Kusto Sentinel Tables

| Revised date | Author | Comment |
|---|---|---|
| 21.03.2025 | Roger Johnsen | Article added |

Introduction

For threat hunters, a solid understanding of the Advanced Hunting tables is crucial to identifying, investigating, and mitigating potential security threats. Each table in Microsoft Defender Advanced Hunting provides unique insights into one aspect of an organization's environment, such as device activity, user behavior, network connections, and email threats. The same tables are available in Microsoft Sentinel when the Microsoft Defender XDR data connector is enabled, which is why the table and column names below can be used in both portals. By correlating data across these tables, threat hunters can uncover patterns, detect anomalies, and trace the path an attack took. This approach enables proactive threat detection and a more effective response to incidents.


| Table name | Description | Purpose | Key columns (focus) | Threat hunting use cases | MITRE ATT&CK techniques |
|---|---|---|---|---|---|
| DeviceEvents | General device activity | Centralized repository for device-related events like file, process, network, and registry changes | Timestamp, DeviceId, ActionType, FileName, SHA256 | Investigating process executions, file modifications, anomalies | T1003 (OS Credential Dumping), T1082 (System Information Discovery) |
| DeviceInfo | Device information and context | Provides essential device metadata to contextualize events | DeviceId, DeviceName, Domain, OSPlatform, LastSeen | Identifying vulnerable systems, tracking device behavior | T1070 (Indicator Removal), T1016 (System Network Configuration Discovery) |
| DeviceLogonEvents | Logon/logoff events on devices | Tracks authentication activity to detect unauthorized access | Timestamp, DeviceId, AccountName, LogonType, RemoteIP | Detecting lateral movement, credential theft | T1078 (Valid Accounts), T1021 (Remote Services) |
| DeviceProcessEvents | Process creation events | Logs details of processes to trace malware or anomalies | Timestamp, ProcessId, ProcessCommandLine, FileName | Identifying malicious processes, suspicious behavior | T1059 (Command and Scripting Interpreter), T1059.001 (PowerShell) |
| DeviceFileEvents | File-related events | Monitors file modifications to identify suspicious actions | Timestamp, DeviceId, FileName, ActionType, SHA256 | Detecting ransomware activity, data exfiltration | T1486 (Data Encrypted for Impact), T1027 (Obfuscated Files or Information) |
| DeviceNetworkEvents | Network connections | Logs network activity to spot anomalies or threats | Timestamp, RemoteIP, RemotePort, LocalIP | Command-and-control detection, unusual network traffic | T1071 (Application Layer Protocol), T1105 (Ingress Tool Transfer) |
| DeviceRegistryEvents | Registry modifications | Tracks changes to registry keys to detect persistence techniques | Timestamp, RegistryKey, ActionType, RegistryValueData | Persistence mechanisms, malware configuration changes | T1547 (Boot or Logon Autostart Execution), T1112 (Modify Registry) |
| EmailEvents | Email-related threats | Analyzes email metadata for suspicious activities | Timestamp, SenderFromAddress, RecipientEmailAddress, NetworkMessageId | Phishing campaigns, malware delivery | T1566 (Phishing), T1189 (Drive-by Compromise) |
| EmailAttachmentInfo | Email attachment details | Contains attachment metadata for email threat analysis | Timestamp, FileName, FileSize, SHA256 | Identifying malicious attachments | T1204 (User Execution), T1036 (Masquerading) |
| EmailUrlInfo | URLs in emails | Tracks and evaluates URLs found within email messages | Timestamp, Url, NetworkMessageId | Tracking phishing URLs, anomalous behavior | T1566 (Phishing), T1204 (User Execution) |
| UrlClickEvents | User interactions with URLs | Monitors user clicks on URLs for risk assessment | Timestamp, Url, ActionType, AccountUpn | Tracking malicious URL clicks | T1566 (Phishing), T1189 (Drive-by Compromise) |
| CloudAppEvents | Cloud application activity | Tracks interactions with cloud services for threat detection | Timestamp, Application, ActionType, IPAddress | Investigating cloud access anomalies | T1078 (Valid Accounts), T1082 (System Information Discovery) |
| IdentityLogonEvents | Identity logon events | Provides insights into user authentication activity | Timestamp, AccountName, IPAddress, LogonType | Compromised accounts, MFA bypass detection | T1078 (Valid Accounts), T1556.006 (Modify Authentication Process: Multi-Factor Authentication) |
| IdentityInfo | Identity-related information | Consolidates user identity information for correlation | AccountSid, AccountName, AccountDomain, AccountObjectId | Enriching investigations with user context | T1087 (Account Discovery), T1580 (Cloud Infrastructure Discovery) |
| AlertInfo | Security alert details | Serves as a summary of triggered security alerts | Timestamp, AlertId, Title, Severity, AttackTechniques | Investigating and prioritizing security incidents | Varies; the AttackTechniques column lists the techniques for each alert |
| AlertEvidence | Evidence related to alerts | Provides specific data supporting the context of alerts | Timestamp, AlertId, EntityType, FileName | Understanding the scope and impact of alerts | Varies depending on alert type |
| externaldata (operator, not a table) | External threat intelligence data | Reads external data (for example a CSV of indicators in blob storage) into a query for correlation | Depends on source | Enriching hunting with threat intelligence feeds | Custom, based on external data source |

Note that T1086 (PowerShell) was retired in ATT&CK and is now the sub-technique T1059.001, and that "Indicator Removal on Host" is the former name of T1070.

On pivoting

There are many tables in Defender, and it is possible to pivot between them. In threat hunting, "pivoting" refers to taking a specific piece of information, such as a DeviceId, an account identifier or a file hash, and using it to navigate across different data sources or tables. The goal is to correlate events and uncover related details that help in tracking down a threat.

For example, if you discover a suspicious process on a device, you can use the DeviceId to “pivot” to other tables, like DeviceNetworkEvents to check for unusual network activity or DeviceLogonEvents to see if unauthorized access occurred on that same device. It’s like following breadcrumbs across a connected web of data to piece together the story of how a threat might have unfolded.

Think of it as a detective chasing leads to unravel the bigger picture—it’s a cornerstone of effective threat hunting!

For instance, say you have a DeviceId. Armed with this id you can start from any of the Device* tables in the graph below and move between the other tables depicted. One caveat: CloudAppEvents has no DeviceId column, so the last edge in the graph is a pivot on a shared IP address or account rather than on DeviceId.

graph TD
    Start[Start: Searching for DeviceId] --> A[DeviceEvents]
    A --> B[DeviceProcessEvents]
    A --> C[DeviceFileEvents]
    A --> D[DeviceLogonEvents]
    A --> E[DeviceNetworkEvents]
    A --> F[DeviceRegistryEvents]
    A --> G[DeviceInfo]
    D --> G
    E --> G
    B --> F
    G --> H[AlertInfo]
    F --> H
    B --> H
    C --> H
    H --> I[AlertEvidence]
    P[CloudAppEvents] --> G
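The DeviceId pivot above, written out as one query. This is an added example and not code from the original article; it assumes a Defender XDR or Sentinel workspace with the Device*, DeviceInfo and AlertEvidence tables, and the seed condition (PowerShell with an encoded command line), the time windows and the chosen columns are illustrative choices rather than anything the article prescribes.

```kusto
// Added example (not from the original article). Assumes the Defender XDR /
// Sentinel Device*, DeviceInfo and AlertEvidence tables. The seed condition,
// the time windows and the 7-day lookback are illustrative choices.
let lookback = 7d;
let window = 30m;
// 1. Seed: PowerShell started with an encoded command line.
let suspicious = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc ", "-EncodedCommand", "FromBase64String")
| project ProcTime = Timestamp, DeviceId, DeviceName, AccountName,
          ProcessId, ProcessCommandLine, SHA256;
// 2. Pivot on DeviceId into DeviceNetworkEvents: public connections within
//    +/- window of the process start, and how many came from that very process.
let netHits = suspicious
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
    | project NetTime = Timestamp, DeviceId, RemoteIP, RemotePort, InitiatingProcessId
  ) on DeviceId
| where NetTime between ((ProcTime - window) .. (ProcTime + window))
| summarize PublicConnections = count(),
            SameProcessConnections = countif(InitiatingProcessId == ProcessId),
            RemoteIPs = make_set(RemoteIP, 20)
          by DeviceId, ProcTime;
// 3. Pivot on DeviceId into DeviceLogonEvents: remote logons in the hour
//    before the process (a common precursor of lateral movement).
let logonHits = suspicious
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Network", "RemoteInteractive")
    | project LogonTime = Timestamp, DeviceId, LogonAccount = AccountName,
              RemoteIP, RemoteDeviceName
  ) on DeviceId
| where LogonTime between ((ProcTime - 1h) .. ProcTime)
| summarize RemoteLogons = count(),
            LogonAccounts = make_set(LogonAccount, 10),
            LogonSources = make_set(RemoteIP, 10)
          by DeviceId, ProcTime;
// 4. Pivot on DeviceId into DeviceInfo (latest snapshot) and AlertEvidence.
let deviceCtx = DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, OSPlatform, OSVersion, MachineGroup) by DeviceId
| project DeviceId, OSPlatform, OSVersion, MachineGroup;
let alerts = AlertEvidence
| where Timestamp > ago(lookback) and isnotempty(DeviceId)
| summarize ExistingAlerts = dcount(AlertId) by DeviceId;
// 5. Assemble one row per seed process.
suspicious
| join kind=leftouter (netHits) on DeviceId, ProcTime
| join kind=leftouter (logonHits) on DeviceId, ProcTime
| join kind=leftouter (deviceCtx) on DeviceId
| join kind=leftouter (alerts) on DeviceId
| project ProcTime, DeviceName, DeviceId, AccountName, ProcessCommandLine,
          PublicConnections, SameProcessConnections, RemoteIPs,
          RemoteLogons, LogonAccounts, LogonSources,
          OSPlatform, OSVersion, MachineGroup, ExistingAlerts
| order by PublicConnections desc, RemoteLogons desc
```

Two design points worth noting. Each pivot keeps the seed's ProcTime and filters the joined table to a window around it; joining on DeviceId alone would match every event the device ever produced. The right-hand side of every join is filtered by Timestamp before the join, which is what keeps the query cheap on the high-volume Device* tables.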

Similarly, you can pivot on a user. No table has a literal UserId column; the identity keys are AccountName, AccountSid, AccountUpn and AccountObjectId, and which one a table carries varies, so check the schema before joining:

graph TD
    Start[Start: Searching for UserId] --> A[DeviceLogonEvents]
    Start --> B[IdentityLogonEvents]
    A --> C[IdentityInfo]
    B --> C
    C --> D[AlertInfo]
    D --> E[AlertEvidence]
    Start --> F[UrlClickEvents]
    F --> G[EmailEvents]
    G --> H[EmailAttachmentInfo]
    G --> I[EmailUrlInfo]
    C --> J[CloudAppEvents]
    J --> D
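The user pivot above, written out as one query that follows a clicked link back to the message and forward to the account's sign-ins. This is an added example and not code from the original article; it assumes the Defender XDR or Sentinel UrlClickEvents, EmailEvents, EmailAttachmentInfo, EmailUrlInfo and IdentityLogonEvents tables, and the seed condition (clicks that reached the destination), the 24-hour post-click window and the chosen columns are illustrative choices.

```kusto
// Added example (not from the original article). Assumes the Defender XDR /
// Sentinel UrlClickEvents, Email* and IdentityLogonEvents tables. Window
// lengths and the "clicked through" seed are illustrative choices.
let lookback = 14d;
let afterClick = 24h;
// 1. Seed: clicks that reached the destination, keyed by AccountUpn.
let clicks = UrlClickEvents
| where Timestamp > ago(lookback)
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| project ClickTime = Timestamp, AccountUpn, Url, NetworkMessageId,
          ClickIP = IPAddress, ClickThreatTypes = ThreatTypes;
// 2. Pivot on NetworkMessageId into EmailEvents (sender and delivery verdict).
//    Reduced to one row per message, since EmailEvents has one row per recipient.
let mail = EmailEvents
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, SenderFromAddress, SenderIPv4, Subject, DeliveryAction) by NetworkMessageId
| project NetworkMessageId, SenderFromAddress, SenderIPv4, Subject, DeliveryAction;
// 3. Pivot on NetworkMessageId into EmailAttachmentInfo and EmailUrlInfo.
let attachments = EmailAttachmentInfo
| where Timestamp > ago(lookback)
| summarize Attachments = make_set(FileName, 10), AttachmentHashes = make_set(SHA256, 10) by NetworkMessageId;
let urls = EmailUrlInfo
| where Timestamp > ago(lookback)
| summarize UrlCount = dcount(Url), UrlDomains = make_set(UrlDomain, 10) by NetworkMessageId;
// 4. Pivot on AccountUpn into IdentityLogonEvents: compare the IPs the account
//    used before the click with those used in the 24h after it.
let logons = clicks
| join kind=inner (
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, AccountUpn, LogonIP = IPAddress, Application
  ) on AccountUpn
| where LogonTime <= ClickTime + afterClick
| summarize KnownIPs = make_set_if(LogonIP, LogonTime < ClickTime, 50),
            AfterIPs = make_set_if(LogonIP, LogonTime >= ClickTime, 50),
            LogonsAfterClick = countif(LogonTime >= ClickTime),
            AppsAfterClick = make_set_if(Application, LogonTime >= ClickTime, 10)
          by AccountUpn, ClickTime
| extend NewIPsAfterClick = set_difference(AfterIPs, KnownIPs);
// 5. Assemble one row per click.
clicks
| join kind=leftouter (mail) on NetworkMessageId
| join kind=leftouter (attachments) on NetworkMessageId
| join kind=leftouter (urls) on NetworkMessageId
| join kind=leftouter (logons) on AccountUpn, ClickTime
| project ClickTime, AccountUpn, Url, ClickIP, ClickThreatTypes,
          SenderFromAddress, SenderIPv4, Subject, DeliveryAction,
          Attachments, AttachmentHashes, UrlCount, UrlDomains,
          LogonsAfterClick, NewIPsAfterClick, AppsAfterClick
| order by array_length(NewIPsAfterClick) desc, ClickTime desc
```

The pivot key changes along the way: UrlClickEvents to the Email* tables is joined on NetworkMessageId, while UrlClickEvents to IdentityLogonEvents is joined on AccountUpn. A click followed by successful sign-ins from an IP the account had never used before is the row to look at first, which is why the result is sorted on the size of NewIPsAfterClick.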

These are just two examples; many more open up once you start joining result sets on other pivot points, such as a SHA256, a RemoteIP or a NetworkMessageId, to connect the data.