Azure Resource logs: Firewall logs

Overview

2 types of logs can be collected from Azure Firewall:

  • Diagnostic logs (legacy) - Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.

  • Structured logs - Structured logs are a type of log data that are organized in a specific format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze.

 

Diagnostic logs (legacy)

Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.

These log categories use Azure diagnostics mode and, in this mode, all data from any diagnostic setting is collected in the AzureDiagnostics table.

Snare Central supports collection of the ff. Azure Firewall diagnostics logs:

 

Application rule log: AzureFirewallApplicationRule

Contains all Network Rule log data and each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.

Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection.

Note: The Application rule log is saved to an Azure Monitor logs only if you've enabled it for each Azure Firewall.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "QueryId_d",
"type": "real"
},
{
"name": "QueryType_s",
"type": "string"
},
{
"name": "QueryClass_s",
"type": "string"
},
{
"name": "QueryName_s",
"type": "string"
},
{
"name": "RequestSize_d",
"type": "real"
},
{
"name": "DnssecOkBit_b",
"type": "bool"
},
{
"name": "EDNS0BufferSize_d",
"type": "real"
},
{
"name": "ResponseCode_s",
"type": "string"
},
{
"name": "ResponseFlags_s",
"type": "string"
},
{
"name": "ResponseSize_d",
"type": "real"
},
{
"name": "RequestDurationSecs_d",
"type": "real"
},
{
"name": "ErrorNumber_d",
"type": "real"
},
{
"name": "ErrorMessage_s",
"type": "string"
},
{
"name": "Fqdn_s",
"type": "string"
},
{
"name": "TargetUrl_s",
"type": "string"
},
{
"name": "IsTlsInspected_b",
"type": "bool"
},
{
"name": "WebCategory_s",
"type": "string"
},
{
"name": "IsExplicitProxyRequest_b",
"type": "bool"
},
{
"name": "clientIp_s",
"type": "string"
},
{
"name": "ruleSetType_s",
"type": "string"
},
{
"name": "ruleSetVersion_s",
"type": "string"
},
{
"name": "ruleId_s",
"type": "string"
},
{
"name": "ruleGroup_s",
"type": "string"
},
{
"name": "action_s",
"type": "string"
},
{
"name": "details_message_s",
"type": "string"
},
{
"name": "details_data_s",
"type": "string"
},
{
"name": "details_file_s",
"type": "string"
},
{
"name": "details_line_s",
"type": "string"
},
{
"name": "hostname_s",
"type": "string"
},
{
"name": "policyId_s",
"type": "string"
},
{
"name": "policyScope_s",
"type": "string"
},
{
"name": "policyScopeName_s",
"type": "string"
},
{
"name": "engine_s",
"type": "string"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "Action_s",
"type": "string"
},
{
"name": "ActionReason_s",
"type": "string"
},
{
"name": "msg_s",
"type": "string"
},
{
"name": "Protocol_s",
"type": "string"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourcePort_d",
"type": "real"
},
{
"name": "DestinationIp_s",
"type": "string"
},
{
"name": "DestinationPort_d",
"type": "real"
},
{
"name": "TranslatedIp_s",
"type": "string"
},
{
"name": "TranslatedPort_d",
"type": "real"
},
{
"name": "Policy_s",
"type": "string"
},
{
"name": "RuleCollectionGroup_s",
"type": "string"
},
{
"name": "RuleCollection_s",
"type": "string"
},
{
"name": "Rule_s",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "LogType",
"type": "string"
},
{
"name": "Now",
"type": "datetime"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"7457114a-457e-42fe-8901-427f414ddad5",
"2023-09-23T21:12:28.323492Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW-1",
"AzureFirewallApplicationRule",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"TEST-FW-1",
"AZUREFIREWALLS",
"AzureFirewallApplicationRuleLog",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"",
"",
"",
null,
null,
null,
"",
"",
null,
null,
null,
"",
"",
"",
null,
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"HTTPS request from 192.1.1.1:47142 to youtube.com:443. Action: Deny. Policy: test-fw-1-FW-Pol. Rule Collection Group: AppRuleCollectionGrpTest1. Rule Collection: AppRuleDenyCol-1. Rule: deny youtube",
"",
"",
null,
"",
null,
"",
null,
"",
"",
"",
"",
null,
null,
null,
null,
null,
null,
null,
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"fe59232c-2400-415d-8302-8eec4ded140a",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/azurefirewalls/test-fw-1",
"AzureFirewallApplicationRuleLog",
"2023-09-25T06:09:04.0267411Z",
"2023-09-23T21:13:17.4567279Z",
"fe59232c-2400-415d-8302-8eec4ded140a"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureFirewallApplicationRule is a value derived from CATEGORY’s value.

