Versions Compared

Old Version 2

changes.mady.by.user Marlon Morales

Saved on

compared with

New Version 3

changes.mady.by.user Marlon Morales

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.
When you enable logging for an NSG, you can gather the following types of resource log information:

  • Event: Entries are logged for which NSG rules are applied to virtual machines, based on MAC address.

  • Rule counter: Contains entries for how many times each NSG rule is applied to allow or deny traffic. The status for these rules is collected every 300 seconds.

Resource logging is enabled separately for each NSG for which to collect diagnostic data.

Azure NSG Group Event: AzureNetworkSecurityGroupEvent

The event log contains information about which NSG rules are applied to virtual machines, based on MAC address. The following data is logged for each event.

Log Structure

Expand
titleSample NetworkSecurityGroupEvents from API
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"3c17ed1c-6996-4e21-9d0f-8785b9245551",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/EFAF3341-8916-416E-8D3C-37AB9DC5D4F7/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupEvent",
"TEST",
"efaf3341-8916-416e-8d3c-37ab9dc5d4f7",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupEvents",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"6de438b4-8f8f-4541-9417-49580902a016",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"e30d725c-10d8-4b65-862f-11fb5a93f148",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"0-65535",
65000,
"0-65535",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"768e99d0-9862-4c29-acce-5db965680101",
"/subscriptions/efaf3341-8916-416e-8d3c-37ab9dc5d4f7/resourcegroups/test/providers/microsoft.network/networksecuritygroups/NSG-1",
"2023-06-20T00:52:37.530055Z",
"768e99d0-9862-4c29-acce-5db965680101"
]
]
}
]
}

Table Fields

Field

Description

TABLE

AzureActivity AzureNetworkSecurityGroupEvent was a value derived from TYPE + OPERATIONNAME.

SYSTEM

Depends on CALLERIPADDRESS PRIMARYIPV4ADDRESS field if not empty, else will depend on configured domain value.

DATE

Extracted date value from CREATEDDATETIME.

TIME

Extracted time value from CREATEDDATETIME.

DATETIME

Extracted datetime value from CREATEDDATETIME and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

The datetime value when the log was collected from the API and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ADDITIONALFIELDS

If the total number of columns is at or above 500, the excess data is added to a dynamic property bag column called AdditionalFields as a property.

ACTIONTYPE

Action done, either allow or deny, as specified in the rule.

CATEGORY

NetworkSecurityGroupEvent is the fix value for this log type.

CONDITIONSDESTINATIONIP

The value of Destination IP addresses ranges, as specified in the rule.

CONDITIONSDESTINATIONPORTRANGE

The value of Destination port ranges, as specified in the rule.

CONDITIONSSOURCEIP

The value of Source IP addresses/CIDR ranges, as specified in the rule.

CONDITIONSSOURCEPORTRANGE

The value of Source port ranges, as specified in the rule.

CONDITIONSPROTOCOLS

The value of Protocol, as specified in the rule.

DIRECTION

Possible values: In or Out, as specified in the rule.

INGESTIONTIME

A datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

A unique identifier for the record or log.

MACADDRESS

MAC address of the VM associated with the NSG resource.

OPERATIONNAME

NetworkSecurityGroupEvents is the fix value for this log type.

PRIMARYIPV4ADDRESS

Private IP address of the VM associated with the NSG resource.

PRIORITY

Priority of the rule set and configured on the NSG resource.

RESOURCE

If empty, will use the value from Properties.resource as its value.

RESOURCEGROUP

Resource group name of the impacted resource.

RESOURCEID

A unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Id of the resource provider for the impacted resource, for this log type it will be MICROSOFT.NETWORK

RESOURCETYPE

NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs.

RULENAME

Rule name set and configured on the NSG resource.

SOURCESYSTEM

Azure is the fix value for all log types under AzureDiagnostics table.

SUBNETPREFIX

Subnet of the VM associated with the NSG resource.

SUBSCRIPTIONID

Subscription ID of the impacted resource.

SYSTEMID

System ID of the network security group.

TENANTID

The Log Analytics workspace ID.

TIMEGENERATED

Timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

AzureDiagnostics is the fix value for this log type.

VNETRESOURCEGUID

Virtual network ID of the VM associated with the NSG resource.

WORKSPACEID

Derived from TenantId if not empty, else will depend configured value for the Workspace ID.

SNAREDATAMAP

All unclassified field/s in the log will be pushed into the SNAREDATAMAP using key=value format and separated by newline.

Azure NSG Group Rule Counter: AzureNetworkSecurityGroupRuleCounter

The rule counter log contains information about each rule applied to resources. The following example data is logged each time a rule is applied.

Log Structure

Expand
titleSample NetworkSecurityGroupRuleCounter from API
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"a4888c77-0dc5-4d98-863f-0f96c7ede660",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupRuleCounter",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupCounters",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"97d097c1-23a4-4c56-8a06-88f0178851fc",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"964f299a-1ed9-463c-bcc5-d6849b28cac5",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"",
null,
"",
"",
"",
"",
"",
0,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"a611ada7-9691-4920-b162-090aaa499d7b",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/networksecuritygroups/snaretestvm1-nsg",
"2023-06-20T00:51:40.6057254Z",
"a611ada7-9691-4920-b162-090aaa499d7b"
]
]
}
]
}

Table Fields

Field

Description

TABLE

AzureActivity AzureNetworkSecurityGroupCounters was a value derived from TYPE + OPERATIONNAME.

SYSTEM

Depends on CALLERIPADDRESS PRIMARYIPV4ADDRESS field if not empty, else will depend on configured domain value.

DATE

Extracted date value from CREATEDDATETIME.

TIME

Extracted time value from CREATEDDATETIME.

DATETIME

Extracted datetime value from CREATEDDATETIME and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

The datetime value when the log was collected from the API and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ADDITIONALFIELDS

If the total number of columns is at or above 500, the excess data is added to a dynamic property bag column called AdditionalFields as a property.

ACTIONTYPE

Action done, either allow or deny, as specified in the rule.

CATEGORY

NetworkSecurityGroupRuleCounter is the fix value for this log type.

DIRECTION

Possible values: In or Out, as specified in the rule.

INGESTIONTIME

A datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

A unique identifier for the record or log.

MACADDRESS

MAC address of the VM associated with the NSG resource.

MATCHEDCONNECTIONS

No description in the external documentation.

OPERATIONNAME

NetworkSecurityGroupCounters is the fix value for this log type.

PRIMARYIPV4ADDRESS

Private IP address of the VM associated with the NSG resource.

RESOURCE

If empty, will use the value from Properties.resource as its value.

RESOURCEGROUP

Resource group name of the impacted resource.

RESOURCEID

A unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Id of the resource provider for the impacted resource, for this log type it will be MICROSOFT.NETWORK

RESOURCETYPE

NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs.

RULENAME

Rule name set and configured on the NSG resource.

SOURCESYSTEM

Azure is the fix value for all log types under AzureDiagnostics table.

SUBNETPREFIX

Subnet of the VM associated with the NSG resource.

SUBSCRIPTIONID

Subscription ID of the impacted resource.

SYSTEMID

System ID of the network security group.

TENANTID

The Log Analytics workspace ID.

TIMEGENERATED

Timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

AzureDiagnostics is the fix value for this log type.

VNETRESOURCEGUID

Virtual network ID of the VM associated with the NSG resource.

WORKSPACEID

Derived from TenantId if not empty, else will depend configured value for the Workspace ID.

SNAREDATAMAP

All unclassified field/s in the log will be pushed into the SNAREDATAMAP using key=value format and separated by newline.

Notes

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics