GCC Schema

Alerts
------
AlertInfo (replaces DeviceAlertEvents)
- (AlertID, TimeStamp, Severity, Category, Title, AttackTechniques)
AlertEvidence
- (AlertID, TimeStamp, DeviceID, DeviceName, FileName, SHA1, RemoteUrl, RemoteIP, ReportId, Table)

Apps & identities
-----------------
IdentityInfo
IdentityLogonEvents
IdentityQueryEvents
IdentityDirectoryEvents
CloudAppEvents (replaces AppFileEvents)

Email & collaboration
---------------------
EmailEvents
EmailAttachmentInfo
EmailUrlInfo
EmailPostDeliveryEvents

Devices
-------
DeviceInfo
DeviceNetworkInfo
DeviceProcessEvents
DeviceNetworkEvents
DeviceFileEvents
DeviceRegistryEvents
DeviceLogonEvents
DeviceImageLoadEvents
DeviceEvents
DeviceFileCertificateInfo

Threat & Vulnerability Management
---------------------------------
DeviceTvmSoftwareVulnerabilities (replaces DeviceTvmSoftwareInventoryVulnerabilities)
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmConfigurationAssessmentKB
DeviceTvmSoftwareInventory (replaces DeviceTvmSoftwareInventoryVulnerabilities)
DeviceTvmInfoGathering
DeviceTvmInfoGatheringKB
DeviceTvmSoftwareEvidenceBeta

Missing tables
--------------
UrlClickEvents
AppFileEvents (deprecated)
AADSignInEventsBeta
AADSpnSignInEventsBeta
DeviceAlertEvents (deprecated)
DeviceTvmSoftwareInventoryVulnerabilities (deprecated)