SYSTEM

Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ACTION

Data was extracted from msg_s field, it indicates the action taken by the firewall following the Application rule hit.

ACTIONREASON

Data was extracted from msg_s field, it indicates that there’s no rule that is triggered for a request, this field contains the reason for the action performed by the firewall.

CATEGORY

Based on Category, this field indicates the log category of the event, AzureFirewallApplicationRule is the fix value for this log type.

DESTINATIONPORT

Data was extracted from msg_s field, it indicates the request's destination port.

FQDN

Data was extracted from msg_s field, it indicates the request's target address in FQDN (Fully qualified Domain Name).

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

MSG

Based on msg_s, this field contains the information about the request processed by the Firewall.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents, AzureFirewallApplicationRuleLog is the fix value for this log type.

POLICY

Data was extracted from msg_s field, it indicates the name of the policy in which the triggered rule resides.

PROTOCOL

Data was extracted from msg_s field, it indicates the request's network protocol. For example: HTTP, HTTPS.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RULE

Data was extracted from msg_s field, it indicates the name of the triggered rule.

RULECOLLECTION

Data was extracted from msg_s field, it indicates the name of the rule collection in which the triggered rule resides.

RULECOLLECTIONGROUP

Data was extracted from msg_s field, it indicates the name of the rule collection group in which the triggered rule resides.

SOURCEIP

Data was extracted from msg_s field, it indicates the request's source IP address.

SOURCEPORT

Data was extracted from msg_s field, it indicates the request's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

URL

Data was extracted from msg_s field, and this detail will be available only for HTTP or TLS-inspected HTTPS requests.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Network rule log: AzureFirewallNetworkRule

Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection.

Note: The Network rule log is sent to an Azure Monitor logs only if you've enabled it for each Azure Firewall.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "QueryId_d",
"type": "real"
},
{
"name": "QueryType_s",
"type": "string"
},
{
"name": "QueryClass_s",
"type": "string"
},
{
"name": "QueryName_s",
"type": "string"
},
{
"name": "RequestSize_d",
"type": "real"
},
{
"name": "DnssecOkBit_b",
"type": "bool"
},
{
"name": "EDNS0BufferSize_d",
"type": "real"
},
{
"name": "ResponseCode_s",
"type": "string"
},
{
"name": "ResponseFlags_s",
"type": "string"
},
{
"name": "ResponseSize_d",
"type": "real"
},
{
"name": "RequestDurationSecs_d",
"type": "real"
},
{
"name": "ErrorNumber_d",
"type": "real"
},
{
"name": "ErrorMessage_s",
"type": "string"
},
{
"name": "Fqdn_s",
"type": "string"
},
{
"name": "TargetUrl_s",
"type": "string"
},
{
"name": "IsTlsInspected_b",
"type": "bool"
},
{
"name": "WebCategory_s",
"type": "string"
},
{
"name": "IsExplicitProxyRequest_b",
"type": "bool"
},
{
"name": "clientIp_s",
"type": "string"
},
{
"name": "ruleSetType_s",
"type": "string"
},
{
"name": "ruleSetVersion_s",
"type": "string"
},
{
"name": "ruleId_s",
"type": "string"
},
{
"name": "ruleGroup_s",
"type": "string"
},
{
"name": "action_s",
"type": "string"
},
{
"name": "details_message_s",
"type": "string"
},
{
"name": "details_data_s",
"type": "string"
},
{
"name": "details_file_s",
"type": "string"
},
{
"name": "details_line_s",
"type": "string"
},
{
"name": "hostname_s",
"type": "string"
},
{
"name": "policyId_s",
"type": "string"
},
{
"name": "policyScope_s",
"type": "string"
},
{
"name": "policyScopeName_s",
"type": "string"
},
{
"name": "engine_s",
"type": "string"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "Action_s",
"type": "string"
},
{
"name": "ActionReason_s",
"type": "string"
},
{
"name": "msg_s",
"type": "string"
},
{
"name": "Protocol_s",
"type": "string"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourcePort_d",
"type": "real"
},
{
"name": "DestinationIp_s",
"type": "string"
},
{
"name": "DestinationPort_d",
"type": "real"
},
{
"name": "TranslatedIp_s",
"type": "string"
},
{
"name": "TranslatedPort_d",
"type": "real"
},
{
"name": "Policy_s",
"type": "string"
},
{
"name": "RuleCollectionGroup_s",
"type": "string"
},
{
"name": "RuleCollection_s",
"type": "string"
},
{
"name": "Rule_s",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "LogType",
"type": "string"
},
{
"name": "Now",
"type": "datetime"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"632eee3a-1451-4d38-a588-4ae460067887",
"2023-09-21T10:26:52.102767Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW-1",
"AzureFirewallNetworkRule",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"TEST-FW-1",
"AZUREFIREWALLS",
"AzureFirewallNetworkRuleLog",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"",
"",
"",
null,
null,
null,
"",
"",
null,
null,
null,
"",
"",
"",
null,
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"TCP request from 192.1.1.1:7843 to 1.2.3.4:22. Action: Allow.. Policy: test-fw-1-FW-Pol. Rule Collection Group: DefaultNetworkRuleCollectionGroup. Rule Collection: test-fw-1-net-rule. Rule: Net-ssh",
"",
"",
null,
"",
null,
"",
null,
"",
"",
"",
"",
null,
null,
null,
null,
null,
null,
null,
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"06b31c73-fdb4-4212-891c-716f7d550df2",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/azurefirewalls/test-fw-1",
"AzureFirewallNetworkRuleLog",
"2023-09-28T06:43:00.5289165Z",
"2023-09-21T10:27:19.201126Z",
"06b31c73-fdb4-4212-891c-716f7d550df2"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureFirewallNetworkRule is a value derived from CATEGORY’s value.

