Overview
A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.
When you enable logging for an NSG, you can gather the following types of resource log information:
Event: Entries are logged for which NSG rules are applied to virtual machines, based on MAC address.
Rule counter: Contains entries for how many times each NSG rule is applied to allow or deny traffic. The status for these rules is collected every 300 seconds.
Resource logging is enabled separately for each NSG for which to collect diagnostic data.
Azure NSG Group Event: AzureNetworkSecurityGroupEvent
The event log contains information about which NSG rules are applied to virtual machines, based on MAC address. The following data is logged for each event.
Log Structure
Sample NetworkSecurityGroupEvents from API
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"3c17ed1c-6996-4e21-9d0f-8785b9245551",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/EFAF3341-8916-416E-8D3C-37AB9DC5D4F7/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupEvent",
"TEST",
"efaf3341-8916-416e-8d3c-37ab9dc5d4f7",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupEvents",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"6de438b4-8f8f-4541-9417-49580902a016",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"e30d725c-10d8-4b65-862f-11fb5a93f148",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"0-65535",
65000,
"0-65535",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"768e99d0-9862-4c29-acce-5db965680101",
"/subscriptions/efaf3341-8916-416e-8d3c-37ab9dc5d4f7/resourcegroups/test/providers/microsoft.network/networksecuritygroups/NSG-1",
"2023-06-20T00:52:37.530055Z",
"768e99d0-9862-4c29-acce-5db965680101"
]
]
}
]
}
Table Fields
Field | Description |
|---|
TABLE | AzureNetworkSecurityGroupEvent was a value derived from TYPE + OPERATIONNAME. |
SYSTEM | Depends on PRIMARYIPV4ADDRESS field if not empty, else will depend on configured domain value. |
DATE | Extracted date value from CREATEDDATETIME. |
TIME | Extracted time value from CREATEDDATETIME. |
DATETIME | Extracted datetime value from CREATEDDATETIME and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | The datetime value when the log was collected from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
ADDITIONALFIELDS | If the total number of columns is at or above 500, the excess data is added to a dynamic property bag column called AdditionalFields as a property. |
ACTIONTYPE | Action done, either allow or deny, as specified in the rule. |
CATEGORY | NetworkSecurityGroupEvent is the fix value for this log type. |
CONDITIONSDESTINATIONIP | The value of Destination IP addresses ranges, as specified in the rule. |
CONDITIONSDESTINATIONPORTRANGE | The value of Destination port ranges, as specified in the rule. |
CONDITIONSSOURCEIP | The value of Source IP addresses/CIDR ranges, as specified in the rule. |
CONDITIONSSOURCEPORTRANGE | The value of Source port ranges, as specified in the rule. |
CONDITIONSPROTOCOLS | The value of Protocol, as specified in the rule. |
DIRECTION | Possible values: In or Out, as specified in the rule. |
INGESTIONTIME | A datetime value specifying the approximate time of ingestion into an Azure table. |
LOGID | A unique identifier for the record or log. |
MACADDRESS | MAC address of the VM associated with the NSG resource. |
OPERATIONNAME | NetworkSecurityGroupEvents is the fix value for this log type. |
PRIMARYIPV4ADDRESS | Private IP address of the VM associated with the NSG resource. |
PRIORITY | Priority of the rule set and configured on the NSG resource. |
RESOURCE | If empty, will use the value from Properties.resource as its value. |
RESOURCEGROUP | Resource group name of the impacted resource. |
RESOURCEID | A unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Id of the resource provider for the impacted resource, for this log type it will be MICROSOFT.NETWORK |
RESOURCETYPE | NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs. |
RULENAME | Rule name set and configured on the NSG resource. |
SOURCESYSTEM | Azure is the fix value for all log types under AzureDiagnostics table. |
SUBNETPREFIX | Subnet of the VM associated with the NSG resource. |
SUBSCRIPTIONID | Subscription ID of the impacted resource. |
SYSTEMID | System ID of the network security group. |
TENANTID | The Log Analytics workspace ID. |
TIMEGENERATED | Timestamp when the event was generated by the Azure service processing the request corresponding the event. |
TYPE | AzureDiagnostics is the fix value for this log type. |
VNETRESOURCEGUID | Virtual network ID of the VM associated with the NSG resource. |
WORKSPACEID | Derived from TenantId if not empty, else will depend configured value for the Workspace ID. |
SNAREDATAMAP | All unclassified field/s in the log will be pushed into the SNAREDATAMAP using key=value format and separated by newline. |
Azure NSG Group Rule Counter: AzureNetworkSecurityGroupRuleCounter
The rule counter log contains information about each rule applied to resources. The following example data is logged each time a rule is applied.
