Versions Compared

Old Version 2

changes.mady.by.user Marlon Morales

Saved on

compared with

New Version Current

changes.mady.by.user Marlon Morales

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.

When you enable logging for an NSG, you can gather the following types of resource log:

  • Event log: Entries are logged for which NSG rules are applied to virtual machines, based on MAC address.

  • Rule counter log: Contains entries for how many times each NSG rule is applied to allow or deny traffic.

Info

Note: Resource logging is enabled separately for each NSG for which to collect the diagnostic data.

Anchor
nsg-event
nsg-event
Azure NSG Group Event: AzureNetworkSecurityGroupEvent

The event log contains information about which NSG rules are applied to virtual machines, based on MAC address and the following information is logged for each event.

Log Structure

Expand
titleSample of NetworkSecurityGroupEvents from API (in JSON format)
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"3c17ed1c-6996-4e21-9d0f-8785b9245551",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/EFAF3341-8916-416E-8D3C-37AB9DC5D4F7/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupEvent",
"TEST",
"efaf3341-8916-416e-8d3c-37ab9dc5d4f7",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupEvents",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"6de438b4-8f8f-4541-9417-49580902a016",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"e30d725c-10d8-4b65-862f-11fb5a93f148",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"0-65535",
65000,
"0-65535",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"768e99d0-9862-4c29-acce-5db965680101",
"/subscriptions/efaf3341-8916-416e-8d3c-37ab9dc5d4f7/resourcegroups/test/providers/microsoft.network/networksecuritygroups/NSG-1",
"2023-06-20T00:52:37.530055Z",
"768e99d0-9862-4c29-acce-5db965680101"
]
]
}
]
}

Table Fields

Field

Description

TABLE

AzureActivity was

AzureNetworkSecurityGroupEvent is a value derived from

TYPE

Azure + CATEGORY’s value.

SYSTEM

Depends on CALLERIPADDRESS field

Will base its value on PRIMARYIPV4ADDRESS if not empty; otherwise,

else will depend on configured

it will use the domain value defined in the configuration.

DATE

Extracted

Based on the extracted date value from

CREATEDDATETIME

CreatedDateTime.

TIME

Extracted

Based on the extracted time value from

CREATEDDATETIME

CreatedDateTime.

DATETIME

Extracted

Based on the extracted datetime value from 

CREATEDDATETIME

CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

The datetime value when

Snare Central’s local date and time of the log

was collected

collection from the API

and

, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ADDITIONALFIELDS

Based on AdditionalFields, this field contains the data is added to a dynamic property bag column.

ACTIONTYPE

Based on type_s, this field indicates the action done, either allow or deny, as specified in the rule.

CATEGORY

Based on Category, this field indicates the log category of the event, NetworkSecurityGroupEvent is the fix value for this log type.

CONDITIONSDESTINATIONIP

Based on conditions_destinationIP_s, this field indicates the value of destination IP addresses ranges, as specified in the rule.

CONDITIONSDESTINATIONPORTRANGE

Based on conditions_destinationPortRange_s, this field indicates the value of destination port ranges, as specified in the rule.

CONDITIONSSOURCEIP

Based on conditions_sourceIP_s, this field indicates the value of source IP addresses/CIDR ranges, as specified in the rule.

CONDITIONSSOURCEPORTRANGE

Based on conditions_sourcePortRange_s, this field indicates the value of source port ranges, as specified in the rule.

CONDITIONSPROTOCOLS

Based on conditions_protocols_s, this field indicates the value of protocol, as specified in the rule.

DIRECTION

Based on direction_s, this field indicates the request direction either In or Out, as specified in the rule.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

MACADDRESS

Based on macAddress_s, this field indicates the MAC address of the VM associated with the NSG resource.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents, NetworkSecurityGroupEvents is the fix value for this log type.

PRIMARYIPV4ADDRESS

Based on primaryIPv4Address_s, this field indicates the private IP address of the VM associated with the NSG resource.