SYSTEM

Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ACTION

Data was extracted from msg_s field, it indicates the action taken by the firewall following the match with the Network Rule.
This field is empty if OperationName is AzureFirewallNatRuleLo

CATEGORY

Based on Category, this field indicates the log category of the event, AzureFirewallNetworkRule is the fix value for this log type.

DESTINATIONIP

Data was extracted from msg_s field, it indicates the packet's destination IP address.

DESTINATIONPORT

Data was extracted from msg_s field, it indicates the packet's destination port.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

MSG

Based on msg_s, this field contains the information about the packet processed by the Firewall.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents. Possible values are AzureFirewallNatRuleLog, AzureFirewallNetworkRuleLog or AzureFirewallThreatIntelLog.

POLICY

Data was extracted from msg_s field, it indicates the name of the policy in which the triggered rule resides.

PROTOCOL

Data was extracted from msg_s field, it indicates the packet's network protocol.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RULE

Data was extracted from msg_s field, it indicates the name of the triggered rule.

RULECOLLECTION

Data was extracted from msg_s field, it indicates the name of the rule collection in which the triggered rule resides.

RULECOLLECTIONGROUP

Data was extracted from msg_s field, it indicates the name of the rule collection group in which the triggered rule resides.

SOURCEIP

Data was extracted from msg_s field, it indicates the packet's source IP address.

SOURCEPORT

Data was extracted from msg_s field, it indicates the packet's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TRANSLATEDIP

Data was extracted from msg_s field, it indicates the original destination IP address of the packet that was replaced by TranslatedIp.

TRANSLATEDPORT

Data was extracted from msg_s field, it indicates the original destination port of the packet that was replaced by TranslatedPort.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Network rule log: AzureFirewallThreatIntelLog

Contains all Threat Intelligence events.

