...

A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.

When you enable logging for an NSG, you can gather the following types of resource log information:

  • Event log: Entries are logged for which NSG rules are applied to virtual machines, based on MAC address.

  • Rule counter log: Contains entries for how many times each NSG rule is applied to allow or deny traffic. The status for these rules is collected every 300 seconds.

Note: Resource logging is enabled separately for each NSG from which diagnostic data is to be collected.

Azure NSG Group Event: AzureNetworkSecurityGroupEvent

The event log contains information about which NSG rules are applied to virtual machines, based on MAC address, and the following information is logged for each event.

...

Log Structure

Sample of NetworkSecurityGroupEvents from API (in JSON format):
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"3c17ed1c-6996-4e21-9d0f-8785b9245551",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/EFAF3341-8916-416E-8D3C-37AB9DC5D4F7/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupEvent",
"TEST",
"efaf3341-8916-416e-8d3c-37ab9dc5d4f7",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupEvents",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"6de438b4-8f8f-4541-9417-49580902a016",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"e30d725c-10d8-4b65-862f-11fb5a93f148",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"0-65535",
65000,
"0-65535",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"768e99d0-9862-4c29-acce-5db965680101",
"/subscriptions/efaf3341-8916-416e-8d3c-37ab9dc5d4f7/resourcegroups/test/providers/microsoft.network/networksecuritygroups/NSG-1",
"2023-06-20T00:52:37.530055Z",
"768e99d0-9862-4c29-acce-5db965680101"
]
]
}
]
}

Table Fields

Field: Description

TABLE: AzureNetworkSecurityGroupEvent, a value derived from Azure + CATEGORY's value.

SYSTEM: Will base its value on the PRIMARYIPV4ADDRESS field if not empty; otherwise, it will use the domain value defined in the configuration.

DATE: Based on the date value extracted from CreatedDateTime.

TIME: Based on the time value extracted from CreatedDateTime.

DATETIME: Based on the datetime value extracted from CreatedDateTime, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME: Snare Central's local date and time of the log collection from the API, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ADDITIONALFIELDS: Based on AdditionalFields. If the total number of columns is at or above 500, the excess data is added to a dynamic property bag column called AdditionalFields, and this field contains that data.

ACTIONTYPE: Based on type_s, this field indicates the action taken, either allow or deny, as specified in the rule.

CATEGORY: Based on Category, this field indicates the log category of the event; NetworkSecurityGroupEvent is the fixed value for this log type.

CONDITIONSDESTINATIONIP: Based on conditions_destinationIP_s, this field indicates the destination IP address ranges, as specified in the rule.

CONDITIONSDESTINATIONPORTRANGE: Based on conditions_destinationPortRange_s, this field indicates the destination port ranges, as specified in the rule.

CONDITIONSSOURCEIP: Based on conditions_sourceIP_s, this field indicates the source IP addresses/CIDR ranges, as specified in the rule.

CONDITIONSSOURCEPORTRANGE: Based on conditions_sourcePortRange_s, this field indicates the source port ranges, as specified in the rule.

CONDITIONSPROTOCOLS: Based on conditions_protocols_s, this field indicates the protocol, as specified in the rule.

DIRECTION: Based on direction_s, this field indicates the request direction, either In or Out, as specified in the rule.

INGESTIONTIME: Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID: Based on LogId, this field indicates a unique identifier for the record or log.

MACADDRESS: Based on macAddress_s, this field indicates the MAC address of the VM associated with the NSG resource.

OPERATIONNAME: Based on OperationName, this field indicates the name of the operation that this event represents; NetworkSecurityGroupEvents is the fixed value for this log type.

PRIMARYIPV4ADDRESS: Based on primaryIPv4Address_s, this field indicates the private IP address of the VM associated with the NSG resource.

PRIORITY: Based on priority_d, this field indicates the priority of the rule, as set and configured on the NSG resource.

RESOURCE: Based on Resource, this field indicates the name of the impacted resource. If Resource is empty, the value from Properties.resource is used instead.

RESOURCEGROUP: Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID: Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER: Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type.

RESOURCETYPE: Based on ResourceType, this field indicates the type of the impacted resource; NETWORKSECURITYGROUPS is the fixed value for all Azure NSG logs.

RULENAME: Based on ruleName_s, this field indicates the name of the rule, as set and configured on the NSG resource.

SOURCESYSTEM: Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.

SUBNETPREFIX: Based on subnetPrefix_s, this field indicates the subnet of the VM associated with the NSG resource.

SUBSCRIPTIONID: Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

SYSTEMID: Based on systemId_g, this field indicates the system ID of the network security group.

TENANTID: Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED: Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.

TYPE: Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type.

VNETRESOURCEGUID: Based on vnetResourceGuid_g, this field indicates the virtual network ID of the VM associated with the NSG resource.

WORKSPACEID: A value derived from TenantId if not empty; otherwise, it will use the configured value for the Workspace ID.

SNAREDATAMAP: All unclassified fields parsed from this log type will be pushed into the SNAREDATAMAP in key=value format, separated by newlines.
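The mapping above is easiest to check against real data when the API response is turned back into records and the derived fields are computed from them. The following is an added example, not Snare Central's own code: it zips the API's "columns"/"rows" layout into dictionaries (rejecting rows whose length does not match the column list), then derives TABLE, SYSTEM, WORKSPACEID, DATE/TIME/DATETIME, COLLECTIONDATETIME and SNAREDATAMAP as the table describes. The sample response, the config keys "domain" and "workspace_id", and the choice of TimeGenerated as the timestamp source (the sample has no CreatedDateTime column) are all assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape the Log Analytics query API returns
# ("tables" -> "columns" + "rows"). Only a handful of the 122 columns from the
# page's sample are included; the second row is constructed to exercise the
# fallbacks (empty primaryIPv4Address_s and empty TenantId).
SAMPLE_API_RESPONSE = json.dumps({
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TenantId", "type": "string"},
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "Category", "type": "string"},
            {"name": "ResourceGroup", "type": "string"},
            {"name": "Resource", "type": "string"},
            {"name": "OperationName", "type": "string"},
            {"name": "Level", "type": "string"},
            {"name": "ruleName_s", "type": "string"},
            {"name": "type_s", "type": "string"},
            {"name": "direction_s", "type": "string"},
            {"name": "primaryIPv4Address_s", "type": "string"},
            {"name": "priority_d", "type": "real"},
            {"name": "conditions_destinationPortRange_s", "type": "string"},
        ],
        "rows": [
            ["3c17ed1c-6996-4e21-9d0f-8785b9245551", "2023-06-20T00:47:14.399Z",
             "NetworkSecurityGroupEvent", "TEST", "NSG-1", "NetworkSecurityGroupEvents",
             "", "DefaultRule_AllowVnetOutBound", "allow", "Out", "1.2.3.4", 65000, "0-65535"],
            ["", "2023-06-20T00:47:14.399Z",
             "NetworkSecurityGroupEvent", "TEST", "NSG-1", "NetworkSecurityGroupEvents",
             "Informational", "DenyAllInBound", "deny", "In", "", 65500, "*"],
        ],
    }]
})

# API column -> Snare field, taken from the Table Fields list above. Any column
# not listed here is "unclassified" and lands in SNAREDATAMAP.
CLASSIFIED = {
    "type_s": "ACTIONTYPE", "Category": "CATEGORY",
    "conditions_destinationIP_s": "CONDITIONSDESTINATIONIP",
    "conditions_destinationPortRange_s": "CONDITIONSDESTINATIONPORTRANGE",
    "conditions_sourceIP_s": "CONDITIONSSOURCEIP",
    "conditions_sourcePortRange_s": "CONDITIONSSOURCEPORTRANGE",
    "conditions_protocols_s": "CONDITIONSPROTOCOLS",
    "direction_s": "DIRECTION", "IngestionTime": "INGESTIONTIME", "LogId": "LOGID",
    "macAddress_s": "MACADDRESS", "OperationName": "OPERATIONNAME",
    "primaryIPv4Address_s": "PRIMARYIPV4ADDRESS", "priority_d": "PRIORITY",
    "Resource": "RESOURCE", "ResourceGroup": "RESOURCEGROUP", "ResourceId": "RESOURCEID",
    "ResourceProvider": "RESOURCEPROVIDER", "ResourceType": "RESOURCETYPE",
    "ruleName_s": "RULENAME", "SourceSystem": "SOURCESYSTEM",
    "subnetPrefix_s": "SUBNETPREFIX", "SubscriptionId": "SUBSCRIPTIONID",
    "systemId_g": "SYSTEMID", "TenantId": "TENANTID", "TimeGenerated": "TIMEGENERATED",
    "Type": "TYPE", "vnetResourceGuid_g": "VNETRESOURCEGUID",
    "AdditionalFields": "ADDITIONALFIELDS",
}


def rows_as_dicts(api_json):
    """Zip every row with its table's column names.

    A row whose length differs from the column count is rejected instead of
    silently misaligned: a shifted row would put, for example, the action
    value into the direction field."""
    records = []
    for table in json.loads(api_json)["tables"]:
        names = [col["name"] for col in table["columns"]]
        for row in table["rows"]:
            if len(row) != len(names):
                raise ValueError(f"row has {len(row)} values but {len(names)} columns")
            records.append(dict(zip(names, row)))
    return records


def to_rfc3339nano(value):
    """Format a datetime (or an ISO-8601 'Z' string) as RFC3339Nano, e.g.
    2023-06-20T00:47:14.399000000Z. Python carries microseconds only, so the
    last three nanosecond digits are zero-padded."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    value = value.astimezone(timezone.utc)
    return value.strftime("%Y-%m-%dT%H:%M:%S.") + f"{value.microsecond:06d}000Z"


def map_event(record, config, collected_at):
    """Derive the Snare fields for one event row.

    config holds the hypothetical Snare Central settings the page refers to:
    "domain" (fallback for SYSTEM) and "workspace_id" (fallback for WORKSPACEID).
    DATE/TIME/DATETIME come from TimeGenerated here (assumption: the sample
    response has no CreatedDateTime column)."""
    datetime_str = to_rfc3339nano(record["TimeGenerated"])
    snare = {
        "TABLE": "Azure" + record["Category"],
        "SYSTEM": record.get("primaryIPv4Address_s") or config["domain"],
        "WORKSPACEID": record.get("TenantId") or config["workspace_id"],
        "DATETIME": datetime_str,
        "DATE": datetime_str[:10],
        "TIME": datetime_str[11:19],
        "COLLECTIONDATETIME": to_rfc3339nano(collected_at),
    }
    for column, value in record.items():
        if column in CLASSIFIED:
            snare[CLASSIFIED[column]] = value
    # Unclassified, non-empty columns go to SNAREDATAMAP as key=value lines.
    snare["SNAREDATAMAP"] = "\n".join(
        f"{col}={val}" for col, val in record.items()
        if col not in CLASSIFIED and val not in ("", None))
    return snare


if __name__ == "__main__":
    cfg = {"domain": "snare.example.invalid", "workspace_id": "WORKSPACE-ID-PLACEHOLDER"}
    for rec in rows_as_dicts(SAMPLE_API_RESPONSE):
        print(json.dumps(map_event(rec, cfg, datetime.now(timezone.utc)), indent=2))
```

The length check in rows_as_dicts is the one worth keeping in any real collector: the API sample on this page has 122 columns and 122 values per row, and a single missing value would shift every field after it without any parse error.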

Azure NSG Group Rule Counter: AzureNetworkSecurityGroupRuleCounter

The rule counter log contains information about each rule applied to resources. The following data is logged each time a rule is applied.

The status for these rules is collected every 300 seconds.

Log Structure

Sample of NetworkSecurityGroupRuleCounter from API (in JSON format):
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"a4888c77-0dc5-4d98-863f-0f96c7ede660",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupRuleCounter",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupCounters",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"97d097c1-23a4-4c56-8a06-88f0178851fc",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"964f299a-1ed9-463c-bcc5-d6849b28cac5",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"",
null,
"",
"",
"",
"",
"",
0,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"a611ada7-9691-4920-b162-090aaa499d7b",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/networksecuritygroups/snaretestvm1-nsg",
"2023-06-20T00:51:40.6057254Z",
"a611ada7-9691-4920-b162-090aaa499d7b"
]
]
}
]
}

Table Fields

Field: Description

TABLE: AzureNetworkSecurityGroupCounters, a value derived from Azure + CATEGORY's value.

SYSTEM: Will base its value on the PRIMARYIPV4ADDRESS field if not empty; otherwise, it will use the domain value defined in the configuration.

DATE: Based on the date value extracted from CreatedDateTime.

TIME: Based on the time value extracted from CreatedDateTime.

DATETIME: Based on the datetime value extracted from CreatedDateTime, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME: Snare Central's local date and time of the log collection from the API, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ADDITIONALFIELDS: Based on AdditionalFields. If the total number of columns is at or above 500, the excess data is added to a dynamic property bag column called AdditionalFields, and this field contains that data.

ACTIONTYPE: Based on type_s, this field indicates the action taken, either allow or deny, as specified in the rule.

CATEGORY: Based on Category, this field indicates the log category of the event; NetworkSecurityGroupRuleCounter is the fixed value for this log type.

DIRECTION: Based on direction_s, this field indicates the request direction, either In or Out, as specified in the rule.

INGESTIONTIME: Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID: Based on LogId, this field indicates a unique identifier for the record or log.

MACADDRESS: Based on macAddress_s, this field indicates the MAC address of the VM associated with the NSG resource.

MATCHEDCONNECTIONS: Based on matchedConnections_d. There is no description for this field in the external documentation.

OPERATIONNAME: Based on OperationName, this field indicates the name of the operation that this event represents; NetworkSecurityGroupCounters is the fixed value for this log type.

PRIMARYIPV4ADDRESS: Based on primaryIPv4Address_s, this field indicates the private IP address of the VM associated with the NSG resource.

RESOURCE: Based on Resource, this field indicates the name of the impacted resource. If Resource is empty, the value from Properties.resource is used instead.

RESOURCEGROUP: Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID: Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER: Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type.

RESOURCETYPE: Based on ResourceType, this field indicates the type of the impacted resource; NETWORKSECURITYGROUPS is the fixed value for all Azure NSG logs.

RULENAME: Based on ruleName_s, this field indicates the name of the rule, as set and configured on the NSG resource.

SOURCESYSTEM: Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.

SUBNETPREFIX: Based on subnetPrefix_s, this field indicates the subnet of the VM associated with the NSG resource.

SUBSCRIPTIONID: Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

SYSTEMID: Based on systemId_g, this field indicates the system ID of the network security group.

TENANTID: Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED: Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.

TYPE: Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type.

VNETRESOURCEGUID: Based on vnetResourceGuid_g, this field indicates the virtual network ID of the VM associated with the NSG resource.

WORKSPACEID: A value derived from TenantId if not empty; otherwise, it will use the configured value for the Workspace ID.

SNAREDATAMAP: All unclassified fields parsed from this log type will be pushed into the SNAREDATAMAP in key=value format, separated by newlines.
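Because the rule counter is collected on a fixed 300-second cadence, the records lend themselves to two simple checks once they are in Snare: a deny rule whose matched-connection figure jumps in one interval, and a gap in the collection cadence that would leave a blind spot. The code below is an added example, not part of Snare Central or the page; the rows are constructed from the fields this page documents, the 100-connection threshold is arbitrary, and it assumes (the page notes the field is undocumented) that matchedConnections_d is the per-interval count of connections the rule was applied to.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed rule-counter records, already zipped into dicts. Only the fields
# this check uses are present. The 01:12 sample for DenyAllInBound is 15
# minutes after the previous one, i.e. two 300-second collections are missing.
COUNTER_ROWS = [
    {"TimeGenerated": "2023-06-20T00:47:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DenyAllInBound", "type_s": "deny", "direction_s": "In",
     "matchedConnections_d": 0},
    {"TimeGenerated": "2023-06-20T00:47:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DefaultRule_AllowVnetOutBound", "type_s": "allow",
     "direction_s": "Out", "matchedConnections_d": 12},
    {"TimeGenerated": "2023-06-20T00:52:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DenyAllInBound", "type_s": "deny", "direction_s": "In",
     "matchedConnections_d": 4},
    {"TimeGenerated": "2023-06-20T00:52:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DefaultRule_AllowVnetOutBound", "type_s": "allow",
     "direction_s": "Out", "matchedConnections_d": 15},
    {"TimeGenerated": "2023-06-20T00:57:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DenyAllInBound", "type_s": "deny", "direction_s": "In",
     "matchedConnections_d": 250},
    {"TimeGenerated": "2023-06-20T00:57:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DefaultRule_AllowVnetOutBound", "type_s": "allow",
     "direction_s": "Out", "matchedConnections_d": 14},
    {"TimeGenerated": "2023-06-20T01:12:14.399Z", "Resource": "NSG-1",
     "ruleName_s": "DenyAllInBound", "type_s": "deny", "direction_s": "In",
     "matchedConnections_d": 3},
]


def parse_ts(ts):
    """Parse the API's ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def series_by_rule(rows):
    """Group samples per (resource, rule, direction, action), sorted by time.
    A null matchedConnections_d (the API emits null for missing reals) counts as 0."""
    series = defaultdict(list)
    for row in rows:
        key = (row["Resource"], row["ruleName_s"], row["direction_s"], row["type_s"])
        series[key].append((parse_ts(row["TimeGenerated"]),
                            int(row["matchedConnections_d"] or 0)))
    for key in series:
        series[key].sort()
    return series


def review_counters(rows, deny_threshold=100, interval_s=300):
    """Return findings: a 'deny_spike' when a deny rule's count in one sample
    reaches deny_threshold, and a 'collection_gap' when consecutive samples
    of the same rule are more than two collection intervals apart."""
    findings = []
    for (resource, rule, direction, action), points in series_by_rule(rows).items():
        prev_ts = None
        for ts, count in points:
            if prev_ts is not None:
                gap = (ts - prev_ts).total_seconds()
                if gap > 2 * interval_s:
                    findings.append({"kind": "collection_gap", "resource": resource,
                                     "rule": rule, "seconds": gap, "at": ts})
            if action == "deny" and count >= deny_threshold:
                findings.append({"kind": "deny_spike", "resource": resource,
                                 "rule": rule, "direction": direction,
                                 "count": count, "at": ts})
            prev_ts = ts
    return findings


if __name__ == "__main__":
    for finding in review_counters(COUNTER_ROWS):
        print(finding)
```

The gap check is the less obvious of the two and the one that matters for audit coverage: a rule that simply stops appearing in the counter log produces no event at all, so the absence has to be inferred from the expected 300-second spacing rather than from any record's content.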

Notes

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log

...