Tables that support transformations in Azure Monitor Logs

The following list identifies the tables in a Log Analytics workspace that support transformations.

Note

We are in a process of adding support for more tables. Please check this article regularly.

Table	Limitations
AACAudit
AACHttpRequest
AADB2CRequestLogs
AADCustomSecurityAttributeAuditLogs
AADDomainServicesAccountLogon
AADDomainServicesAccountManagement
AADDomainServicesDirectoryServiceAccess
AADDomainServicesDNSAuditsDynamicUpdates
AADDomainServicesDNSAuditsGeneral
AADDomainServicesLogonLogoff
AADDomainServicesPolicyChange
AADDomainServicesPrivilegeUse
AADFirstPartyToFirstPartySignInLogs
AADManagedIdentitySignInLogs
AADNonInteractiveUserSignInLogs
AADProvisioningLogs
AADRiskyServicePrincipals
AADRiskyUsers
AADServicePrincipalRiskEvents
AADServicePrincipalSignInLogs
AADUserRiskEvents
ABAPAuditLog
ABAPAuthorizationDetails
ABAPChangeDocsLog
ABAPUserDetails
ABSBotRequests
ACICollaborationAudit
ACRConnectedClientList
ACREntraAuthenticationAuditLog
ACSAdvancedMessagingOperations
ACSAuthIncomingOperations
ACSBillingUsage
ACSCallAutomationIncomingOperations
ACSCallAutomationMediaSummary
ACSCallClientMediaStatsTimeSeries
ACSCallClientOperations
ACSCallClosedCaptionsSummary
ACSCallDiagnostics
ACSCallDiagnosticsUpdates
ACSCallingMetrics
ACSCallRecordingIncomingOperations
ACSCallRecordingSummary
ACSCallSummary
ACSCallSummaryUpdates
ACSCallSurvey
ACSChatIncomingOperations
ACSEmailSendMailOperational
ACSEmailStatusUpdateOperational
ACSEmailUserEngagementOperational
ACSJobRouterIncomingOperations
ACSRoomsIncomingOperations
ACSSMSIncomingOperations
ADAssessmentRecommendation
AddonAzureBackupAlerts
AddonAzureBackupJobs
AddonAzureBackupPolicy
AddonAzureBackupProtectedInstance
AddonAzureBackupStorage
ADFActivityRun
ADFAirflowSchedulerLogs
ADFAirflowTaskLogs
ADFAirflowWebLogs
ADFAirflowWorkerLogs
ADFPipelineRun
ADFSandboxActivityRun
ADFSandboxPipelineRun
ADFSSignInLogs
ADFSSISIntegrationRuntimeLogs
ADFSSISPackageEventMessageContext
ADFSSISPackageEventMessages
ADFSSISPackageExecutableStatistics
ADFSSISPackageExecutionComponentPhases
ADFSSISPackageExecutionDataStatistics
ADFTriggerRun
ADPAudit
ADPDiagnostics
ADPRequests
ADReplicationResult
ADSecurityAssessmentRecommendation
ADTDataHistoryOperation
ADTDigitalTwinsOperation
ADTModelsOperation
ADTQueryOperation
ADXCommand
ADXJournal
ADXQuery
ADXTableDetails
ADXTableUsageStatistics
AegDataPlaneRequests
AegDeliveryFailureLogs
AegPublishFailureLogs
AEWAssignmentBlobLogs
AEWAuditLogs
AEWComputePipelinesLogs
AEWExperimentAssignmentSummary
AEWExperimentScorecardMetricPairs
AEWExperimentScorecards
AFDAccessLog
AFDClassicCdnAccessLog
AFDHealthProbeLog
AFDWebApplicationFirewallLog
AFSAuditLogs
AGCAccessLogs
AggregatedSecurityAlert
