
Task 02: Explore tables, schemas, and data sources

Introduction

Microsoft Sentinel organizes collected data into tables stored within your workspace. Each table corresponds to a data source such as Defender XDR, Entra ID, or Azure Activity.

Understanding how these tables are structured helps you build effective queries and detections.

Description

In this task, you’ll explore the table structure inside your workspace and run basic Kusto Query Language (KQL) queries to view sample data.

### Success criteria

  • Key tables (SecurityIncident, SecurityAlert, SigninLogs, AuditLogs) are identified.
  • Schema and data structure are reviewed.
  • Queries successfully return relevant security data.

Key steps:

  1. Locate and review these key tables in the Sentinel workspace:

    • SecurityIncident — Incident-level data aggregated from Defender XDR and Sentinel rules.

    • SecurityAlert — Alert-level data from Defender XDR, Sentinel analytics rules, and integrated sources.

    • SigninLogs — Authentication events from Entra ID.

    • AuditLogs — Administrative or configuration actions.

    Expand here for detailed steps
    1. Open your default Sentinel workspace (law-sentinel-xdr-lab).
    2. In the left menu, select Logs.
    3. Close the Query hub, if necessary.
    4. Expand the Tables icon in the left pane to view all table categories.

    ![Tables pane in the Logs view](Exc2_img5.png)

    {: .highlight } Each data connector adds its own set of tables. Knowing which table maps to which connector helps target your KQL queries effectively.

  2. Run exploratory KQL queries to inspect data and schemas.

    {: .warning } On the Logs page, verify in the upper right that KQL mode is selected.

    1. List all tables and row counts.

      Expand here for detailed steps
      1. Run the following:

         search *
         | summarize Rows = count() by $table
         | sort by Rows desc
        
    2. Inspect schema for a specific table (example: SecurityAlert).

      Expand here for detailed steps
      1. Run the following:

         SecurityAlert 
         | getschema 
        
    3. Review the latest incidents.

      Expand here for detailed steps
      1. Run the following:

         SecurityIncident
         | sort by TimeGenerated desc
         | take 10
        
    4. Filter incidents related to EICAR test.

      Expand here for detailed steps
      1. Run the following:

         SecurityIncident
         | where Title contains "EICAR" or Description contains "EICAR"
         | project TimeGenerated, IncidentNumber, Title, Severity, ProviderName, Owner
         | sort by TimeGenerated desc
        
    5. View Defender for Endpoint alerts.

      Expand here for detailed steps
      1. Run the following:

         SecurityAlert
         | where ProviderName == "MDATP" or ProductName == "Microsoft Defender for Endpoint"
         | where TimeGenerated > ago(48h)
         | project TimeGenerated, AlertName, Description, CompromisedEntity, Tactics, ProviderName
         | sort by TimeGenerated desc
        
    6. Analyze recent sign-in activity (if Entra ID connector is active).

      Expand here for detailed steps
      1. Run the following:

         SigninLogs
         | summarize SignIns = count() by AppDisplayName, ResultType
         | top 10 by SignIns desc
        
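The incident and alert queries above look at each table on its own. The following query, added here as an example and not part of the lab's own steps, pivots from the EICAR incidents to the individual alerts that make them up. It relies on two columns that exist in the standard Sentinel schema: `SecurityIncident.AlertIds` (a dynamic array of alert ids) and `SecurityAlert.SystemAlertId`. The 7-day lookback is an assumption; widen it if your EICAR test ran earlier.

```kusto
// Added example: map each EICAR incident to the alerts it aggregates.
// SecurityIncident is re-written on every update, so keep only the latest
// version of each incident before expanding its alert ids.
SecurityIncident
| where Title contains "EICAR" or Description contains "EICAR"
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is a dynamic array; expand it to one row per alert id (as string)
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(7d)   // assumed lookback window
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
// columns present on both sides get a "1" suffix on the alert (right) side
| project IncidentNumber, Title, Severity, Status,
          AlertName, AlertProvider = ProviderName1, CompromisedEntity, Tactics,
          AlertTime = TimeGenerated1
| sort by IncidentNumber desc, AlertTime desc
```

Reading the result side by side with step 5 shows which provider (for example the Defender for Endpoint alerts) contributed each alert to an incident, which is the relationship you will rely on later when tuning analytics rules.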

{: .warning } Some queries may return no results if connectors like Entra ID are not yet configured.
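Before concluding that a connector is broken, it helps to check whether its tables have received any rows recently. The query below is an added example (not one of the lab's steps) that reports, for the four key tables in this task, how many rows arrived in the lookback window and how stale the newest record is. `union withsource=` is standard KQL; the 7-day window and the list of table names are assumptions you can adjust.

```kusto
// Added example: connector freshness check for the key tables.
// An empty or missing row for a table means that connector has not
// delivered data in the window, which explains empty results elsewhere.
let lookback = 7d;                      // assumed window
let keyTables = dynamic(["SecurityIncident", "SecurityAlert", "SigninLogs", "AuditLogs"]);
union withsource = TableName *
| where TimeGenerated > ago(lookback)
| where TableName in (keyTables)
| summarize Rows = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by TableName
| extend HoursSinceLast = datetime_diff('hour', now(), LastSeen)
| sort by LastSeen desc
```

A table that is absent from the output (for example `SigninLogs` before the Entra ID connector is enabled) is the usual cause of the empty results mentioned in the warning; a table that appears with a large `HoursSinceLast` value points to an ingestion gap rather than a missing connector.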