When querying a table or building an Analytics Rule on its data, it’s important to know which columns are available to you.
As of July 30th, the SecurityEvent table has new data columns available to query. Here’s the list of the columns that have been added:
Keywords: A 64-bit mask of keywords defined in the event. Keywords classify types of events (e.g. events associated with reading data), with the leftmost 2 bits representing audit success or failure.
Opcode: Operation code identifying the location in the application from where the event was logged, together with Task.
EventRecordId: The record number assigned to the event when it was logged.
SystemThreadId: The thread that generated the event.
SystemProcessId: The process that generated the event.
Correlation: Activity identifiers that consumers can use to group related events together.
Version: The version number of the event’s definition.
SystemUserId: The ID of the user responsible for the event.
Full SecurityEvent table schema: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/securityevent
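To show how the new columns fit into a query, here is an added KQL example (my own, not from the post or from Microsoft's docs). It assumes Keywords is stored as a hex string and uses the well-known Windows audit keyword values (Audit Success 0x8020000000000000, Audit Failure 0x8010000000000000), which the post does not list; the threshold of 10 is an arbitrary choice.

```kql
// Assumption: Keywords is a hex string such as "0x8010000000000000".
// The audit keyword values are standard Windows Security log values, not from the post.
let AuditFailure = "0x8010000000000000";
let AuditSuccess = "0x8020000000000000";
SecurityEvent
| where TimeGenerated > ago(1d)
// EventRecordId is unique per event per log, so it lets you drop
// duplicate ingestions of the same record before counting.
| summarize arg_max(TimeGenerated, *) by Computer, EventRecordId
// Keep only records the OS flagged as Audit Failure via the keyword mask.
| where tostring(Keywords) == AuditFailure
// Group related records by the emitting process and activity correlation,
// so a single noisy process is surfaced as one row instead of many.
| summarize
    Failures  = count(),
    EventIds  = make_set(EventID, 20),
    Users     = make_set(SystemUserId, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by Computer, SystemProcessId, Correlation = tostring(Correlation)
| where Failures >= 10
| order by Failures desc
```

Swap AuditFailure for AuditSuccess to review the success side of the same activity, or drop the Keywords filter and add Keywords to the summarize key to see both side by side.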
Happy KQL’ing!