PRIORITY

Based on priority_d, this field indicates the priority of the rule set and configured on the NSG resource.

RESOURCE

Based on Resource, this field indicates the name of the impacted resource.
If Resource is empty, will use the value from Properties.resource as its value.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs.

RULENAME

Based on ruleName_s, this field indicates the rule name set and configured on the NSG resource.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBNETPREFIX

Based on subnetPrefix_s, this field indicates the subnet of the VM associated with the NSG resource.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

SYSTEMID

Based on systemId_g, this field indicates the system ID of the network security group.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

VNETRESOURCEGUID

Based on vnetResourceGuid_g, this field indicates the virtual network ID of the VM associated with the NSG resource.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

Anchor
nsg-ctr
nsg-ctr
Azure NSG Group Rule Counter: AzureNetworkSecurityGroupRuleCounter

The rule counter log contains information about each rule applied to resources.

The status for these rules is collected every 300 seconds.

Log Structure

Expand
titleSample of NetworkSecurityGroupRuleCounter from API (in JSON format)
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"a4888c77-0dc5-4d98-863f-0f96c7ede660",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupRuleCounter",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupCounters",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"97d097c1-23a4-4c56-8a06-88f0178851fc",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"964f299a-1ed9-463c-bcc5-d6849b28cac5",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"",
null,
"",
"",
"",
"",
"",
0,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"a611ada7-9691-4920-b162-090aaa499d7b",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/networksecuritygroups/snaretestvm1-nsg",
"2023-06-20T00:51:40.6057254Z",
"a611ada7-9691-4920-b162-090aaa499d7b"
]
]
}
]
}

Table Fields

Field

Description

TABLE

AzureActivity was

AzureNetworkSecurityGroupCounters is a value derived from

TYPE

Azure + CATEGORY’s value.

SYSTEM

Depends on CALLERIPADDRESS field

Will base its value on PRIMARYIPV4ADDRESS if not empty; otherwise,

else will depend on configured

it will use the domain value defined in the configuration.

DATE

Extracted

Based on the extracted date value from

CREATEDDATETIME

CreatedDateTime.

TIME

Extracted

Based on the extracted time value from

CREATEDDATETIME

CreatedDateTime.

DATETIME

Extracted

Based on the extracted datetime value from 

CREATEDDATETIME

CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

The datetime value when

Snare Central’s local date and time of the log

was collected

collection from the API

and

, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ADDITIONALFIELDS

Based on AdditionalFields, this field contains the data is added to a dynamic property bag column.

ACTIONTYPE

Based on type_s, this field indicates the action done, either allow or deny, as specified in the rule.

CATEGORY

Based on Category, this field indicates the log category of the event, NetworkSecurityGroupRuleCounter is the fix value for this log type.

DIRECTION

Based on direction_s, this field indicates the request direction either In or Out, as specified in the rule.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

MACADDRESS

Based on macAddress_s, this field indicates the MAC address of the VM associated with the NSG resource.

MATCHEDCONNECTIONS

Based on matchedConnections_d, there’s no available documentation for this field.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents, NetworkSecurityGroupCounters is the fix value for this log type.

PRIMARYIPV4ADDRESS

Based on primaryIPv4Address_s, this field indicates the private IP address of the VM associated with the NSG resource.

RESOURCE

Based on Resource, this field indicates the name of the impacted resource.
If Resource is empty, will use the value from Properties.resource as its value.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs.

RULENAME

Based on ruleName_s, this field indicates the rule name set and configured on the NSG resource.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBNETPREFIX

Based on subnetPrefix_s, this field indicates the subnet of the VM associated with the NSG resource.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

SYSTEMID

Based on systemId_g, this field indicates the system ID of the network security group.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

VNETRESOURCEGUID

Based on vnetResourceGuid_g, this field indicates the virtual network ID of the VM associated with the NSG resource.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

Notes

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics