How to generate data in Alert, AlertHistory, AlertEvidence and AlertInfo tables in Log Analytics workspace?

Question

We would like to generate the data in the following tables in Azure Monitor and Security categories described in the docs,

1. https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/alert
2. https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/alerthistory
3. https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/alertevidence
4. https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/alertinfo

From the docs, it seems like the 1st and 2nd tables would receive data when Azure Monitor alert is triggered, but we don't get the data even though the alert is shown on the UI.

For the 3rd and 4th tables, it seems like the data would be generated when the Defender for O365 or Defender for Endpoint creates an alert, but we couldn't find a way to forward the data to Azure Sentinel or Log Analytics workspace.

Can you help when/how the data can be generated in these tables?

Answer 1

Hello,

Are you using LOG alert rules in Azure Monitor (not Sentinel rules) - just checking?

For 3/4 you need to setup the Defender XDR connector in Microsoft Sentinel, look in Content Hub, for that Solution.

Then when you check the [Data Connectors] blade in Sentinel, you will see all sources (that you have/licenced) displayed, inc. the two Tables you mention (bottom of this list)