AgriFoodApplicationAuditLogs
AgriFoodFarmManagementLogs
AgriFoodFarmOperationLogs
AgriFoodInsightLogs
AgriFoodJobProcessedLogs
AgriFoodModelInferenceLogs
AgriFoodProviderAuthLogs
AgriFoodSatelliteLogs
AgriFoodSensorManagementLogs
AgriFoodWeatherLogs
AGSGrafanaLoginEvents
AGSGrafanaUsageInsightsEvents
AGWAccessLogs
AGWFirewallLogs
AGWPerformanceLogs
AHDSDeidAuditLogs
AHDSDicomAuditLogs
AHDSDicomDiagnosticLogs
AHDSMedTechDiagnosticLogs
AirflowDagProcessingLogs
AKSAudit
AKSAuditAdmin
AKSControlPlane
ALBHealthEvent
Alert
AlertEvidence
AlertInfo
AMATelemetryEvents
AmlComputeClusterEvent
AmlComputeCpuGpuUtilization
AmlComputeInstanceEvent
AmlComputeJobEvent
AmlDataLabelEvent
AmlDataSetEvent
AmlDataStoreEvent
AmlDeploymentEvent
AmlEnvironmentEvent
AmlInferencingEvent
AmlModelsEvent
AmlOnlineEndpointConsoleLog
AmlOnlineEndpointEventLog
AmlOnlineEndpointTrafficLog
AmlPipelineEvent
AmlRegistryReadEventsLog
AmlRegistryWriteEventsLog
AmlRunEvent
AmlRunStatusChangedEvent
AMSKeyDeliveryRequests
AMSLiveEventOperations
AMSMediaAccountHealth
AMSStreamingEndpointRequests
AMWMetricsUsageDetails
ANFFileAccess
Anomalies
AOIDatabaseQuery
AOIDigestion
AOIStorage
ApiManagementGatewayLlmLog
ApiManagementGatewayLogs
APIMDevPortalAuditDiagnosticLog
AppAvailabilityResults
AppBrowserTimings
AppCenterError
AppDependencies
AppEvents
AppExceptions
AppMetrics
AppPageViews
AppPerformanceCounters
AppPlatformIngressLogs
AppPlatformLogsforSpring
AppPlatformSystemLogs
AppRequests
AppServiceAntivirusScanAuditLogs
AppServiceAppLogs
AppServiceAuditLogs
AppServiceAuthenticationLogs
AppServiceConsoleLogs
AppServiceEnvironmentPlatformLogs
AppServiceFileAuditLogs
AppServiceHTTPLogs
AppServiceIPSecAuditLogs
AppServicePlatformLogs
AppServiceServerlessSecurityPluginData
AppSystemEvents
AppTraces
ArcK8sAudit
ArcK8sAuditAdmin
ArcK8sControlPlane
ASCAuditLogs
ASCDeviceEvents
ASimAuditEventLogs
ASimAuthenticationEventLogs
ASimDhcpEventLogs
ASimDnsActivityLogs
ASimFileEventLogs
ASimNetworkSessionLogs
ASimProcessEventLogs
ASimRegistryEventLogs
ASimUserManagementActivityLogs
ASimWebSessionLogs
ASRJobs
ASRReplicatedItems
ASRv2HealthEvents
ASRv2JobEvents
ASRv2ProtectedItems
ASRv2ReplicationExtensions
ASRv2ReplicationPolicies
ASRv2ReplicationVaults
ATCExpressRouteCircuitIpfix
ATCMicrosoftPeeringMetadata
ATCPrivatePeeringMetadata
AuditLogs
AutoscaleEvaluationsLog
AutoscaleScaleActionsLog
AVNMConnectivityConfigurationChange
AVNMIPAMPoolAllocationChange
AVNMNetworkGroupMembershipChange
AVNMRuleCollectionChange
AVSEsxiFirewallSyslog
AVSEsxiSyslog
AVSNsxEdgeSyslog
AVSNsxManagerSyslog
AVSSyslog
AVSVcSyslog
AWSCloudTrail
AWSCloudTrailCCP
AWSCloudWatch
AWSCloudWatchCCP
AWSGuardDuty
AWSGuardDutyCCP
AWSNetworkFirewallAlert
AWSNetworkFirewallFlow
AWSNetworkFirewallTls
