |
The IP port from which the connection originated. May not be relevant for a session comprising multiple connections. |
Int32 |
| SrcResourceId |
The resource ID of the device generating the message. |
String |
| SrcUserAadId |
The Azure AD account object ID of the user at the source end of the session. |
String |
| SrcUserDomain |
The domain for the account initiating the session. |
String |
| SrcUserName |
The username of the identity associated with the session’s source. Typically, the user performing an action on the client. |
String |
| SrcUserSid |
The user ID of the identity associated with the session’s source. Typically, the user performing an action on the client. |
String |
| SrcUserUpn |
UPN of the account initiating the session. |
String |
| SrcZone |
The network zone of the source, as defined by the reporting device. |
String |
| TenantId |
|
String |
| ThreatCategory |
The category of a threat identified by a security system, such as a Web Security Gateway or an IPS, and associated with this network session. |
String |
| ThreatId |
The ID of a threat identified by a security system, such as a Web Security Gateway or an IPS, and associated with this network session. |
String |
| ThreatName |
The name of the threat or malware identified. |
String |
| TimeGenerated |
The time the event occurred, as reported by reporting source. |
DateTime |
| Type |
The name of the table. |
String |
| UrlCategory |
The defined grouping of a URL (possibly based only on the domain in the URL) according to what it is (e.g., adult, news, advertising, parked domains). |
String |
| UrlHostname |
The domain part of an HTTP request URL for HTTP/HTTPS network sessions. |
String |
| UrlOriginal |
The HTTP request URL for HTTP/HTTPS network sessions. |
String |