Note: The Threat Intelligence events is sent to Azure Monitor logs only if you’ve enabled it for each Azure Firewall.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "contentType_s",
"type": "string"
},
{
"name": "error_info_s",
"type": "string"
},
{
"name": "Url_s",
"type": "string"
},
{
"name": "ThreatDescription_s",
"type": "string"
},
{
"name": "connectionSerialNumber_d",
"type": "real"
},
{
"name": "noOfConnectionRequests_d",
"type": "real"
},
{
"name": "QueryId_d",
"type": "real"
},
{
"name": "QueryType_s",
"type": "string"
},
{
"name": "QueryClass_s",
"type": "string"
},
{
"name": "QueryName_s",
"type": "string"
},
{
"name": "RequestSize_d",
"type": "real"
},
{
"name": "DnssecOkBit_b",
"type": "bool"
},
{
"name": "EDNS0BufferSize_d",
"type": "real"
},
{
"name": "ResponseCode_s",
"type": "string"
},
{
"name": "ResponseFlags_s",
"type": "string"
},
{
"name": "ResponseSize_d",
"type": "real"
},
{
"name": "RequestDurationSecs_d",
"type": "real"
},
{
"name": "ErrorNumber_d",
"type": "real"
},
{
"name": "ErrorMessage_s",
"type": "string"
},
{
"name": "Fqdn_s",
"type": "string"
},
{
"name": "TargetUrl_s",
"type": "string"
},
{
"name": "IsTlsInspected_b",
"type": "bool"
},
{
"name": "WebCategory_s",
"type": "string"
},
{
"name": "IsExplicitProxyRequest_b",
"type": "bool"
},
{
"name": "clientIp_s",
"type": "string"
},
{
"name": "ruleSetType_s",
"type": "string"
},
{
"name": "ruleSetVersion_s",
"type": "string"
},
{
"name": "ruleId_s",
"type": "string"
},
{
"name": "ruleGroup_s",
"type": "string"
},
{
"name": "action_s",
"type": "string"
},
{
"name": "details_message_s",
"type": "string"
},
{
"name": "details_data_s",
"type": "string"
},
{
"name": "details_file_s",
"type": "string"
},
{
"name": "details_line_s",
"type": "string"
},
{
"name": "hostname_s",
"type": "string"
},
{
"name": "policyId_s",
"type": "string"
},
{
"name": "policyScope_s",
"type": "string"
},
{
"name": "policyScopeName_s",
"type": "string"
},
{
"name": "engine_s",
"type": "string"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "Action_s",
"type": "string"
},
{
"name": "ActionReason_s",
"type": "string"
},
{
"name": "msg_s",
"type": "string"
},
{
"name": "Protocol_s",
"type": "string"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourcePort_d",
"type": "real"
},
{
"name": "DestinationIp_s",
"type": "string"
},
{
"name": "DestinationPort_d",
"type": "real"
},
{
"name": "TranslatedIp_s",
"type": "string"
},
{
"name": "TranslatedPort_d",
"type": "real"
},
{
"name": "Policy_s",
"type": "string"
},
{
"name": "RuleCollectionGroup_s",
"type": "string"
},
{
"name": "RuleCollection_s",
"type": "string"
},
{
"name": "Rule_s",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "Now",
"type": "datetime"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"46bbecfb-5195-4842-8e59-3c7e22f17f50",
"2024-03-06T07:29:26.383192Z",
"/SUBSCRIPTIONS/8F943978-0029-42F7-8374-D5EDFD109DEB/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/DEMO-FW-1",
"AzureFirewallNetworkRule",
"TEST",
"8f943978-0029-42f7-8374-d5edfd109deb",
"MICROSOFT.NETWORK",
"DEMO-FW-1",
"AZUREFIREWALLS",
"AzureFirewallThreatIntelLog",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
null,
null,
null,
"",
"",
null,
null,
null,
"",
"",
"",
null,
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"TCP request from 127.0.0.1:8080 to 192.168.1.1:80. Action: Alert. TargetUrl: https://www.microsoft.com/en-us/about. Fqdn: www.microsoft.com. ThreatIntel: Destination reported by Threat Intelligence",
"",
"",
null,
"",
null,
"",
null,
"",
"",
"",
"",
null,
null,
null,
null,
null,
null,
null,
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"27894c96-855a-489a-90ca-46ece09bec3e",
"/subscriptions/8f943978-0029-42f7-8374-d5edfd109deb/resourcegroups/test/providers/microsoft.network/azurefirewalls/demo-fw-1",
"2024-03-06T07:44:16.2523115Z",
"2024-03-06T07:30:23.1758251Z",
"27894c96-855a-489a-90ca-46ece09bec3e"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureFirewallThreatIntelLog is a value derived from OPERATIONNAME’s value.

SYSTEM

Will base its value on DESTINATIONIP is not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event, AzureFirewallNetworkRule is the fix value for this log type.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

MSG

Based on msg_s, this field contains the information about the DNS query processed by the Firewall.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents, AzureFirewallThreatIntelLog is the fix value for this log type.