AWSRoute53Resolver
AWSS3ServerAccess
AWSSecurityHubFindings
AWSVPCFlow
AWSVPCFlowLogsCCP
AWSWAF
AZFWApplicationRule
AZFWApplicationRuleAggregation
AZFWDnsQuery
AZFWDnsQuery
AZFWFatFlow
AZFWFatFlow
AZFWFlowTrace
AZFWFlowTrace
AZFWIdpsSignature
AZFWIdpsSignature
AZFWInternalFqdnResolutionFailure
AZFWInternalFqdnResolutionFailure
AZFWNatRule
AZFWNatRuleAggregation
AZFWNetworkRule
AZFWNetworkRuleAggregation
AZFWThreatIntel
AZKVPolicyEvaluationDetailsLogs
AZMSApplicationMetricLogs
AZMSArchiveLogs
AZMSAutoscaleLogs
AZMSCustomerManagedKeyUserLogs
AZMSDiagnosticErrorLogs
AZMSHybridConnectionsEvents
AZMSKafkaCoordinatorLogs
AZMSKafkaUserErrorLogs
AZMSOperationalLogs
AZMSRunTimeAuditLogs
AZMSVnetConnectionEvents
AzureAssessmentRecommendation
AzureAttestationDiagnostics
AzureBackupOperations
AzureDevOpsAuditing
AzureLoadTestingOperation
AzureLogAnalyticsIngestionDiagnosticLogs
BehaviorAnalytics
BehaviorEntities
BehaviorInfo
BlockchainApplicationLog
BlockchainProxyLog
CampaignInfo
CassandraAudit
CassandraLogs
CCFApplicationLogs
CDBCassandraRequests
CDBControlPlaneRequests
CDBDataPlaneRequests
CDBGremlinRequests
CDBMongoRequests
CDBPartitionKeyRUConsumption
CDBPartitionKeyStatistics
CDBQueryRuntimeStatistics
CDBTableApiRequests
ChaosStudioExperimentEventLogs
CIEventsAudit
CIEventsOperational
CloudAppEvents
CloudHsmServiceOperationAuditLogs
CommonSecurityLog
CommunicationComplianceActivity
ComputerGroup
ConfidentialWatchlist
ConfigurationChange
ConfigurationData	Partial support - some of the data is ingested through internal services that aren't supported.
ContainerAppConsoleLogs
ContainerAppSystemLogs
ContainerEvent
ContainerImageInventory
ContainerInstanceLog
ContainerInventory
ContainerLog
ContainerLogV2
ContainerNodeInventory
ContainerRegistryLoginEvents
ContainerRegistryRepositoryEvents
ContainerServiceLog
CoreAzureBackup
CosmosDBPostgresLogs
CrowdStrikeAlerts
CrowdStrikeDetections
CrowdStrikeHosts
CrowdStrikeIncidents
CrowdStrikeVulnerabilities
CSARequestResponse
DatabricksAccounts
DatabricksApps
DatabricksBrickStoreHttpGateway
DatabricksBudgetPolicyCentral
DatabricksCloudStorageMetadata
DatabricksClusterPolicies
DatabricksClusters
DatabricksDashboards
DatabricksDataMonitoring
DatabricksDataRooms
DatabricksDBFS
DatabricksFeatureStore
DatabricksFiles
DatabricksFilesystem
DatabricksGenie
DatabricksGlobalInitScripts
DatabricksGroups
DatabricksIngestion
DatabricksInstancePools
DatabricksJobs
DatabricksLakeviewConfig
DatabricksLineageTracking
DatabricksMarketplaceConsumer
DatabricksMarketplaceProvider
DatabricksMLflowAcledArtifact
DatabricksMLflowExperiment
DatabricksNotebook
DatabricksOnlineTables
DatabricksPredictiveOptimization
DatabricksRBAC
DatabricksRemoteHistoryService
DatabricksRFA
DatabricksSecrets
DatabricksSQLPermissions
DatabricksSSH
DatabricksVectorSearch
DatabricksWebhookNotifications
DatabricksWorkspace
DatabricksWorkspaceFiles
DataTransferOperations
DataverseActivity
DCPlanBillingEventLogs
DCRLogErrors
DefenderForSqlAlerts
DefenderForSqlTelemetry
DevCenterBillingEventLogs
DevCenterDiagnosticLogs
DevCenterResourceOperationLogs
DeviceEvents
DeviceFileCertificateInfo
DeviceFileEvents
DeviceImageLoadEvents
DeviceInfo
DeviceLogonEvents
DeviceNetworkEvents
DeviceNetworkInfo
DeviceProcessEvents
DeviceRegistryEvents
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
DeviceTvmSoftwareInventory
DeviceTvmSoftwareVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
DFPPurchaseLogs
DnsAuditEvents
DnsEvents
DnsInventory
DNSQueryLogs
DSMDataClassificationLogs
DSMDataLabelingLogs
DummyHydrationFact
DynamicEventCollection
Dynamics365Activity
EGNFailedHttpDataPlaneOperations
EGNFailedMqttConnections
EGNFailedMqttPublishedMessages
EGNFailedMqttSubscriptions
EGNMqttDisconnections
EGNSuccessfulHttpDataPlaneOperations
EGNSuccessfulMqttConnections
EmailAttachmentInfo
EmailEvents
EmailPostDeliveryEvents
EmailUrlInfo
EnrichedMicrosoft365AuditLogs
Event	Partial support. Data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported. Data arriving from Diagnostics Extension is collected through Azure storage. This path isn't supported.
ExchangeAssessmentRecommendation
ExchangeOnlineAssessmentRecommendation
FailedIngestion
FileMaliciousContentInfo
FSPGPGBouncer
FunctionAppLogs
GCPApigee
GCPAuditLogs
GCPCDN
GCPCloudRun
GCPCloudSQL
GCPComputeEngine
GCPDNS
GCPFirewallLogs
GCPIAM
GCPIDS
GCPLoadBalancer
GCPMonitoring
GCPNAT
GCPNATAudit
GCPResourceManager
GCPVPCFlow
GKEAPIServer
GKEApplication
GKEAudit
GKEControllerManager
GKEHPADecision
GKEScheduler
GoogleCloudSCC
GoogleWorkspaceReports
HDInsightAmbariClusterAlerts
HDInsightAmbariSystemMetrics
HDInsightGatewayAuditLogs
HDInsightHadoopAndYarnLogs
HDInsightHadoopAndYarnMetrics
HDInsightHBaseLogs
HDInsightHBaseMetrics
HDInsightHiveAndLLAPLogs
HDInsightHiveAndLLAPMetrics
HDInsightHiveTezAppStats
HDInsightKafkaLogs
HDInsightKafkaMetrics
HDInsightOozieLogs
HDInsightSecurityLogs
HDInsightSparkApplicationEvents
HDInsightSparkBlockManagerEvents
HDInsightSparkEnvironmentEvents
HDInsightSparkExecutorEvents
HDInsightSparkExtraEvents
HDInsightSparkJobEvents
HDInsightSparkLogs
HDInsightSparkSQLExecutionEvents
HDInsightSparkStageEvents
HDInsightSparkStageTaskAccumulables
HDInsightSparkTaskEvents
HDInsightStormLogs
HDInsightStormMetrics
HDInsightStormTopologyMetrics
HealthStateChangeEvent
HuntingBookmark
IdentityDirectoryEvents
IdentityInfo
IdentityLogonEvents
IdentityQueryEvents
IlumioInsights
InsightsMetrics	Partial support - some of the data is ingested through internal services that aren't supported.
