Microsoft Sentinel Documentation Statistics

This page provides comprehensive statistics across all Microsoft Sentinel solutions, connectors, tables, content items, and parsers.

Terminology

| Term | Description |
| --- | --- |
| Published | Available in Microsoft Sentinel Content Hub for installation |
| Unpublished ⚠️ | Present on GitHub but not available in Content Hub |
| Active | Published and not deprecated |
| Deprecated 🚫 | Marked as no longer maintained or replaced by newer solution |
| Discovered 🔍 | Found in solution folders but not listed in Solution JSON definitions |
| In Solutions | Listed in the Solution JSON definition file |
| 📦 Solution | Content that is part of a published Content Hub package |
| 📄 Standalone | GitHub content with metadata but not part of a Solution |
| 🔗 GitHub Only | GitHub content without formal metadata |
| Standalone Reference Tables | Tables in Azure Monitor reference not used by any Sentinel solution |
| Support Tier | Support level: Microsoft, Partner, or Community |

Solutions

Availability

| Metric | Total | Published | Unpublished ⚠️ |
| --- | --- | --- | --- |
| Solutions | 520 | 472 | 48 |
| With Connectors | 334 | 306 | 28 |
| With Content | 414 | 383 | 31 |

Support Ownership

| Support Tier | Total | Published | Unpublished ⚠️ |
| --- | --- | --- | --- |
| Microsoft | 239 | 233 | 6 |
| Partner | 257 | 226 | 31 |
| Community | 11 | 11 | 0 |
| Unknown | 13 | 2 | 11 |
| Total | 520 | 472 | 48 |

Other Metrics

Metric Count
Unique Connectors 443
Tables Used 913

Connectors

Note: The connector count Microsoft reports publicly is the number of active connectors published in solutions, plus 41 connectors (at the time of writing) that are not managed through this GitHub repository — including Logic App connectors and Sentinel data lake-only connectors.

Availability

| Metric | Total | Active | Deprecated 🚫 | Unpublished ⚠️ |
| --- | --- | --- | --- | --- |
| In Solutions | 443 | 380 | 40 | 23 |
| Discovered 🔍 | 154 | 36 | 112 | 6 |
| Total | 597 | 416 | 152 | 29 |

Support Ownership

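| Support Tier | Total | Active | Deprecated 🚫 | Unpublished ⚠️ |
| --- | --- | --- | --- | --- |
| Microsoft | 255 | 155 | 96 | 4 |
| Partner | 321 | 251 | 48 | 22 |
| Community | 18 | 10 | 8 | 0 |
| Unknown | 3 | 0 | 0 | 3 |
| Total | 597 | 416 | 152 | 29 |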

Collection Methods

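| Collection Method | Total | Active | Deprecated 🚫 | Unpublished ⚠️ |
| --- | --- | --- | --- | --- |
| Azure Function | 139 | 103 | 28 | 8 |
| CCF | 134 | 128 | 0 | 6 |
| MMA | 109 | 14 | 89 | 6 |
| AMA | 58 | 25 | 33 | 0 |
| REST Pull API | 57 | 52 | 1 | 4 |
| CCF Push | 34 | 33 | 0 | 1 |
| Native | 25 | 25 | 0 | 0 |
| Azure Diagnostics | 17 | 17 | 0 | 0 |
| CCF (Legacy) | 15 | 12 | 1 | 2 |
| Unknown | 8 | 7 | 0 | 1 |
| Unknown (Custom Log) | 1 | 0 | 0 | 1 |
| Total | 597 | 416 | 152 | 29 |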

Collection Methods by Support Tier

Each cell shows: Active / Deprecated / Unpublished / Total

| Collection Method | Microsoft | Partner | Community | Unknown |
| --- | --- | --- | --- | --- |
| Azure Function | 15 / 22 / 0 / 37 | 87 / 6 / 8 / 101 | 1 / 0 / 0 / 1 | - |
| CCF | 68 / 0 / 2 / 70 | 60 / 0 / 4 / 64 | - | - |
| MMA | 8 / 57 / 1 / 66 | 6 / 27 / 3 / 36 | 0 / 5 / 0 / 5 | 0 / 0 / 2 / 2 |
| AMA | 10 / 16 / 0 / 26 | 11 / 14 / 0 / 25 | 4 / 3 / 0 / 7 | - |
| REST Pull API | 2 / 0 / 1 / 3 | 45 / 1 / 3 / 49 | 5 / 0 / 0 / 5 | - |
| CCF Push | - | 33 / 0 / 1 / 34 | - | - |
| Native | 25 / 0 / 0 / 25 | - | - | - |
| Azure Diagnostics | 17 / 0 / 0 / 17 | - | - | - |
| CCF (Legacy) | 3 / 1 / 0 / 4 | 9 / 0 / 2 / 11 | - | - |
| Unknown | 7 / 0 / 0 / 7 | - | - | 0 / 0 / 1 / 1 |
| Unknown (Custom Log) | - | 0 / 0 / 1 / 1 | - | - |
| Total | 155 / 96 / 4 / 255 | 251 / 48 / 22 / 321 | 10 / 8 / 0 / 18 | 0 / 0 / 3 / 3 |

CCF Capabilities

Metric Count
CCF Connectors (polling) 134
CCF Push Connectors 34
CCF Legacy Connectors 15
Total CCF 183
With config file 163
With capabilities detected 178

Connector Kind (non-default kinds; REST Pull API polling is the default):

Kind Count
REST Pull API Polling (default) 105
Push 34
GCP 16
AmazonWebServicesS3 13
AliCloudSlsV1 2
StorageAccountBlobContainer 2
OCI 2
Oracle 2
PurviewAudit 1
WebSocket 1

Authentication Methods:

Auth Type Count
APIKey 67
OAuth2 24
Basic 12
JwtToken 5
ServicePrincipal 2
(none detected) 68

Request Features:

Feature Count
Paging 85
POST 19
Nested 5
MvExpand 1

Ingestion API

API-based connectors use one of two APIs to send data to the workspace:

| Ingestion API | Total | Active | Deprecated 🚫 | Unpublished ⚠️ |
| --- | --- | --- | --- | --- |
| Log Ingestion API | 76 | 72 | 0 | 4 |
| HTTP Data Collector API | 142 | 104 | 29 | 9 |
| Undetermined | 6 | 6 | 0 | 0 |
| Total | 224 | 182 | 29 | 13 |

By Collection Method:

| Collection Method | Log Ingestion API | HTTP Data Collector API | Undetermined | Total |
| --- | --- | --- | --- | --- |
| Azure Function | 42 | 87 | 6 | 135 |
| REST Pull API | - | 55 | - | 55 |
| CCF Push | 34 | - | - | 34 |
| Total | 76 | 142 | 6 | 224 |

Custom Log V1 (CLv1) 🔶

Connectors that use at least one Custom Log V1 table (identified by type-suffixed columns or _CL suffix with compatible collection method).

Metric Count
CLv1 Connectors 161
Active 121
Deprecated 🚫 29
Unpublished ⚠️ 11

By Collection Method:

Collection Method CLv1 Connectors
Azure Function 73
REST Pull API 48
Azure Diagnostics 14
CCF 14
MMA 5
CCF (Legacy) 4
AMA 2
CCF Push 1
Total 161

By Ingestion API:

Ingestion API CLv1 Connectors
Log Ingestion API 3
HTTP Data Collector API 118
Undetermined 1
(no API) 39
Total 161

Tables

Overview

1938 tables documented across all discovery sources. 1679 tables have schema information.

Discovery Sources

Each table is assigned a single discovery source ("Discovered Via") by priority: Connector > Content > Docs > Schema. Within doc sources, priority is: Azure Monitor > Defender XDR > Sentinel Tables > Feature Support > Ingestion API. The "Total" column shows how many tables have each source regardless of priority, since a table can appear in multiple sources.

| Discovery Source | Discovered Via | Total |
| --- | --- | --- |
| Connector | 913 | 913 |
| Content | 244 | 826 |
| Azure Monitor Tables Reference | 614 | 800 |
| Defender XDR Advanced Hunting Schema | 24 | 63 |
| Sentinel Tables and Connectors Reference | 0 | 0 |
| Azure Monitor Tables Feature Support | 91 | 761 |
| Azure Monitor Logs Ingestion API | 0 | 117 |
| Schema | 52 | 1679 |
| Total | 1938 | |

33 tables are available in Defender XDR but not in Azure Monitor Log Analytics.

Schema Sources

Tables with schema information, by schema source. A single table may have schemas from multiple sources.

Schema Source Tables
Azure Monitor docs 833
DCR 9
KQL validation 727
Connector definition 110
Total unique tables with schema 1679

Custom Log V1 (CLv1) 🔶

466 of 1938 tables are Custom Log V1 tables, identified by type-suffixed columns or _CL suffix with compatible collection method.

By Table Category:

Category CLv1 Tables
Uncategorized 442
Internal 18
GCP 5
Various 1
Total 466

Content

Content Items Summary

| Metric | Total | 📦 In Solution | 📦 Discovered | 📦 Unpublished | 📄 Standalone | 🔗 GitHub Only |
| --- | --- | --- | --- | --- | --- | --- |
| Content Items | 6,518 | 4,665 | 129 | 205 | 439 | 1,285 |

Content Items by Type

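| Type | Total | 📦 In Solution | 📦 Discovered | 📦 Unpublished | 📄 Standalone | 🔗 GitHub Only |
| --- | --- | --- | --- | --- | --- | --- |
| Analytic Rules | 2,178 | 1,976 | 32 | 82 | 158 | 12 |
| Hunting Queries | 2,313 | 1,173 | 13 | 18 | 84 | 1,043 |
| Playbooks | 865 | 597 | 41 | 65 | 190 | 37 |
| Workbooks | 562 | 366 | 9 | 25 | 0 | 187 |
| Parsers* | 526 | 492 | 34 | 15 | 0 | 0 |
| Watchlists | 49 | 43 | 0 | 0 | 0 | 6 |
| Summary Rules | 25 | 18 | 0 | 0 | 7 | 0 |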

* Parsers from solution content. See Parsers section for all parsers including legacy.

Parsers

Category Count
Legacy Parsers 35
Solution Parsers (in Solution JSON) 493
Discovered Parsers 🔍 36
Total Parsers 564
Solutions with Parsers 164

ASIM Parsers

Metric Count
Schemas 13
Source Parser Pairs* 89
Union Parser Pairs* 15
Empty Parsers 0

* Each parser pair consists of an ASim filtering parser and a vim parameter-based parser.

ASIM Products

Metric Count
Products 91
Source Parser Pairs* 89
Schemas Covered 11
Tables Used 76

* Each parser pair consists of an ASim filtering parser and a vim parameter-based parser.

Products per Schema

Schema Products
NetworkSession 32
Authentication 29
WebSession 17
AuditEvent 16
FileEvent 14
Dns 13
ProcessEvent 10
RegistryEvent 7
UserManagement 7
AlertEvent 2
DhcpEvent 2
Total 91

Pre-requisites

Overview

| Metric | Total | Explicit (required) | ASIM (optional) |
| --- | --- | --- | --- |
| Dependency records | 238 | 238 | 0 |
| Solutions with dependencies | 108 | 108 | 0 |
| Unique dependency targets | 41 | 41 | 0 |

Most Depended-Upon Solutions

Solution Depended On By
Common Event Format 47
Syslog 31
CustomLogsAma 14
Microsoft Entra ID 10
Microsoft Defender XDR 10
Microsoft 365 9
PaloAlto-PAN-OS 8
Amazon Web Services 8
CiscoASA 6
Azure Firewall 6
Check Point 6
Windows Server DNS 5
Azure Activity 5
Windows Security Events 5
Windows Forwarded Events 5

Generated by Solutions Analyzer - April 2026