2 types of logs can be collected from Azure Firewall:
Diagnostic logs (legacy) - Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.
Structured logs - Structured logs are a type of log data that are organized in a specific format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze.
Â
Diagnostic logs (legacy)
Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.
These log categories use Azure diagnostics mode and, in this mode, all data from any diagnostic setting is collected in the AzureDiagnostics table.
Snare Central supports collection of the ff. Azure Firewall diagnostics logs:
Contains all Network Rule log data and each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection.
Note: The Application rule log is saved to an Azure Monitor logs only if you've enabled it for each Azure Firewall.
AzureFirewallApplicationRule is a value derived from CATEGORY’s value.
SYSTEM
Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
ACTION
Data was extracted from msg_s field, it indicates the action taken by the firewall following the Application rule hit.
ACTIONREASON
Data was extracted from msg_s field, it indicates that there’s no rule that is triggered for a request, this field contains the reason for the action performed by the firewall.
CATEGORY
Based on Category, this field indicates the log category of the event, AzureFirewallApplicationRule is the fix value for this log type.
DESTINATIONPORT
Data was extracted from msg_s field, it indicates the request's destination port.
FQDN
Data was extracted from msg_s field, it indicates the request's target address in FQDN (Fully qualified Domain Name).
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
MSG
Based on msg_s, this field contains the information about the request processed by the Firewall.
OPERATIONNAME
Based on OperationName, this field indicates the name of the operation that this event represents, AzureFirewallApplicationRuleLog is the fix value for this log type.
POLICY
Data was extracted from msg_s field, it indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Data was extracted from msg_s field, it indicates the request's network protocol. For example: HTTP, HTTPS.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RULE
Data was extracted from msg_s field, it indicates the name of the triggered rule.
RULECOLLECTION
Data was extracted from msg_s field, it indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Data was extracted from msg_s field, it indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Data was extracted from msg_s field, it indicates the request's source IP address.
SOURCEPORT
Data was extracted from msg_s field, it indicates the request's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
URL
Data was extracted from msg_s field, and this detail will be available only for HTTP or TLS-inspected HTTPS requests.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
Network rule log: AzureFirewallNetworkRule
Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection.
Note: The Network rule log is sent to an Azure Monitor logs only if you've enabled it for each Azure Firewall.
AzureFirewallNetworkRule is a value derived from CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
ACTION
Data was extracted from msg_s field, it indicates the action taken by the firewall following the match with the Network Rule. This field is empty if OperationName is AzureFirewallNatRuleLo
CATEGORY
Based on Category, this field indicates the log category of the event, AzureFirewallNetworkRule is the fix value for this log type.
DESTINATIONIP
Data was extracted from msg_s field, it indicates the packet's destination IP address.
DESTINATIONPORT
Data was extracted from msg_s field, it indicates the packet's destination port.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
MSG
Based on msg_s, this field contains the information about the packet processed by the Firewall.
OPERATIONNAME
Based on OperationName, this field indicates the name of the operation that this event represents. Possible values are AzureFirewallNatRuleLog, AzureFirewallNetworkRuleLog or AzureFirewallThreatIntelLog.
POLICY
Data was extracted from msg_s field, it indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Data was extracted from msg_s field, it indicates the packet's network protocol.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RULE
Data was extracted from msg_s field, it indicates the name of the triggered rule.
RULECOLLECTION
Data was extracted from msg_s field, it indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Data was extracted from msg_s field, it indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Data was extracted from msg_s field, it indicates the packet's source IP address.
SOURCEPORT
Data was extracted from msg_s field, it indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TRANSLATEDIP
Data was extracted from msg_s field, it indicates the original destination IP address of the packet that was replaced by TranslatedIp.
TRANSLATEDPORT
Data was extracted from msg_s field, it indicates the original destination port of the packet that was replaced by TranslatedPort.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
Network rule log: AzureFirewallThreatIntelLog
Contains all Threat Intelligence events.
Note: The Threat Intelligence events is sent to Azure Monitor logs only if you’ve enabled it for each Azure Firewall.
AzureFirewallThreatIntelLog is a value derived from OPERATIONNAME’s value.
SYSTEM
Will base its value on DESTINATIONIP is not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
CATEGORY
Based on Category, this field indicates the log category of the event, AzureFirewallNetworkRule is the fix value for this log type.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
MSG
Based on msg_s, this field contains the information about the DNS query processed by the Firewall.
OPERATIONNAME
Based on OperationName, this field indicates the name of the operation that this event represents, AzureFirewallThreatIntelLog is the fix value for this log type.
ACTION
Data was extracted from msg_s field, it indicates the action taken by the firewall following the Threat Intelligence hit.