ACTION

Data was extracted from msg_s field, it indicates the action taken by the firewall following the Threat Intelligence hit.

DESTINATIONIP

Data was extracted from msg_s field, it indicates the packet's destination IP address.

DESTINATIONPORT

Data was extracted from msg_s field, it indicates the packet's destination port.

FQDN

Data was extracted from msg_s field, it indicates the request's target address in FQDN (Fully qualified Domain Name).

PROTOCOL

Data was extracted from msg_s field, it indicates the packet's network protocol. For example: UDP, TCP.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

SOURCEIP

Data was extracted from msg_s field, it indicates the packet's source IP address.

SOURCEPORT

Data was extracted from msg_s field, it indicates the packet's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TARGETURL

Data was extracted from msg_s field, it indicates the request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

THREATINTEL

Data was extracted from msg_s field, it indicates the description of the Threat that was identified by the firewall.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

DNS proxy log: AzureFirewallDnsProxy

Contains all DNS Proxy events log data and this log tracks DNS messages to a DNS server configured using DNS proxy.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "QueryId_d",
"type": "real"
},
{
"name": "QueryType_s",
"type": "string"
},
{
"name": "QueryClass_s",
"type": "string"
},
{
"name": "QueryName_s",
"type": "string"
},
{
"name": "RequestSize_d",
"type": "real"
},
{
"name": "DnssecOkBit_b",
"type": "bool"
},
{
"name": "EDNS0BufferSize_d",
"type": "real"
},
{
"name": "ResponseCode_s",
"type": "string"
},
{
"name": "ResponseFlags_s",
"type": "string"
},
{
"name": "ResponseSize_d",
"type": "real"
},
{
"name": "RequestDurationSecs_d",
"type": "real"
},
{
"name": "ErrorNumber_d",
"type": "real"
},
{
"name": "ErrorMessage_s",
"type": "string"
},
{
"name": "Fqdn_s",
"type": "string"
},
{
"name": "TargetUrl_s",
"type": "string"
},
{
"name": "IsTlsInspected_b",
"type": "bool"
},
{
"name": "WebCategory_s",
"type": "string"
},
{
"name": "IsExplicitProxyRequest_b",
"type": "bool"
},
{
"name": "clientIp_s",
"type": "string"
},
{
"name": "ruleSetType_s",
"type": "string"
},
{
"name": "ruleSetVersion_s",
"type": "string"
},
{
"name": "ruleId_s",
"type": "string"
},
{
"name": "ruleGroup_s",
"type": "string"
},
{
"name": "action_s",
"type": "string"
},
{
"name": "details_message_s",
"type": "string"
},
{
"name": "details_data_s",
"type": "string"
},
{
"name": "details_file_s",
"type": "string"
},
{
"name": "details_line_s",
"type": "string"
},
{
"name": "hostname_s",
"type": "string"
},
{
"name": "policyId_s",
"type": "string"
},
{
"name": "policyScope_s",
"type": "string"
},
{
"name": "policyScopeName_s",
"type": "string"
},
{
"name": "engine_s",
"type": "string"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "Action_s",
"type": "string"
},
{
"name": "ActionReason_s",
"type": "string"
},
{
"name": "msg_s",
"type": "string"
},
{
"name": "Protocol_s",
"type": "string"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourcePort_d",
"type": "real"
},
{
"name": "DestinationIp_s",
"type": "string"
},
{
"name": "DestinationPort_d",
"type": "real"
},
{
"name": "TranslatedIp_s",
"type": "string"
},
{
"name": "TranslatedPort_d",
"type": "real"
},
{
"name": "Policy_s",
"type": "string"
},
{
"name": "RuleCollectionGroup_s",
"type": "string"
},
{
"name": "RuleCollection_s",
"type": "string"
},
{
"name": "Rule_s",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "LogType",
"type": "string"
},
{
"name": "Now",
"type": "datetime"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"9def7ef1-3da3-4471-9f5f-854c0b245d13",
"2023-09-22T07:11:12.664872Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW-1",
"AzureFirewallDnsProxy",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"TEST-FW-1",
"AZUREFIREWALLS",
"AzureFirewallDnsProxyLog",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"",
"",
"",
null,
null,
null,
"",
"",
null,
null,
null,
"",
"",
"",
null,
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"DNS Request: 192.1.1.1:5528 - 14180 A IN adservice.google.com. udp 38 false 512 NOERROR qr,rd,ra 74 0.008398524s",
"",
"",
null,
"",
null,
"",
null,
"",
"",
"",
"",
null,
null,
null,
null,
null,
null,
null,
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"dd7d2ccd-2b65-4567-b172-647351099737",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/azurefirewalls/test-fw-1",
"AzureFirewallDnsProxyLog",
"2023-09-25T08:12:03.1839571Z",
"2023-09-22T07:12:20.9428256Z",
"dd7d2ccd-2b65-4567-b172-647351099737"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureFirewallDnsProxy is a value derived from CATEGORY’s value.