IntuneAuditLogs
IntuneDevices
IntuneOperationalLogs
KubeEvents
KubeHealth
KubeMonAgentEvents
KubeNodeInventory
KubePodInventory
KubePVInventory
KubeServices
LAJobLogs
LAQueryLogs
LASummaryLogs
LIATrackingEvents
LinuxAuditLog
LogicAppWorkflowRuntime
McasShadowItReporting
MCCEventLogs
MCVPAuditLogs
MCVPOperationLogs
MDCDetectionDNSEvents
MDCDetectionFimEvents
MDCDetectionGatingValidationEvents
MDCDetectionK8SApiEvents
MDCFileIntegrityMonitoringEvents
MDECustomCollectionDeviceFileEvents
MDPResourceLog
MicrosoftAzureBastionAuditLogs
MicrosoftDataShareReceivedSnapshotLog
MicrosoftDataShareSentSnapshotLog
MicrosoftGraphActivityLogs
MicrosoftHealthcareApisAuditLogs
MicrosoftPurviewInformationProtection
MNFDeviceUpdates
MNFSystemSessionHistoryUpdates
MNFSystemStateMessageUpdates
MPTOperation
MySqlAuditLogs
MySqlErrorLogs
MySqlSlowLogs
NCBMBreakGlassAuditLogs
NCBMSecurityDefenderLogs
NCBMSecurityLogs
NCBMSystemLogs
NCCKubernetesLogs
NCCPlatformOperationsLogs
NCCVMOrchestrationLogs
NCMClusterOperationsLogs
NCSStorageAlerts
NCSStorageAudits
NCSStorageLogs
NetworkAccessAlerts
NetworkAccessConnectionEvents
NetworkAccessTraffic
NetworkMonitoring
NetworkSessions
NginxUpstreamUpdateLogs
NGXOperationLogs
NGXSecurityLogs
NSPAccessLogs
NTAInsights
NTAIpDetails
NTANetAnalytics
NTATopologyDetails
NWConnectionMonitorPathResult
NWConnectionMonitorTestResult
OEPAirFlowTask
OEPAuditLogs
OEPDataplaneLogs
OEPElasticOperator
OEPElasticsearch
OEWExperimentAssignmentSummary
OEWExperimentScorecardMetricPairs
OEWExperimentScorecards
OfficeActivity
OktaSystemLogs
OLPSupplyChainEntityOperations
OLPSupplyChainEvents
OTelEvents
OTelLogs
OTelResources
OTelSpans
Perf
PFTitleAuditLogs
PGSQLAutovacuumStats
PGSQLDbTransactionsStats
PGSQLPgStatActivitySessions
PGSQLQueryStoreRuntime
PGSQLQueryStoreWaits
PGSQLServerLogs
PipelineTestVehicles
PipelineTestVehiclesInternalUseOnly
PlatformTelemetryMetricsLaTable
PowerAppsActivity
PowerAutomateActivity
PowerBIActivity
PowerBIDatasetsTenant
PowerBIDatasetsWorkspace
PowerPlatformAdminActivity
PowerPlatformConnectorActivity
PowerPlatformDlpActivity
ProcessInvestigator
ProjectActivity
ProtectionStatus
PurviewDataSensitivityLogs
PurviewScanStatusLogs
PurviewSecurityLogs
REDConnectionEvents
RemoteNetworkHealthLogs
ResourceManagementPublicAccessLogs
RetinaNetworkFlowLogs
RomeDetectionEvent
SCCMAssessmentRecommendation
SCGPoolExecutionLog
SCGPoolRequestLog
SCOMAssessmentRecommendation
SecureScoreControls
SecureScores
SecurityAlert
SecurityAttackPathData
SecurityBaseline
SecurityBaselineSummary
SecurityDetection
SecurityEvent	Partial support - data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported. Data arriving via Diagnostics Extension agent is collected though storage while this path isn't supported.
SecurityIncident
SecurityIoTRawEvent
SecurityNestedRecommendation
SecurityRecommendation
SecurityRegulatoryCompliance
SentinelAudit
SentinelHealth
ServiceMap
SfBAssessmentRecommendation
SfBOnlineAssessmentRecommendation
SharePointOnlineAssessmentRecommendation
SignalRServiceDiagnosticLogs
SigninLogs
SPAssessmentRecommendation
SQLAssessmentRecommendation
SqlAtpStatus
SQLSecurityAuditEvents
SqlThreatProtectionLoginAudits
SqlVulnerabilityAssessmentResult
SqlVulnerabilityAssessmentScanStatus
StorageBlobLogs
StorageCacheOperationEvents
StorageCacheUpgradeEvents
StorageCacheWarningEvents
StorageFileLogs
StorageInsightsAccountPropertiesDaily
StorageInsightsDailyMetrics
StorageInsightsHourlyMetrics
StorageInsightsMonthlyMetrics
StorageInsightsWeeklyMetrics
StorageMalwareScanningResults
StorageMoverCopyLogsFailed
StorageMoverCopyLogsTransferred
StorageMoverJobRunLogs
StorageQueueLogs
StorageTableLogs
SucceededIngestion
SVMPoolExecutionLog
SVMPoolRequestLog
SynapseBigDataPoolApplicationsEnded
SynapseBuiltinSqlPoolRequestsEnded
SynapseDXFailedIngestion
SynapseDXSucceededIngestion
SynapseGatewayApiRequests
SynapseIntegrationActivityRuns
SynapseIntegrationPipelineRuns
SynapseIntegrationTriggerRuns
SynapseLinkEvent
SynapseRbacOperations
SynapseScopePoolScopeJobsEnded
SynapseScopePoolScopeJobsStateChange
SynapseSqlPoolDmsWorkers
SynapseSqlPoolExecRequests
SynapseSqlPoolRequestSteps
SynapseSqlPoolSqlRequests
SynapseSqlPoolWaits
Syslog	Partial support - data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported. Data arriving via Diagnostics Extension agent is collected though storage while this path isn't supported.
ThreatIntelIndicators
ThreatIntelligenceIndicator
ThreatIntelObjects
TOUserAudits
TOUserDiagnostics
TSIIngress
UCClient
UCClientReadinessStatus
UCClientUpdateStatus
UCDeviceAlert
UCDOAggregatedStatus
UCDOStatus
UCServiceUpdateStatus
UCUpdateAlert
Update	Partial support - some of the data is ingested through internal services that aren't supported.
UpdateRunProgress
UpdateSummary
UrlClickEvents
VCoreMongoRequests
VIAudit
VIIndexing
W3CIISLog	Partial support - data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported. Data arriving via Diagnostics Extension agent is collected though storage while this path isn't supported.
WaaSDeploymentStatus
WaaSInsiderStatus
WaaSUpdateStatus
Watchlist
WebPubSubConnectivity
WebPubSubHttpRequest
WebPubSubMessaging
Windows365AuditLogs
WindowsClientAssessmentRecommendation
WindowsEvent
WindowsFirewall
WindowsServerAssessmentRecommendation
WireData	Partial support - some of the data is ingested through internal services that aren't supported.
WorkloadDiagnosticLogs
WUDOAggregatedStatus
WUDOStatus
WVDAgentHealthStatus
WVDCheckpoints
WVDConnectionNetworkData
WVDConnections
WVDErrors
WVDFeeds
WVDHostRegistrations
WVDManagement

Last updated on 2025-11-13

Tables that support transformations in Azure Monitor Logs

Additional resources