DESTINATIONIP
Data was extracted from msg_s field, it indicates the packet's destination IP address.
DESTINATIONPORT
Data was extracted from msg_s field, it indicates the packet's destination port.
FQDN
Data was extracted from msg_s field, it indicates the request's target address in FQDN (Fully qualified Domain Name).
PROTOCOL
Data was extracted from msg_s field, it indicates the packet's network protocol. For example: UDP, TCP.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
SOURCEIP
Data was extracted from msg_s field, it indicates the packet's source IP address.
SOURCEPORT
Data was extracted from msg_s field, it indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TARGETURL
Data was extracted from msg_s field, it indicates the request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
THREATINTEL
Data was extracted from msg_s field, it indicates the description of the Threat that was identified by the firewall.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
DNS proxy log: AzureFirewallDnsProxy
Contains all DNS Proxy events log data and this log tracks DNS messages to a DNS server configured using DNS proxy.
AzureFirewallDnsProxy is a value derived from CATEGORY’s value.
SYSTEM
Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
CATEGORY
Based on Category, this field indicates the log category of the event, AzureFirewallDnsProxy is the fix value for this log type.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
MSG
Based on msg_s, this field contains the information about the DNS query processed by the Firewall.
OPERATIONNAME
Based on OperationName, this field indicates the name of the operation that this event represents, AzureFirewallDnsProxyLog is the fix value for this log type.
PROTOCOL
Data was extracted from msg_s field, it indicates the protocol used to send the DNS query, for example: TCP, UDP
QUERYCLASS
Data was extracted from msg_s field, it indicates the DNS query's query class.
QUERYID
Data was extracted from msg_s field, it indicates the DNS query's query ID.
QUERYNAME
Data was extracted from msg_s field, it indicates the DNS query's name to resolve.
QUERYTYPE
Data was extracted from msg_s field, it indicates the DNS query's query type.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RESPONSECODE
Data was extracted from msg_s field, it indicates the DNS response code.
RESPONSEFLAGS
Data was extracted from msg_s field, it indicates the DNS response flags.
SOURCEIP
Data was extracted from msg_s field, it indicates the DNS query's source IP address.
SOURCEPORT
Data was extracted from msg_s field, it indicates the DNS query's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
Structured logs
Structured logs are a type of log data that are organized in a specific format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze.
Unlike unstructured logs, which consist of free-form text, structured logs have a consistent format that machines can parse and analyze.
Azure Firewall's structured logs provide a more detailed view of firewall events. They include information such as source and destination IP addresses, protocols, port numbers, and action taken by the firewall.
Snare Central supports collection of these structured firewall logs:
Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
AzureAZFWApplicationRule is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
ACTION
Based on Action_s, this field indicates the action taken by the firewall following the Application rule hit.
ACTIONREASON
Based on ActionReason_s, this field indicates that there’s no rule that is triggered for a request, this field contains the reason for the action performed by the firewall.
CATEGORY
Based on Category, this field indicates the log category of the event, AZFWApplicationRule is the fix value for this log type.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the request's destination port.
FQDN
Based on Fqdn_s, this field indicates the request's target address in FQDN (Fully qualified Domain Name).
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
ISEXPLICITPROXYREQUEST
Based on IsExplicitProxyRequest_b, this field will be set to true if the request is received on an explicit proxy port, false otherwise.
ISTLSINSPECTED
Based on IsTlsInspected_b, this field will be set to true if the connection is TLS inspected, false otherwise.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
POLICY
Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Based on Protocol_s, this field indicates the request's network protocol.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RULE
Based on Rule_s, this field indicates the name of the triggered rule.
RULECOLLECTION
Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Based on SourceIP, this field indicates the request's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the request's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
Network rule log: AzureAZFWNetworkRule
Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
Â
Log Structure
Â
Table Fields
Field
Description
Field
Description
TABLE
AzureAZFWNetworkRule is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
ACTION
Based on Action_s, this field indicates the action taken by the firewall following the match with this Network Rule.
ACTIONREASON
Based on ActionReason_s, this field is set when no rule is triggered for a packet, this field contains the reason for the action performed by the firewall.
CATEGORY
Based on Category, this field indicates the log category of the event, AZFWNetworkRule is the fix value for this log type.
DESTINATIONIP
Based on DestinationIp_s, this field indicates the packet's destination IP address.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the packet's destination port.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
POLICY
Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Based on Protocol_s, this field indicates the packet's network protocol.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RULE
Based on Rule_s, this field indicates the name of the triggered rule.