SYSTEM

Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event, AzureFirewallDnsProxy is the fix value for this log type.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

MSG

Based on msg_s, this field contains the information about the DNS query processed by the Firewall.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents, AzureFirewallDnsProxyLog is the fix value for this log type.

PROTOCOL

Data was extracted from msg_s field, it indicates the protocol used to send the DNS query, for example: TCP, UDP

QUERYCLASS

Data was extracted from msg_s field, it indicates the DNS query's query class.

QUERYID

Data was extracted from msg_s field, it indicates the DNS query's query ID.

QUERYNAME

Data was extracted from msg_s field, it indicates the DNS query's name to resolve.

QUERYTYPE

Data was extracted from msg_s field, it indicates the DNS query's query type.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RESPONSECODE

Data was extracted from msg_s field, it indicates the DNS response code.

RESPONSEFLAGS

Data was extracted from msg_s field, it indicates the DNS response flags.

SOURCEIP

Data was extracted from msg_s field, it indicates the DNS query's source IP address.

SOURCEPORT

Data was extracted from msg_s field, it indicates the DNS query's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Structured logs

Structured logs are a type of log data that are organized in a specific format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze.

Unlike unstructured logs, which consist of free-form text, structured logs have a consistent format that machines can parse and analyze.

Azure Firewall's structured logs provide a more detailed view of firewall events. They include information such as source and destination IP addresses, protocols, port numbers, and action taken by the firewall.

Snare Central supports collection of these structured firewall logs:

 

Application rule log: AzureAZFWApplicationRule

Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "QueryId_d",
"type": "real"
},
{
"name": "QueryType_s",
"type": "string"
},
{
"name": "QueryClass_s",
"type": "string"
},
{
"name": "QueryName_s",
"type": "string"
},
{
"name": "RequestSize_d",
"type": "real"
},
{
"name": "DnssecOkBit_b",
"type": "bool"
},
{
"name": "EDNS0BufferSize_d",
"type": "real"
},
{
"name": "ResponseCode_s",
"type": "string"
},
{
"name": "ResponseFlags_s",
"type": "string"
},
{
"name": "ResponseSize_d",
"type": "real"
},
{
"name": "RequestDurationSecs_d",
"type": "real"
},
{
"name": "ErrorNumber_d",
"type": "real"
},
{
"name": "ErrorMessage_s",
"type": "string"
},
{
"name": "Fqdn_s",
"type": "string"
},
{
"name": "TargetUrl_s",
"type": "string"
},
{
"name": "IsTlsInspected_b",
"type": "bool"
},
{
"name": "WebCategory_s",
"type": "string"
},
{
"name": "IsExplicitProxyRequest_b",
"type": "bool"
},
{
"name": "clientIp_s",
"type": "string"
},
{
"name": "ruleSetType_s",
"type": "string"
},
{
"name": "ruleSetVersion_s",
"type": "string"
},
{
"name": "ruleId_s",
"type": "string"
},
{
"name": "ruleGroup_s",
"type": "string"
},
{
"name": "action_s",
"type": "string"
},
{
"name": "details_message_s",
"type": "string"
},
{
"name": "details_data_s",
"type": "string"
},
{
"name": "details_file_s",
"type": "string"
},
{
"name": "details_line_s",
"type": "string"
},
{
"name": "hostname_s",
"type": "string"
},
{
"name": "policyId_s",
"type": "string"
},
{
"name": "policyScope_s",
"type": "string"
},
{
"name": "policyScopeName_s",
"type": "string"
},
{
"name": "engine_s",
"type": "string"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "Action_s",
"type": "string"
},
{
"name": "ActionReason_s",
"type": "string"
},
{
"name": "msg_s",
"type": "string"
},
{
"name": "Protocol_s",
"type": "string"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourcePort_d",
"type": "real"
},
{
"name": "DestinationIp_s",
"type": "string"
},
{
"name": "DestinationPort_d",
"type": "real"
},
{
"name": "TranslatedIp_s",
"type": "string"
},
{
"name": "TranslatedPort_d",
"type": "real"
},
{
"name": "Policy_s",
"type": "string"
},
{
"name": "RuleCollectionGroup_s",
"type": "string"
},
{
"name": "RuleCollection_s",
"type": "string"
},
{
"name": "Rule_s",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "LogType",
"type": "string"
},
{
"name": "Now",
"type": "datetime"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"766904ce-39ee-403f-a25d-6f1a0a42ab4f",
"2023-09-22T07:30:24.116032Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/TEST-FW-1",
"AZFWApplicationRule",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"TEST-FW-1",
"AZUREFIREWALLS",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"",
"",
"",
null,
null,
null,
"",
"",
null,
null,
null,
"",
"www.google.com",
"",
false,
"",
false,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"Allow",
"",
"",
"HTTPS",
"1.2.3.4",
56148,
"",
443,
"",
null,
"test-fw-1-FW-Pol",
"DefaultApplicationRuleCollectionGroup",
"test-fw-1-app-rule",
"app-web",
null,
null,
null,
null,
null,
null,
null,
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"ba003f46-d508-4170-9be8-8603af3d233d",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/azurefirewalls/test-fw-1",
"",
"2023-10-02T02:10:29.2656432Z",
"2023-09-22T07:31:15.6215941Z",
"ba003f46-d508-4170-9be8-8603af3d233d"
]
]
}
]
}

