...
Field | Description |
---|---|
TABLE | AzureNetworkSecurityGroupEvent is a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on PRIMARYIPV4ADDRESS if it is not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time when the log was collected from the API, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
ADDITIONALFIELDS | Based on AdditionalFields, where this field contains the data added to a dynamic property bag column. |
ACTIONTYPE | Based on type_s, where this field indicates the action done, either allow or deny, as specified in the rule. |
CATEGORY | Based on Category, where this field indicates the log category of the event; NetworkSecurityGroupEvent is the fixed value for this log type. |
CONDITIONSDESTINATIONIP | Based on conditions_destinationIP_s, where this field indicates the value of destination IP address ranges, as specified in the rule. |
CONDITIONSDESTINATIONPORTRANGE | Based on conditions_destinationPortRange_s, where this field indicates the value of destination port ranges, as specified in the rule. |
CONDITIONSSOURCEIP | Based on conditions_sourceIP_s, where this field indicates the value of source IP addresses/CIDR ranges, as specified in the rule. |
CONDITIONSSOURCEPORTRANGE | Based on conditions_sourcePortRange_s, where this field indicates the value of source port ranges, as specified in the rule. |
CONDITIONSPROTOCOLS | Based on conditions_protocols_s, where this field indicates the value of protocol, as specified in the rule. |
DIRECTION | Based on direction_s, where this field indicates the request direction, either In or Out, as specified in the rule. |
INGESTIONTIME | Based on IngestionTime, where this field indicates the datetime value specifying the approximate time of ingestion into an Azure table. |
LOGID | Based on LogId, where this field indicates a unique identifier for the record or log. |
MACADDRESS | Based on macAddress_s, where this field indicates the MAC address of the VM associated with the NSG resource. |
OPERATIONNAME | Based on OperationName, where this field indicates the name of the operation that this event represents; NetworkSecurityGroupEvents is the fixed value for this log type. |
PRIMARYIPV4ADDRESS | Based on primaryIPv4Address_s, where this field indicates the private IP address of the VM associated with the NSG resource. |
PRIORITY | Based on priority_d, where this field indicates the priority of the rule, as set and configured on the NSG resource. |
RESOURCE | Based on Resource, where this field indicates the name of the impacted resource. |
RESOURCEGROUP | Based on ResourceGroup, where this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, where this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, where this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type. |
RESOURCETYPE | Based on ResourceType, where this field indicates the type of the impacted resource; NETWORKSECURITYGROUPS is the fixed value for all Azure NSG logs. |
RULENAME | Based on ruleName_s, where this field indicates the name of the rule, as set and configured on the NSG resource. |
SOURCESYSTEM | Based on SourceSystem, where this field contains Azure as the fixed value for all log types under the AzureDiagnostics table. |
SUBNETPREFIX | Based on subnetPrefix_s, where this field indicates the subnet of the VM associated with the NSG resource. |
SUBSCRIPTIONID | Based on SubscriptionId, where this field indicates the subscription ID of the impacted resource. |
SYSTEMID | Based on systemId_g, where this field indicates the system ID of the network security group. |
TENANTID | Based on TenantId, where this field indicates the Log Analytics workspace ID. |
TIMEGENERATED | Based on TimeGenerated, where this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
TYPE | Based on Type, where this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type. |
VNETRESOURCEGUID | Based on vnetResourceGuid_g, where this field indicates the virtual network ID of the VM associated with the NSG resource. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
...
Field | Description |
---|---|
TABLE | AzureNetworkSecurityGroupCounters is a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on PRIMARYIPV4ADDRESS if it is not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time when the log was collected from the API, formatted using the RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
ADDITIONALFIELDS | Based on AdditionalFields, where this field contains the data added to a dynamic property bag column. |
ACTIONTYPE | Based on type_s, where this field indicates the action done, either allow or deny, as specified in the rule. |
CATEGORY | Based on Category, where this field indicates the log category of the event; NetworkSecurityGroupRuleCounter is the fixed value for this log type. |
DIRECTION | Based on direction_s, where this field indicates the request direction, either In or Out, as specified in the rule. |
INGESTIONTIME | Based on IngestionTime, where this field indicates the datetime value specifying the approximate time of ingestion into an Azure table. |
LOGID | Based on LogId, where this field indicates a unique identifier for the record or log. |
MACADDRESS | Based on macAddress_s, where this field indicates the MAC address of the VM associated with the NSG resource. |
MATCHEDCONNECTIONS | Based on matchedConnections_d, there’s no available documentation for this field. |
OPERATIONNAME | Based on OperationName, where this field indicates the name of the operation that this event represents; NetworkSecurityGroupCounters is the fixed value for this log type. |
PRIMARYIPV4ADDRESS | Based on primaryIPv4Address_s, where this field indicates the private IP address of the VM associated with the NSG resource. |
RESOURCE | Based on Resource, where this field indicates the name of the impacted resource. |
RESOURCEGROUP | Based on ResourceGroup, where this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, where this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, where this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type. |
RESOURCETYPE | Based on ResourceType, where this field indicates the type of the impacted resource; NETWORKSECURITYGROUPS is the fixed value for all Azure NSG logs. |
RULENAME | Based on ruleName_s, where this field indicates the name of the rule, as set and configured on the NSG resource. |
SOURCESYSTEM | Based on SourceSystem, where this field contains Azure as the fixed value for all log types under the AzureDiagnostics table. |
SUBNETPREFIX | Based on subnetPrefix_s, where this field indicates the subnet of the VM associated with the NSG resource. |
SUBSCRIPTIONID | Based on SubscriptionId, where this field indicates the subscription ID of the impacted resource. |
SYSTEMID | Based on systemId_g, where this field indicates the system ID of the network security group. |
TENANTID | Based on TenantId, where this field indicates the Log Analytics workspace ID. |
TIMEGENERATED | Based on TimeGenerated, where this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
TYPE | Based on Type, where this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type. |
VNETRESOURCEGUID | Based on vnetResourceGuid_g, where this field indicates the virtual network ID of the VM associated with the NSG resource. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
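The following is an added example, not Snare Central's own code, showing how the derivation rules in the two tables above (NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter) can be applied to a single AzureDiagnostics record: TABLE as Azure + Category, the SYSTEM fallback to the configured domain, DATE/TIME/DATETIME split out of CreatedDateTime, WORKSPACEID copied from TenantId, and every unclassified column pushed into SNAREDATAMAP as newline-separated key=value pairs. The sample record, the configured domain `example.internal` and the collection timestamp are constructed values; the AzureDiagnostics column names are the ones listed in the tables. RFC3339Nano output is rendered here with a trailing Z and a nine-digit fraction, which is an assumption on my part, as the tables' own sample string ends in `Z00:00`. Note that the rule "Azure + CATEGORY" yields AzureNetworkSecurityGroupRuleCounter for the counter category, while the second table names the table AzureNetworkSecurityGroupCounters; the example follows the rule literally.

```python
from datetime import datetime, timezone

# Snare field -> AzureDiagnostics column for the one-to-one mappings listed in
# the tables. A record only carries the columns its category actually emits.
DIRECT_MAP = {
    "ACTIONTYPE": "type_s", "ADDITIONALFIELDS": "AdditionalFields",
    "CATEGORY": "Category", "DIRECTION": "direction_s",
    "CONDITIONSDESTINATIONIP": "conditions_destinationIP_s",
    "CONDITIONSDESTINATIONPORTRANGE": "conditions_destinationPortRange_s",
    "CONDITIONSSOURCEIP": "conditions_sourceIP_s",
    "CONDITIONSSOURCEPORTRANGE": "conditions_sourcePortRange_s",
    "CONDITIONSPROTOCOLS": "conditions_protocols_s",
    "INGESTIONTIME": "IngestionTime", "LOGID": "LogId",
    "MACADDRESS": "macAddress_s", "MATCHEDCONNECTIONS": "matchedConnections_d",
    "OPERATIONNAME": "OperationName", "PRIMARYIPV4ADDRESS": "primaryIPv4Address_s",
    "PRIORITY": "priority_d", "RESOURCE": "Resource",
    "RESOURCEGROUP": "ResourceGroup", "RESOURCEID": "ResourceId",
    "RESOURCEPROVIDER": "ResourceProvider", "RESOURCETYPE": "ResourceType",
    "RULENAME": "ruleName_s", "SOURCESYSTEM": "SourceSystem",
    "SUBNETPREFIX": "subnetPrefix_s", "SUBSCRIPTIONID": "SubscriptionId",
    "SYSTEMID": "systemId_g", "TENANTID": "TenantId",
    "TIMEGENERATED": "TimeGenerated", "TYPE": "Type",
    "VNETRESOURCEGUID": "vnetResourceGuid_g",
}


def split_timestamp(ts):
    """Return (UTC datetime, nine-digit fraction string) from an Azure timestamp
    such as 2023-03-03T01:59:16.756103200Z. datetime keeps only microseconds,
    so the full fraction is carried separately for the RFC3339Nano output."""
    base, _, frac = ts.rstrip("Z").partition(".")
    frac9 = frac[:9].ljust(9, "0")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt, frac9


def rfc3339nano(dt):
    """Format a datetime as RFC3339Nano (assumed: trailing Z, nine-digit
    fraction). Microseconds are zero-padded to nanosecond width."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond:06d}000Z"


def map_nsg_record(record, configured_domain, collected_at):
    """Apply the table rules to one AzureDiagnostics NSG record."""
    out = {"TABLE": "Azure" + record["Category"]}       # Azure + CATEGORY
    primary_ip = record.get("primaryIPv4Address_s", "")
    out["SYSTEM"] = primary_ip if primary_ip else configured_domain
    dt, frac9 = split_timestamp(record["CreatedDateTime"])
    out["DATE"] = dt.strftime("%Y-%m-%d")
    out["TIME"] = dt.strftime("%H:%M:%S")
    out["DATETIME"] = dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{frac9}Z"
    out["COLLECTIONDATETIME"] = rfc3339nano(collected_at)
    consumed = {"CreatedDateTime"}
    for snare_field, column in DIRECT_MAP.items():
        if column in record:
            out[snare_field] = record[column]
            consumed.add(column)
    out["WORKSPACEID"] = record.get("TenantId", "")    # derived from TenantId
    # Every column not classified above goes into SNAREDATAMAP, one key=value
    # per line, so nothing the source emitted is silently dropped.
    leftovers = {k: v for k, v in record.items() if k not in consumed}
    out["SNAREDATAMAP"] = "\n".join(f"{k}={v}" for k, v in sorted(leftovers.items()))
    return out


# Constructed sample: a deny event with an empty primary IP and one column the
# tables do not classify, so both the SYSTEM fallback and SNAREDATAMAP fire.
SAMPLE_EVENT = {
    "TimeGenerated": "2023-03-03T01:59:20.1234567Z",
    "Category": "NetworkSecurityGroupEvent",
    "CreatedDateTime": "2023-03-03T01:59:16.756103200Z",
    "OperationName": "NetworkSecurityGroupEvents",
    "ResourceProvider": "MICROSOFT.NETWORK",
    "ResourceType": "NETWORKSECURITYGROUPS",
    "SourceSystem": "Azure",
    "Type": "AzureDiagnostics",
    "TenantId": "00000000-0000-0000-0000-000000000000",   # placeholder
    "type_s": "deny",
    "direction_s": "In",
    "ruleName_s": "DenyAllInBound",
    "priority_d": 65500,
    "primaryIPv4Address_s": "",
    "conditions_sourceIP_s": "0.0.0.0/0",
    "conditions_destinationPortRange_s": "22-22",
    "ExtraColumn_s": "not in the mapping",
}
COLLECTED_AT = datetime(2023, 3, 3, 2, 0, 0, 5, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for field, value in map_nsg_record(SAMPLE_EVENT, "example.internal", COLLECTED_AT).items():
        print(f"{field}: {value!r}")
```

Running the block prints the mapped Snare fields for the sample event; feeding it a NetworkSecurityGroupRuleCounter record (same columns plus matchedConnections_d) exercises the second table with the same function.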
...