RULECOLLECTION
Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Based on SourceIP, this field indicates the packet's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
NAT rule log: AzureAZFWNetworkRule
Contains all DNAT (Destination Network Address Translation) events log data. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.
Â
Log Structure
Â
Table Fields
Field
Description
Field
Description
TABLE
AzureAZFWNatRule is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
CATEGORY
Based on Category, this field indicates the log category of the event, AZFWNatRule is the fix value for this log type.
DESTINATIONIP
Based on DestinationIp_s, this field indicates the packet's destination IP address.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the packet's destination port.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
POLICY
Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.
PROTOCOL
Based on Protocol_s, this field indicates the packet's network protocol, for example: UDP, TCP.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RULE
Based on Rule_s, this field indicates the name of the triggered rule.
RULECOLLECTION
Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.
RULECOLLECTIONGROUP
Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.
SOURCEIP
Based on SourceIP, this field indicates the packet's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TRANSLATEDIP
Based on TranslatedIp_s, this field indicates the original destination IP address of the packet that was replaced by TranslatedIp.
TRANSLATEDPORT
Based on TranslatedPort_d, this field indicates the original destination port of the packet that was replaced by TranslatedPort.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
DNS proxy log: AzureAZFWDnsQuery
Contains all DNS Proxy events log data.
Â
Log Structure
Â
Table Fields
Field
Description
Field
Description
TABLE
AzureAZFWDnsQuery is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
CATEGORY
Based on Category, this field indicates the log category of the event, AZFWDnsQuery is the fix value for this log type.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
PROTOCOL
Based on Protocol_s, this field indicates the protocol used to send the DNS query, for example: TCP, UDP.
QUERYCLASS
Based on QueryClass_s, this field indicates the DNS query's query class.
QUERYID
Based on QueryId_d, this field indicates the DNS query's query ID.
QUERYNAME
Based on QueryName_s, this field indicates the DNS query's name to resolve.
QUERYTYPE
Based on QueryType_s, this field indicates the DNS query's query type.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
RESPONSECODE
Based on ResponseCode_s, this field indicates the DNS response code.
RESPONSEFLAGS
Based on ResponseFlags_s, this field indicates the DNS response flags, comma separated.
SOURCEIP
Based on SourceIP, this field indicates the DNS query's source IP address.
SOURCEPORT
Based on Category, this field indicates the DNS query's source Port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
Â
Threat Intel log: AzureAZFWThreatIntel
Contains all Threat Intelligence events.
Â
Log Structure
Â
Table Fields
Field
Description
Field
Description
TABLE
AzureAZFWThreatIntel is a value derived from Azure + CATEGORY’s value.
SYSTEM
Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.
DATE
Based on the extracted date value from CreatedDateTime.
TIME
Based on the extracted time value from CreatedDateTime.
DATETIME
Based on the extracted datetime value from CreatedDateTime and formatted usingRFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
COLLECTIONDATETIME
Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.
CATEGORY
Based on Category, this field indicates the log category of the event, AZFWThreatIntel is the fix value for this log type.
INGESTIONTIME
Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.
LOGID
Based on LogId, this field indicates a unique identifier for the record or log.
ACTION
Based on Action_s, this field indicates the action taken by the firewall following the Threat Intelligence hit.
DESTINATIONIP
Based on DestinationIp_s, this field indicates the packet's destination IP address.
DESTINATIONPORT
Based on DestinationPort_d, this field indicates the packet's destination port.
FQDN
Based on Fqdn_s, this field indicates the request's target address in FQDN (Fully qualified Domain Name).
ISTLSINSPECTED
Based on IsTlsInspected_b, this field indicates whether the connection is TLS inspected or not.
PROTOCOL
Based on Protocol_s, this field indicates the packet's network protocol. For example: UDP, TCP.
RESOURCE
Based on Resource, this field indicates the name of the Firewall resource.
RESOURCEGROUP
Based on ResourceGroup, this field indicates the resource group name of the impacted resource.
RESOURCEID
Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.
RESOURCEPROVIDER
Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.
RESOURCETYPE
Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.
SOURCEIP
Based on SourceIP, this field indicates the packet's source IP address.
SOURCEPORT
Based on SourcePort_d, this field indicates the packet's source port.
SOURCESYSTEM
Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.
SUBSCRIPTIONID
Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.
TARGETURL
Based on TargetUrl_s, this field indicates the request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests.
TENANTID
Based on TenantId, this field indicates the Log Analytics workspace ID.
THREATDESCRIPTION
Based on ThreatDescription_s, this field indicates the description of the Threat that was identified by the firewall.
TIMEGENERATED
Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.
TYPE
Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.
WORKSPACEID
A value that was derived from TenantId.
SNAREDATAMAP
All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.