Table creation and table mappings for the Sentinel tables

[andrePKI]

This article is about Sentinel data. That is of the same structure and format for all customers. Is there any resource or repository which contains the target table definition and corresponding mapping? We are struggling with the creation of the tables and appropriate table mappings for the tables we have in Sentinel (about 100) and can't believe this hasn't been done before.

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 3bc62483-6dcf-c373-bc5d-fa11983a5126
• Version Independent ID: 68bb5add-0557-0799-6a29-f45220482417
• Content: Integrate Azure Data Explorer for long-term log retention
• Content Source: articles/sentinel/store-logs-in-azure-data-explorer.md
• Service: microsoft-sentinel
• Sub-service: microsoft-sentinel
• GitHub Login: @batamig
• Microsoft Alias: bagol

[YashikaTyagii]

@andrePKI Thanks for your feedback! We will investigate and update as appropriate.

[batamig]

Hi and thanks for your feedback! Tagging a current content owner - @yelevin , can you take a look?

[yelevin]

@bwren Do you know how to answer this? Thanks.

[cwatson-cat]

#assign:austinmccollum

[cwatson-cat]

@andrePKI There's a table reference in this library: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/sentinelaudit

You can also run the getschema operator in your workspace to get more info about a table: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/getschemaoperator

[rayne-wiselman]

@andrePKI, happy to hear if this addresses what you're looking for.

[andrePKI]

The above sure helps, but I also found this article on MS learn which refers to this powershell script I used that as a starting point and tweaked it for completeness. So I am happy now