 

Table Fields

Field

Description

Field

Description

TABLE

AzureAZFWApplicationRule is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ACTION

Based on Action_s, this field indicates the action taken by the firewall following the Application rule hit.

ACTIONREASON

Based on ActionReason_s, this field indicates that there’s no rule that is triggered for a request, this field contains the reason for the action performed by the firewall.

CATEGORY

Based on Category, this field indicates the log category of the event, AZFWApplicationRule is the fix value for this log type.

DESTINATIONPORT

Based on DestinationPort_d, this field indicates the request's destination port.

FQDN

Based on Fqdn_s, this field indicates the request's target address in FQDN (Fully qualified Domain Name).

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

ISEXPLICITPROXYREQUEST

Based on IsExplicitProxyRequest_b, this field will be set to true if the request is received on an explicit proxy port, false otherwise.

ISTLSINSPECTED

Based on IsTlsInspected_b, this field will be set to true if the connection is TLS inspected, false otherwise.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

POLICY

Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.

PROTOCOL

Based on Protocol_s, this field indicates the request's network protocol.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RULE

Based on Rule_s, this field indicates the name of the triggered rule.

RULECOLLECTION

Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.

RULECOLLECTIONGROUP

Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.

SOURCEIP

Based on SourceIP, this field indicates the request's source IP address.

SOURCEPORT

Based on SourcePort_d, this field indicates the request's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Network rule log: AzureAZFWNetworkRule

Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.

 

Log Structure

 

Table Fields

Field

Description

Field

Description

TABLE

AzureAZFWNetworkRule is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

ACTION

Based on Action_s, this field indicates the action taken by the firewall following the match with this Network Rule.

ACTIONREASON

Based on ActionReason_s, this field is set when no rule is triggered for a packet, this field contains the reason for the action performed by the firewall.

CATEGORY

Based on Category, this field indicates the log category of the event, AZFWNetworkRule is the fix value for this log type.

DESTINATIONIP

Based on DestinationIp_s, this field indicates the packet's destination IP address.

DESTINATIONPORT

Based on DestinationPort_d, this field indicates the packet's destination port.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

POLICY

Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.

PROTOCOL

Based on Protocol_s, this field indicates the packet's network protocol.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RULE

Based on Rule_s, this field indicates the name of the triggered rule.

RULECOLLECTION

Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.

RULECOLLECTIONGROUP

Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.

SOURCEIP

Based on SourceIP, this field indicates the packet's source IP address.

SOURCEPORT

Based on SourcePort_d, this field indicates the packet's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

NAT rule log: AzureAZFWNetworkRule

Contains all DNAT (Destination Network Address Translation) events log data. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.