Log Structure
Sample NetworkSecurityGroupRuleCounter from API
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"a4888c77-0dc5-4d98-863f-0f96c7ede660",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupRuleCounter",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupCounters",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"97d097c1-23a4-4c56-8a06-88f0178851fc",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"964f299a-1ed9-463c-bcc5-d6849b28cac5",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"",
null,
"",
"",
"",
"",
"",
0,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"a611ada7-9691-4920-b162-090aaa499d7b",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/networksecuritygroups/snaretestvm1-nsg",
"2023-06-20T00:51:40.6057254Z",
"a611ada7-9691-4920-b162-090aaa499d7b"
]
]
}
]
}
Table Fields
Field | Description |
|---|
TABLE | AzureNetworkSecurityGroupCounters was a value derived from TYPE + OPERATIONNAME. |
SYSTEM | Depends on PRIMARYIPV4ADDRESS field if not empty, else will depend on configured domain value. |
DATE | Extracted date value from CREATEDDATETIME. |
TIME | Extracted time value from CREATEDDATETIME. |
DATETIME | Extracted datetime value from CREATEDDATETIME and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | The datetime value when the log was collected from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
ADDITIONALFIELDS | If the total number of columns is at or above 500, the excess data is added to a dynamic property bag column called AdditionalFields as a property. |
ACTIONTYPE | Action done, either allow or deny, as specified in the rule. |
CATEGORY | NetworkSecurityGroupRuleCounter is the fix value for this log type. |
DIRECTION | Possible values: In or Out, as specified in the rule. |
INGESTIONTIME | A datetime value specifying the approximate time of ingestion into an Azure table. |
LOGID | A unique identifier for the record or log. |
MACADDRESS | MAC address of the VM associated with the NSG resource. |
MATCHEDCONNECTIONS | No description in the external documentation. |
OPERATIONNAME | NetworkSecurityGroupCounters is the fix value for this log type. |
PRIMARYIPV4ADDRESS | Private IP address of the VM associated with the NSG resource. |
RESOURCE | If empty, will use the value from Properties.resource as its value. |
RESOURCEGROUP | Resource group name of the impacted resource. |
RESOURCEID | A unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Id of the resource provider for the impacted resource, for this log type it will be MICROSOFT.NETWORK |
RESOURCETYPE | NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs. |
RULENAME | Rule name set and configured on the NSG resource. |
SOURCESYSTEM | Azure is the fix value for all log types under AzureDiagnostics table. |
SUBNETPREFIX | Subnet of the VM associated with the NSG resource. |
SUBSCRIPTIONID | Subscription ID of the impacted resource. |
SYSTEMID | System ID of the network security group. |
TENANTID | The Log Analytics workspace ID. |
TIMEGENERATED | Timestamp when the event was generated by the Azure service processing the request corresponding the event. |
TYPE | AzureDiagnostics is the fix value for this log type. |
VNETRESOURCEGUID | Virtual network ID of the VM associated with the NSG resource. |
WORKSPACEID | Derived from TenantId if not empty, else will depend configured value for the Workspace ID. |
SNAREDATAMAP | All unclassified field/s in the log will be pushed into the SNAREDATAMAP using key=value format and separated by newline. |
Notes
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics
