Microsoft Sentinel normalized agent event logs table. Stores events associated with agent interactions, ensuring consistent and efficient analysis across different data sources.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | microsoft.securityinsights/agenteventnormalized |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time DCR support | No |
| Lake-only ingestion | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| ActingAppId | string | The identifier of the application that initiated the event. |
| ActingAppName | string | The name of the application that initiated the event. |
| ActingAppType | string | The type of the application that initiated the event. |
| ActorUserId | string | The unique identifier of the actor user. |
| ActorUserIdType | string | The type of the actor user identifier. |
| ActorUsername | string | The username of the actor. |
| ActorUsernameType | string | The type of the actor username. |
| ActorUserScope | string | The scope of the actor user. |
| ActorUserScopeId | string | The scope identifier of the actor user. |
| AdditionalFields | dynamic | Additional information not covered by other fields, stored as key-value pairs. |
| _BilledSize | real | The record size in bytes. |
| EventCount | int | The number of events aggregated in this record. |
| EventEndTime | datetime | The time at which the event ended. |
| EventErrorDetails | string | Details about any error that occurred during the event. |
| EventFinishReasons | dynamic | The reasons for the event completion. |
| EventOriginalErrorType | string | The original error type as provided by the source. |
| EventOriginalRequestDetails | string | The original request details as provided by the source. |
| EventOriginalResultDetails | string | The original result details as provided by the source. |
| EventOriginalType | string | The original event type as provided by the source. |
| EventOriginalUid | string | The original unique identifier of the event as provided by the source. |
| EventOutputType | string | The type of the event output. |
| EventProduct | string | The product that generated the event. |
| EventRequestFrequencyPenalty | real | The frequency penalty parameter used in the event request. |
| EventRequestId | string | The unique identifier of the request associated with the event. |
| EventRequestPresencePenalty | real | The presence penalty parameter used in the event request. |
| EventRequestSeed | long | The seed parameter used in the event request for reproducibility. |
| EventRequestTemperature | real | The temperature parameter used in the event request. |
| EventRequestTopP | real | The top-p (nucleus sampling) parameter used in the event request. |
| EventResponseId | string | The unique identifier of the response associated with the event. |
| EventSchema | string | The name of the ASIM schema for the event. |
| EventSchemaVersion | string | The version of the ASIM schema used. |
| EventSessionId | string | The unique identifier of the event session. |
| EventSessionName | string | The name of the event session. |
| EventStartTime | datetime | The time at which the event started. |
| EventThoughtProcessDetails | string | Details about the thought process or reasoning during the event. |
| EventThoughtProcessId | string | The unique identifier of the thought process associated with the event. |
| EventType | string | The type of the event. |
| EventUid | string | A unique identifier for the event. |
| EventVendor | string | The vendor of the product that generated the event. |
| InputTokensUsed | long | The number of input tokens consumed during the event. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| ModelName | string | The name of the model used in the event. |
| ModelProviderName | string | The name of the model provider. |
| OutputTokensUsed | long | The number of output tokens generated during the event. |
| PlatformTargetAgentDescription | string | A description of the platform target agent. |
| PlatformTargetAgentId | string | The unique identifier of the platform target agent. |
| PlatformTargetAgentName | string | The name of the platform target agent. |
| PlatformTargetOriginalAgentType | string | The original type of the platform target agent as reported by the source. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| SrcAgentBlueprintId | string | The blueprint identifier of the source agent. |
| SrcAgentDescription | string | A description of the source agent. |
| SrcAgentId | string | The unique identifier of the source agent. |
| SrcAgentName | string | The name of the source agent. |
| SrcAgentOriginalType | string | The original type of the source agent as reported by the source. |
| SrcFQDN | string | The fully qualified domain name of the source. |
| SrcIpAddr | string | The IP address of the source. |
| SrcPortNumber | int | The port number of the source. |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with. |
| TargetAgentBlueprintId | string | The blueprint identifier of the target agent. |
| TargetAgentDescription | string | A description of the target agent. |
| TargetAgentId | string | The unique identifier of the target agent. |
| TargetAgentName | string | The name of the target agent. |
| TargetAgentOriginalType | string | The original type of the target agent as reported by the source. |
| TargetAgentUserId | string | The user identifier associated with the target agent. |
| TargetAgentUsername | string | The username associated with the target agent. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The timestamp (UTC) of when the log was generated. |
| ToolDescription | string | A description of the tool used in the event. |
| ToolId | string | The unique identifier of the tool used in the event. |
| ToolName | string | The name of the tool used in the event. |
| ToolOriginalType | string | The original type of the tool as reported by the source. |
| Type | string | The name of the table. |