 

Log Structure

 

Table Fields

Field

Description

Field

Description

TABLE

AzureAZFWNatRule is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event, AZFWNatRule is the fix value for this log type.

DESTINATIONIP

Based on DestinationIp_s, this field indicates the packet's destination IP address.

DESTINATIONPORT

Based on DestinationPort_d, this field indicates the packet's destination port.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

POLICY

Based on Policy_s, this field indicates the name of the policy in which the triggered rule resides.

PROTOCOL

Based on Protocol_s, this field indicates the packet's network protocol, for example: UDP, TCP.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RULE

Based on Rule_s, this field indicates the name of the triggered rule.

RULECOLLECTION

Based on RuleCollection_s, this field indicates the name of the rule collection in which the triggered rule resides.

RULECOLLECTIONGROUP

Based on RuleCollectionGroup_s, this field indicates the name of the rule collection group in which the triggered rule resides.

SOURCEIP

Based on SourceIP, this field indicates the packet's source IP address.

SOURCEPORT

Based on SourcePort_d, this field indicates the packet's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TRANSLATEDIP

Based on TranslatedIp_s, this field indicates the original destination IP address of the packet that was replaced by TranslatedIp.

TRANSLATEDPORT

Based on TranslatedPort_d, this field indicates the original destination port of the packet that was replaced by TranslatedPort.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

DNS proxy log: AzureAZFWDnsQuery

Contains all DNS Proxy events log data.

 

Log Structure

 

Table Fields

Field

Description

Field

Description

TABLE

AzureAZFWDnsQuery is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on SOURCEIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event, AZFWDnsQuery is the fix value for this log type.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

PROTOCOL

Based on Protocol_s, this field indicates the protocol used to send the DNS query, for example: TCP, UDP.

QUERYCLASS

Based on QueryClass_s, this field indicates the DNS query's query class.

QUERYID

Based on QueryId_d, this field indicates the DNS query's query ID.

QUERYNAME

Based on QueryName_s, this field indicates the DNS query's name to resolve.

QUERYTYPE

Based on QueryType_s, this field indicates the DNS query's query type.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

RESPONSECODE

Based on ResponseCode_s, this field indicates the DNS response code.

RESPONSEFLAGS

Based on ResponseFlags_s, this field indicates the DNS response flags, comma separated.

SOURCEIP

Based on SourceIP, this field indicates the DNS query's source IP address.

SOURCEPORT

Based on Category, this field indicates the DNS query's source Port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Threat Intel log: AzureAZFWThreatIntel

Contains all Threat Intelligence events.

 

Log Structure

 

Table Fields

Field

Description

Field

Description

TABLE

AzureAZFWThreatIntel is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on DESTINATIONIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event, AZFWThreatIntel is the fix value for this log type.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

ACTION

Based on Action_s, this field indicates the action taken by the firewall following the Threat Intelligence hit.

DESTINATIONIP

Based on DestinationIp_s, this field indicates the packet's destination IP address.

DESTINATIONPORT

Based on DestinationPort_d, this field indicates the packet's destination port.

FQDN

Based on Fqdn_s, this field indicates the request's target address in FQDN (Fully qualified Domain Name).

ISTLSINSPECTED

Based on IsTlsInspected_b, this field indicates whether the connection is TLS inspected or not.

PROTOCOL

Based on Protocol_s, this field indicates the packet's network protocol. For example: UDP, TCP.

RESOURCE

Based on Resource, this field indicates the name of the Firewall resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource, AZUREFIREWALLS is the fix value for all Azure Firewall logs.

SOURCEIP

Based on SourceIP, this field indicates the packet's source IP address.

SOURCEPORT

Based on SourcePort_d, this field indicates the packet's source port.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as fix value for all log types under AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TARGETURL

Based on TargetUrl_s, this field indicates the request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

THREATDESCRIPTION

Based on ThreatDescription_s, this field indicates the description of the Threat that was identified by the firewall.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event.

TYPE

Based on Type, this field indicates the name of the table, AzureDiagnostics is the fix value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Notes

https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs

https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics

https://learn.microsoft.com/en-us/azure/firewall/diagnostic-logs

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwapplicationrule

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwnetworkrule

Azure Monitor Logs reference - AZFWNatRule - Azure Monitor

Azure Monitor Logs reference - AZFWDnsQuery - Azure Monitor

Azure Monitor Logs reference - AZFWThreatIntel - Azure Monitor