Two types of logs can be collected from Azure Firewall:
Diagnostic logs (legacy) - the original Azure Firewall log queries, which output log data as unstructured, free-form text.
Structured logs - log data organized according to a predefined schema, which makes it easy to search, filter, and analyze.
Diagnostic logs (legacy)
Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.
These log categories use Azure diagnostics mode and, in this mode, all data from any diagnostic setting is collected in the AzureDiagnostics table.
Snare Central supports collection of the following Azure Firewall diagnostic logs:
Application rule log: AzureFirewallApplicationRule
Contains all Application rule log data. Each match between data plane and application rule creates a log entry with the data plane packet and the matched rule's attributes.
Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection.
Note: The Application rule log is saved to Azure Monitor Logs only if you have enabled it for each Azure Firewall.
TABLE
AzureFirewallApplicationRule is a value derived from CATEGORY's value.
SYSTEM
Based on SOURCEIP if it is not empty; otherwise, the domain value defined in the configuration.
DATE
The date part extracted from CreatedDateTime.
TIME
The time part extracted from CreatedDateTime.
DATETIME
The datetime extracted from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
ACTION
Extracted from the msg_s field; the action taken by the firewall following the Application rule hit.
ACTIONREASON
Extracted from the msg_s field; set when no rule is triggered for a request, and contains the reason for the action the firewall performed.
CATEGORY
Based on Category; the log category of the event. AzureFirewallApplicationRule is the fixed value for this log type.
DESTINATIONPORT
Extracted from the msg_s field; the request's destination port.
FQDN
Extracted from the msg_s field; the request's target address as an FQDN (Fully Qualified Domain Name).
INGESTIONTIME
Based on IngestionTime; the approximate time of ingestion into the Azure table.
LOGID
Based on LogId; a unique identifier for the record.
MSG
Based on msg_s; the free-text description of the request processed by the firewall.
OPERATIONNAME
Based on OperationName; the name of the operation this event represents. AzureFirewallApplicationRuleLog is the fixed value for this log type.
POLICY
Extracted from the msg_s field; the name of the policy in which the triggered rule resides.
PROTOCOL
Extracted from the msg_s field; the request's network protocol, for example HTTP or HTTPS.
RESOURCE
Based on Resource; the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup; the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId; a unique identifier for the resource the record is associated with.
RESOURCEPROVIDER
Based on ResourceProvider; the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType; the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RULE
Extracted from the msg_s field; the name of the triggered rule.
RULECOLLECTION
Extracted from the msg_s field; the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Extracted from the msg_s field; the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Extracted from the msg_s field; the request's source IP address.
SOURCEPORT
Extracted from the msg_s field; the request's source port.
SOURCESYSTEM
Based on SourceSystem; Azure is the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId; the subscription ID of the impacted resource.
TENANTID
Based on TenantId; the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated; the timestamp at which the event was generated by the Azure service that processed the request.
TYPE
Based on Type; the name of the table. AzureDiagnostics is the fixed value for this log type.
URL
Extracted from the msg_s field; the request's target URL. Available only for HTTP requests and TLS-inspected HTTPS requests.
WORKSPACEID
A value derived from TenantId.
SNAREDATAMAP
All unclassified fields parsed from this log type are pushed into SNAREDATAMAP in key=value format, one per line.
Network rule log: AzureFirewallNetworkRule
Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection.
Note: The Network rule log is sent to Azure Monitor Logs only if you have enabled it for each Azure Firewall.
TABLE
AzureFirewallNetworkRule is a value derived from CATEGORY's value.
SYSTEM
Based on DESTINATIONIP if it is not empty; otherwise, the domain value defined in the configuration.
DATE
The date part extracted from CreatedDateTime.
TIME
The time part extracted from CreatedDateTime.
DATETIME
The datetime extracted from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
ACTION
Extracted from the msg_s field; the action taken by the firewall following the match with the Network rule. This field is empty if OperationName is AzureFirewallNatRuleLog.
CATEGORY
Based on Category; the log category of the event. AzureFirewallNetworkRule is the fixed value for this log type.
DESTINATIONIP
Extracted from the msg_s field; the packet's destination IP address.
DESTINATIONPORT
Extracted from the msg_s field; the packet's destination port.
INGESTIONTIME
Based on IngestionTime; the approximate time of ingestion into the Azure table.
LOGID
Based on LogId; a unique identifier for the record.
MSG
Based on msg_s; the free-text description of the packet processed by the firewall.
OPERATIONNAME
Based on OperationName; the name of the operation this event represents. Possible values are AzureFirewallNatRuleLog, AzureFirewallNetworkRuleLog and AzureFirewallThreatIntelLog.
POLICY
Extracted from the msg_s field; the name of the policy in which the triggered rule resides.
PROTOCOL
Extracted from the msg_s field; the packet's network protocol.
RESOURCE
Based on Resource; the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup; the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId; a unique identifier for the resource the record is associated with.
RESOURCEPROVIDER
Based on ResourceProvider; the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType; the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RULE
Extracted from the msg_s field; the name of the triggered rule.
RULECOLLECTION
Extracted from the msg_s field; the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Extracted from the msg_s field; the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Extracted from the msg_s field; the packet's source IP address.
SOURCEPORT
Extracted from the msg_s field; the packet's source port.
SOURCESYSTEM
Based on SourceSystem; Azure is the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId; the subscription ID of the impacted resource.
TENANTID
Based on TenantId; the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated; the timestamp at which the event was generated by the Azure service that processed the request.
TRANSLATEDIP
Extracted from the msg_s field; the destination IP address the packet's original destination address was translated to by the DNAT rule.
TRANSLATEDPORT
Extracted from the msg_s field; the destination port the packet's original destination port was translated to by the DNAT rule.
TYPE
Based on Type; the name of the table. AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value derived from TenantId.
SNAREDATAMAP
All unclassified fields parsed from this log type are pushed into SNAREDATAMAP in key=value format, one per line.
Threat Intel log: AzureFirewallThreatIntelLog
Contains all Threat Intelligence events.
Note: Threat Intelligence events are sent to Azure Monitor Logs only if you have enabled them for each Azure Firewall.
TABLE
AzureFirewallThreatIntelLog is a value derived from OPERATIONNAME's value (these events share the AzureFirewallNetworkRule category with network and NAT rule events, so OperationName is what tells them apart).
SYSTEM
Based on DESTINATIONIP if it is not empty; otherwise, the domain value defined in the configuration.
DATE
The date part extracted from CreatedDateTime.
TIME
The time part extracted from CreatedDateTime.
DATETIME
The datetime extracted from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
CATEGORY
Based on Category; the log category of the event. AzureFirewallNetworkRule is the fixed value for this log type.
INGESTIONTIME
Based on IngestionTime; the approximate time of ingestion into the Azure table.
LOGID
Based on LogId; a unique identifier for the record.
MSG
Based on msg_s; the free-text description of the request processed by the firewall.
OPERATIONNAME
Based on OperationName; the name of the operation this event represents. AzureFirewallThreatIntelLog is the fixed value for this log type.
ACTION
Extracted from the msg_s field; the action taken by the firewall following the Threat Intelligence hit.
DESTINATIONIP
Extracted from the msg_s field; the packet's destination IP address.
DESTINATIONPORT
Extracted from the msg_s field; the packet's destination port.
FQDN
Extracted from the msg_s field; the request's target address as an FQDN (Fully Qualified Domain Name).
PROTOCOL
Extracted from the msg_s field; the packet's network protocol, for example TCP or UDP.
RESOURCE
Based on Resource; the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup; the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId; a unique identifier for the resource the record is associated with.
RESOURCEPROVIDER
Based on ResourceProvider; the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType; the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
SOURCEIP
Extracted from the msg_s field; the packet's source IP address.
SOURCEPORT
Extracted from the msg_s field; the packet's source port.
SOURCESYSTEM
Based on SourceSystem; Azure is the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId; the subscription ID of the impacted resource.
TARGETURL
Extracted from the msg_s field; the request's target URL. Available only for HTTP requests and TLS-inspected HTTPS requests.
TENANTID
Based on TenantId; the Log Analytics workspace ID.
THREATINTEL
Extracted from the msg_s field; the description of the threat identified by the firewall.
TIMEGENERATED
Based on TimeGenerated; the timestamp at which the event was generated by the Azure service that processed the request.
TYPE
Based on Type; the name of the table. AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value derived from TenantId.
SNAREDATAMAP
All unclassified fields parsed from this log type are pushed into SNAREDATAMAP in key=value format, one per line.
DNS proxy log: AzureFirewallDnsProxy
Contains all DNS Proxy event log data. This log tracks DNS messages sent to a DNS server configured using DNS proxy.
TABLE
AzureFirewallDnsProxy is a value derived from CATEGORY's value.
SYSTEM
Based on SOURCEIP if it is not empty; otherwise, the domain value defined in the configuration.
DATE
The date part extracted from CreatedDateTime.
TIME
The time part extracted from CreatedDateTime.
DATETIME
The datetime extracted from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
CATEGORY
Based on Category; the log category of the event. AzureFirewallDnsProxy is the fixed value for this log type.
INGESTIONTIME
Based on IngestionTime; the approximate time of ingestion into the Azure table.
LOGID
Based on LogId; a unique identifier for the record.
MSG
Based on msg_s; the free-text description of the DNS query processed by the firewall.
OPERATIONNAME
Based on OperationName; the name of the operation this event represents. AzureFirewallDnsProxyLog is the fixed value for this log type.
PROTOCOL
Extracted from the msg_s field; the protocol used to send the DNS query, for example TCP or UDP.
QUERYCLASS
Extracted from the msg_s field; the DNS query's class.
QUERYID
Extracted from the msg_s field; the DNS query's ID.
QUERYNAME
Extracted from the msg_s field; the name the DNS query asks to resolve.
QUERYTYPE
Extracted from the msg_s field; the DNS query's type.
RESOURCE
Based on Resource; the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup; the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId; a unique identifier for the resource the record is associated with.
RESOURCEPROVIDER
Based on ResourceProvider; the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType; the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RESPONSECODE
Extracted from the msg_s field; the DNS response code.
RESPONSEFLAGS
Extracted from the msg_s field; the DNS response flags.
SOURCEIP
Extracted from the msg_s field; the DNS query's source IP address.
SOURCEPORT
Extracted from the msg_s field; the DNS query's source port.
SOURCESYSTEM
Based on SourceSystem; Azure is the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId; the subscription ID of the impacted resource.
TENANTID
Based on TenantId; the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated; the timestamp at which the event was generated by the Azure service that processed the request.
TYPE
Based on Type; the name of the table. AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value derived from TenantId.
SNAREDATAMAP
All unclassified fields parsed from this log type are pushed into SNAREDATAMAP in key=value format, one per line.
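The legacy tables above all say "extracted from the msg_s field" without showing what that extraction looks like. The following is an added example, not Snare Central's own parser: it splits legacy msg_s text for the application, network, NAT, Threat Intel and DNS proxy events into the field names used in the tables, derives TABLE and SYSTEM by the rules given above, and routes anything unmapped into SNAREDATAMAP. The sample rows are constructed for this example (msg_s text is modelled on the Azure Firewall legacy log format; the firewall name, addresses, policy and rule names, the Extra_s column and the default_domain fallback are invented), and IPv6 targets are not handled.

```python
import ipaddress
import re

# Constructed AzureDiagnostics rows for this example. The msg_s text is modelled on the
# Azure Firewall legacy (free-text) log format; names, IPs and rule names are invented and
# each row carries only the columns the parser needs. Extra_s is an invented column that
# exists only to show the SNAREDATAMAP path.
SAMPLE_ROWS = [
    {"Category": "AzureFirewallApplicationRule", "OperationName": "AzureFirewallApplicationRuleLog",
     "Resource": "FW-HUB", "TenantId": "5c0d6f2e-0000-4000-8000-000000000001",
     "msg_s": "HTTPS request from 10.0.0.4:49854 to www.example.com:443. Action: Allow. "
              "Policy: corp-policy. Rule Collection Group: rcg-egress. Rule Collection: rc-web. Rule: allow-example"},
    {"Category": "AzureFirewallApplicationRule", "OperationName": "AzureFirewallApplicationRuleLog",
     "Resource": "FW-HUB",
     "msg_s": "HTTP request from 10.0.0.4:50122 to update.example.net:80. Action: Deny. "
              "No rule matched. Proceeding with default action"},
    {"Category": "AzureFirewallNetworkRule", "OperationName": "AzureFirewallNetworkRuleLog",
     "Resource": "FW-HUB",
     "msg_s": "TCP request from 10.0.0.4:52734 to 10.0.1.5:22. Action: Allow. Policy: corp-policy. "
              "Rule Collection Group: rcg-internal. Rule Collection: rc-ssh. Rule: allow-ssh"},
    {"Category": "AzureFirewallNetworkRule", "OperationName": "AzureFirewallNatRuleLog",
     "Resource": "FW-HUB",
     "msg_s": "TCP request from 203.0.113.10:40211 to 198.51.100.7:22 was DNAT'ed to 10.0.0.4:22. "
              "Policy: corp-policy. Rule Collection Group: rcg-dnat. Rule Collection: rc-dnat. Rule: ssh-in"},
    {"Category": "AzureFirewallNetworkRule", "OperationName": "AzureFirewallThreatIntelLog",
     "Resource": "FW-HUB",
     "msg_s": "TCP request from 10.0.0.4:33221 to 198.51.100.99:80. Action: Deny. ThreatIntel: Bot Networks"},
    {"Category": "AzureFirewallDnsProxy", "OperationName": "AzureFirewallDnsProxyLog",
     "Resource": "FW-HUB", "Extra_s": "unmapped",
     "msg_s": "DNS Request: 10.0.0.4:56789 - 12345 A IN www.example.com. udp 44 false 512 "
              "NOERROR qr,rd,ra 60 0.001304511s"},
]

# "<PROTO> request from <ip>:<port> to <target>:<port>[ was DNAT'ed to <ip>:<port>]." followed by
# "Key: Value" segments. Targets containing ':' (IPv6) are not handled by this pattern.
CONN_RE = re.compile(
    r"^(?P<PROTOCOL>\S+) request from (?P<SOURCEIP>[^\s:]+):(?P<SOURCEPORT>\d+)"
    r"(?: to (?P<target>[^\s:]+):(?P<DESTINATIONPORT>\d+))?"
    r"(?: was DNAT'ed to (?P<TRANSLATEDIP>[^\s:]+):(?P<TRANSLATEDPORT>\d+))?\.?\s*"
)
# CoreDNS-style line used by the legacy DNS proxy log (hyphen or en dash after the source).
DNS_RE = re.compile(
    r"^DNS Request: (?P<SOURCEIP>[^\s:]+):(?P<SOURCEPORT>\d+) [-\u2013] (?P<QUERYID>\d+) "
    r"(?P<QUERYTYPE>\S+) (?P<QUERYCLASS>\S+) (?P<QUERYNAME>\S+) (?P<PROTOCOL>\S+) "
    r"\d+ \S+ \d+ (?P<RESPONSECODE>\S+) (?P<RESPONSEFLAGS>\S+) \d+ \S+$"
)
# "Key: Value" segments after the connection tuple, mapped to the Snare field names above.
SEGMENT_KEYS = {"Action": "ACTION", "Policy": "POLICY", "Rule Collection Group": "RULECOLLECTIONGROUP",
                "Rule Collection": "RULECOLLECTION", "Rule": "RULE", "ThreatIntel": "THREATINTEL"}
# Columns copied straight across (upper-cased) per the tables above; anything else is unclassified.
PASSTHROUGH = ("Category", "OperationName", "Resource", "ResourceGroup", "ResourceId", "ResourceProvider",
               "ResourceType", "SubscriptionId", "TenantId", "TimeGenerated", "IngestionTime", "LogId",
               "Type", "SourceSystem")
SYSTEM_FROM_SOURCE = ("AzureFirewallApplicationRule", "AzureFirewallDnsProxy")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_msg(msg):
    """Split one legacy msg_s string into Snare field names."""
    m = DNS_RE.match(msg)
    if m:
        return {k: v for k, v in m.groupdict().items() if v is not None}
    m = CONN_RE.match(msg)
    if not m:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    target = fields.pop("target", None)
    if target is not None:
        # Application and Threat Intel logs carry an FQDN target, network/NAT logs an IP;
        # deciding by the value's shape covers both without a per-category rule.
        fields["DESTINATIONIP" if _is_ip(target) else "FQDN"] = target
    reasons = []
    for seg in re.split(r"\.\s+", msg[m.end():].rstrip(".")):
        key, sep, value = seg.partition(":")
        if sep and key.strip() in SEGMENT_KEYS:
            fields[SEGMENT_KEYS[key.strip()]] = value.strip()
        elif seg.strip():
            reasons.append(seg.strip())   # "No rule matched", "Proceeding with default action"
    if reasons:
        fields["ACTIONREASON"] = ". ".join(reasons)
    return fields


def to_snare_record(row, default_domain="fw.example.internal"):
    """Assemble the Snare event: fixed columns, msg_s fields, TABLE, SYSTEM, WORKSPACEID, SNAREDATAMAP."""
    rec = {col.upper(): str(row[col]) for col in PASSTHROUGH if col in row}
    rec.update(parse_msg(row.get("msg_s", "")))
    rec["MSG"] = row.get("msg_s", "")
    # Threat Intel events share the AzureFirewallNetworkRule category and are told apart by
    # OperationName; every other legacy table is named after Category.
    op = row.get("OperationName", "")
    rec["TABLE"] = op if op == "AzureFirewallThreatIntelLog" else row.get("Category", "")
    key = "SOURCEIP" if rec["TABLE"] in SYSTEM_FROM_SOURCE else "DESTINATIONIP"
    rec["SYSTEM"] = rec.get(key) or default_domain   # default_domain stands in for the configured domain
    if "TENANTID" in rec:
        rec["WORKSPACEID"] = rec["TENANTID"]
    leftovers = {k: v for k, v in row.items() if k not in PASSTHROUGH and k != "msg_s"}
    rec["SNAREDATAMAP"] = "\n".join(f"{k}={v}" for k, v in sorted(leftovers.items()))
    return rec


def parse_all(rows=SAMPLE_ROWS):
    return [to_snare_record(row) for row in rows]


if __name__ == "__main__":
    for rec in parse_all():
        print({k: rec[k] for k in ("TABLE", "SYSTEM", "ACTION", "ACTIONREASON", "FQDN", "DESTINATIONIP",
                                   "TRANSLATEDIP", "THREATINTEL", "QUERYNAME") if k in rec})
```

Two behaviours worth noting when you compare the output with the tables: the NAT row yields no ACTION at all (the table says the field is empty for AzureFirewallNatRuleLog), and the Threat Intel row gets its TABLE from OperationName while its CATEGORY stays AzureFirewallNetworkRule.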
Structured logs
Structured logs are a type of log data that are organized in a specific format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze.
Unlike unstructured logs, which consist of free-form text, structured logs have a consistent format that machines can parse and analyze.
Azure Firewall's structured logs provide a more detailed view of firewall events. They include information such as source and destination IP addresses, protocols, port numbers, and action taken by the firewall.
Snare Central supports collection of these structured firewall logs:
Application rule log: AzureAZFWApplicationRule
Contains all Application rule log data. Each match between data plane and application rule creates a log entry with the data plane packet and the matched rule's attributes.
Log Structure
Table Fields
Field
Description
TABLE
AzureAZFWApplicationRule is a value derived from Azure + CATEGORY's value.
SYSTEM
Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
ACTION
Based on Action_s, this field indicates the action taken by the firewall following the Application rule hit.
ACTIONREASON
Based on ActionReason_s, this field is set when no rule is triggered for a request and contains the reason for the action performed by the firewall.
CATEGORY
Based on Category, this field indicates the log category of the event. AZFWApplicationRule is the fixed value for this log type.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the request's destination port.
FQDN
Based on Fqdn_s, this field indicates the request's target address in FQDN (Fully qualified Domain Name).
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
ISEXPLICITPROXYREQUEST
Based on IsExplicitProxyRequest_b, this field will be set to true if the request is received on an explicit proxy port, false otherwise.
ISTLSINSPECTED
Based on IsTlsInspected_b, this field will be set to true if the connection is TLS inspected, false otherwise.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
POLICY
Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Based on Protocol_s, this field indicates the request's network protocol.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RULE
Based on Rule_s, this field indicates the name of the triggered rule.
RULECOLLECTION
Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Based on SourceIP, this field indicates the request's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the request's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp at which the event was generated by the Azure service that processed the request.
TYPE
Based on Type, this field indicates the name of the table. AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Network rule log: AzureAZFWNetworkRule
Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
Log Structure
Table Fields
Field
Description
TABLE
AzureAZFWNetworkRule is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
ACTION
Based on Action_s, this field indicates the action taken by the firewall following the match with this Network Rule.
ACTIONREASON
Based on ActionReason_s, this field is set when no rule is triggered for a packet and contains the reason for the action performed by the firewall.
CATEGORY
Based on Category, this field indicates the log category of the event. AZFWNetworkRule is the fixed value for this log type.
DESTINATIONIP
Based on DestinationIp_s, this field indicates the packet's destination IP address.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the packet's destination port.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
POLICY
Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Based on Protocol_s, this field indicates the packet's network protocol.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RULE
Based on Rule_s, this field indicates the name of the triggered rule.
RULECOLLECTION
Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Based on SourceIP, this field indicates the packet's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp at which the event was generated by the Azure service that processed the request.
TYPE
Based on Type, this field indicates the name of the table. AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
NAT rule log: AzureAZFWNatRule
Contains all DNAT (Destination Network Address Translation) events log data. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.
Log Structure
Table Fields
Field
Description
TABLE
AzureAZFWNatRule is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
CATEGORY
Based on Category, this field indicates the log category of the event. AZFWNatRule is the fixed value for this log type.
DESTINATIONIP
Based on DestinationIp_s, this field indicates the packet's destination IP address.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the packet's destination port.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
POLICY
Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Based on Protocol_s, this field indicates the packet's network protocol, for example: UDP, TCP.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource. AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RULE
Based on Rule_s, this field indicates the name of the triggered rule.
RULECOLLECTION
Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Based on SourceIP, this field indicates the packet's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp at which the event was generated by the Azure service that processed the request.
TRANSLATEDIP
Based on TranslatedIp_s, this field indicates the destination IP address the packet's original destination address was translated to by the DNAT rule.
TRANSLATEDPORT
Based on TranslatedPort_d, this field indicates the destination port the packet's original destination port was translated to by the DNAT rule.
TYPE
Based on Type, this field indicates the name of the table. AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
DNS proxy log: AzureAZFWDnsQuery
Contains all DNS Proxy events log data.
Log Structure
Table Fields
Field
Description
TABLE
AzureAZFWDnsQuery is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
COLLECTIONDATETIME
Snare Central's local date and time of the log collection from the API, formatted using RFC3339Nano (for example 2023-03-03T01:59:16.756103200Z).
CATEGORY
Based on Category, this field indicates the log category of the event. AZFWDnsQuery is the fixed value for this log type.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
PROTOCOL
Based on Protocol_s, this field indicates the protocol used to send the DNS query, for example: TCP, UDP.
QUERYCLASS
Based on QueryClass_s, this field indicates the DNS query's query class.
QUERYID
Based on QueryId_d, this field indicates the DNS query's query ID.
QUERYNAME
Based on QueryName_s, this field indicates the DNS query's name to resolve.
QUERYTYPE
Based on QueryType_s, this field indicates the DNS query's query type.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource; AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
RESPONSECODE
Based on ResponseCode_s, this field indicates the DNS response code.
RESPONSEFLAGS
Based on ResponseFlags_s, this field indicates the DNS response flags, comma separated.
SOURCEIP
Based on SourceIP, this field indicates the DNS query's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the DNS query's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.
TYPE
Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Threat Intel log: AzureAZFWThreatIntel
Contains all Threat Intelligence events.
Log Structure
Table Fields
Field
Description
TABLE
AzureAZFWThreatIntel is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
CATEGORY
Based on Category, this field indicates the log category of the event; AZFWThreatIntel is the fixed value for this log type.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
ACTION
Based on Action_s, this field indicates the action taken by the firewall following the Threat Intelligence hit.
DESTINATIONIP
Based on DestinationIp_s, this field indicates the packet's destination IP address.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the packet's destination port.
FQDN
Based on Fqdn_s, this field indicates the request's target address as an FQDN (fully qualified domain name).
ISTLSINSPECTED
Based on IsTlsInspected_b, this field indicates whether the connection is TLS inspected or not.
PROTOCOL
Based on Protocol_s, this field indicates the packet's network protocol. For example: UDP, TCP.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource; AZUREFIREWALLS is the fixed value for all Azure Firewall logs.
SOURCEIP
Based on SourceIP, this field indicates the packet's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TARGETURL
Based on TargetUrl_s, this field indicates the request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
THREATDESCRIPTION
Based on ThreatDescription_s, this field indicates the description of the Threat that was identified by the firewall.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.
TYPE
Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
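As an added illustration (not Snare Central's own code), the mapping described in the DNS proxy and Threat Intel tables above applied to one constructed AzureDiagnostics row in Python: TABLE from Azure + Category, SYSTEM from the log type's IP column with a configured fallback domain, DATE/TIME/DATETIME split from CreatedDateTime, classified columns renamed, and every unclassified column collected into SNAREDATAMAP as newline-separated key=value pairs. The fallback domain, the sample row values and rendering UTC as a trailing Z in RFC3339Nano output are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Source column -> Snare field for the two log types documented above (constructed
# from the page's tables; column names are the AzureDiagnostics ones).
FIELD_MAPS = {
    "AZFWDnsQuery": {"Protocol_s": "PROTOCOL", "QueryClass_s": "QUERYCLASS", "QueryId_d": "QUERYID",
        "QueryName_s": "QUERYNAME", "QueryType_s": "QUERYTYPE", "ResponseCode_s": "RESPONSECODE",
        "ResponseFlags_s": "RESPONSEFLAGS", "SourceIP": "SOURCEIP", "SourcePort_d": "SOURCEPORT"},
    "AZFWThreatIntel": {"Action_s": "ACTION", "DestinationIp_s": "DESTINATIONIP",
        "DestinationPort_d": "DESTINATIONPORT", "Fqdn_s": "FQDN", "IsTlsInspected_b": "ISTLSINSPECTED",
        "Protocol_s": "PROTOCOL", "SourceIP": "SOURCEIP", "SourcePort_d": "SOURCEPORT",
        "TargetUrl_s": "TARGETURL", "ThreatDescription_s": "THREATDESCRIPTION"},
}
# Columns shared by every AzureDiagnostics row, mapped under their upper-cased name.
COMMON = {c: c.upper() for c in ("Category", "IngestionTime", "LogId", "Resource", "ResourceGroup",
    "ResourceId", "ResourceProvider", "ResourceType", "SourceSystem", "SubscriptionId", "TenantId",
    "TimeGenerated", "Type")}
SYSTEM_SOURCE = {"AZFWDnsQuery": "SourceIP", "AZFWThreatIntel": "DestinationIp_s"}
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

def split_timestamp(created):
    # DATE, TIME, DATETIME from CreatedDateTime; DATETIME padded to nine fractional digits.
    m = _TS.match(created)
    if not m:
        raise ValueError(f"unexpected CreatedDateTime: {created!r}")
    date, clock, frac = m.group(1), m.group(2), m.group(3) or ""
    return date, clock, f"{date}T{clock}.{frac.ljust(9, '0')[:9]}Z"

def map_record(record, fallback_domain="fw.example.invalid", collected_at=None):
    # Map one AzureDiagnostics row (a dict) onto the Snare field layout.
    category = record["Category"]
    known = {**COMMON, **FIELD_MAPS[category]}
    out = {"TABLE": "Azure" + category}
    out["DATE"], out["TIME"], out["DATETIME"] = split_timestamp(record["CreatedDateTime"])
    now = collected_at or datetime.now(timezone.utc)
    out["COLLECTIONDATETIME"] = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond:06d}000Z"
    # SYSTEM takes the IP column named for this log type, else the configured domain.
    out["SYSTEM"] = record.get(SYSTEM_SOURCE[category]) or fallback_domain
    out.update({field: record[col] for col, field in known.items() if col in record})
    out["WORKSPACEID"] = record.get("TenantId")  # WORKSPACEID is derived from TenantId
    # Everything unclassified goes into SNAREDATAMAP as newline-separated key=value pairs.
    extras = [f"{k}={v}" for k, v in record.items() if k not in known and k != "CreatedDateTime"]
    out["SNAREDATAMAP"] = "\n".join(extras)
    return out

# Constructed sample DNS proxy row (illustrative values, not captured data).
SAMPLE_DNS = {"Category": "AZFWDnsQuery", "CreatedDateTime": "2023-03-03T01:59:16.7561032Z",
    "SourceIP": "10.0.1.4", "SourcePort_d": 53412, "QueryName_s": "example.com.", "QueryType_s": "A",
    "ResponseCode_s": "NOERROR", "ResponseFlags_s": "QR,RD,RA", "Protocol_s": "UDP",
    "TenantId": "00000000-0000-0000-0000-000000000000", "OperationName": "AzureFirewallDnsProxy"}
```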