Overview
A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.
When you enable logging for an NSG, you can gather the following types of resource log:
Event log: Entries are logged for which NSG rules are applied to virtual machines, based on MAC address.
Rule counter log: Contains entries for how many times each NSG rule is applied to allow or deny traffic.
Azure NSG Group Event: AzureNetworkSecurityGroupEvent
The event log contains information about which NSG rules are applied to virtual machines, based on MAC address and the following information is logged for each event.
Log Structure
Sample of NetworkSecurityGroupEvents from API (in JSON format)
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"3c17ed1c-6996-4e21-9d0f-8785b9245551",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/EFAF3341-8916-416E-8D3C-37AB9DC5D4F7/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupEvent",
"TEST",
"efaf3341-8916-416e-8d3c-37ab9dc5d4f7",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupEvents",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"6de438b4-8f8f-4541-9417-49580902a016",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"e30d725c-10d8-4b65-862f-11fb5a93f148",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"0-65535",
65000,
"0-65535",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"768e99d0-9862-4c29-acce-5db965680101",
"/subscriptions/efaf3341-8916-416e-8d3c-37ab9dc5d4f7/resourcegroups/test/providers/microsoft.network/networksecuritygroups/NSG-1",
"2023-06-20T00:52:37.530055Z",
"768e99d0-9862-4c29-acce-5db965680101"
]
]
}
]
}
Table Fields
Field | Description |
---|
TABLE | AzureNetworkSecurityGroupEvent was a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on PRIMARYIPV4ADDRESS is not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | The datetime value when the log was collected from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
ADDITIONALFIELDS | Based on AdditionalFields, where this field contains the data is added to a dynamic property bag column. |
ACTIONTYPE | Based on type_s, where this field indicates the action done, either allow or deny, as specified in the rule. |
CATEGORY | Based on Category, where this field indicates the log category of the event, NetworkSecurityGroupEvent is the fix value for this log type. |
CONDITIONSDESTINATIONIP | Based on conditions_destinationIP_s, where this field indicates the value of destination IP addresses ranges, as specified in the rule. |
CONDITIONSDESTINATIONPORTRANGE | Based on conditions_destinationPortRange_s, where this field indicates the value of destination port ranges, as specified in the rule. |
CONDITIONSSOURCEIP | Based on conditions_sourceIP_s, where this field indicates the value of source IP addresses/CIDR ranges, as specified in the rule. |
CONDITIONSSOURCEPORTRANGE | Based on conditions_sourcePortRange_s, where this field indicates the value of source port ranges, as specified in the rule. |
CONDITIONSPROTOCOLS | Based on conditions_protocols_s, where this field indicates the value of protocol, as specified in the rule. |
DIRECTION | Based on direction_s, where this field indicates the request direction either In or Out, as specified in the rule. |
INGESTIONTIME | Based on IngestionTime, where this field indicates the datetime value specifying the approximate time of ingestion into an Azure table. |
LOGID | Based on LogId, where this field indicates a unique identifier for the record or log. |
MACADDRESS | Based on macAddress_s, where this field indicates the MAC address of the VM associated with the NSG resource. |
OPERATIONNAME | Based on OperationName, where this field indicates the name of the operation that this event represents, NetworkSecurityGroupEvents is the fix value for this log type. |
PRIMARYIPV4ADDRESS | Based on primaryIPv4Address_s, where this field indicates the private IP address of the VM associated with the NSG resource. |
PRIORITY | Based on priority_d, where this field indicates the priority of the rule set and configured on the NSG resource. |
RESOURCE | Based on Resource, where this field indicates the name of the impacted resource. If Resource is empty, will use the value from Properties.resource as its value. |
RESOURCEGROUP | Based on ResourceGroup, where this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, where this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, where this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type. |
RESOURCETYPE | Based on ResourceType, where this field indicates the type of the impacted resource, NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs. |
RULENAME | Based on ruleName_s, where this field indicates the rule name set and configured on the NSG resource. |
SOURCESYSTEM | Based on SourceSystem, where this field contains Azure as fix value for all log types under AzureDiagnostics table. |
SUBNETPREFIX | Based on subnetPrefix_s, where this field indicates the subnet of the VM associated with the NSG resource. |
SUBSCRIPTIONID | Based on SubscriptionId, where this field indicates the subscription ID of the impacted resource. |
SYSTEMID | Based on systemId_g, where this field indicates the system ID of the network security group. |
TENANTID | Based on TenantId, where this field indicates the Log Analytics workspace ID. |
TIMEGENERATED | Based on TimeGenerated, where this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event. |
TYPE | Based on Type, where this field indicates the name of the table, AzureDiagnostics is the fix value for this log type. |
VNETRESOURCEGUID | Based on vnetResourceGuid_g, where this field indicates the virtual network ID of the VM associated with the NSG resource. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
Azure NSG Group Rule Counter: AzureNetworkSecurityGroupRuleCounter
The rule counter log contains information about each rule applied to resources.
The status for these rules is collected every 300 seconds.
Log Structure
Sample of NetworkSecurityGroupRuleCounter from API (in JSON format)
{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"a4888c77-0dc5-4d98-863f-0f96c7ede660",
"2023-06-20T00:47:14.399Z",
"/SUBSCRIPTIONS/708DEF1D-655D-42EE-BB93-A82FF1584A98/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-1",
"NetworkSecurityGroupRuleCounter",
"TEST",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"MICROSOFT.NETWORK",
"NSG-1",
"NETWORKSECURITYGROUPS",
"NetworkSecurityGroupCounters",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"DefaultRule_AllowVnetOutBound",
"",
"97d097c1-23a4-4c56-8a06-88f0178851fc",
null,
"",
"",
"",
"allow",
"",
"60-45-BD-40-53-2E",
"964f299a-1ed9-463c-bcc5-d6849b28cac5",
"Out",
"1.2.3.0/24",
"1.2.3.4",
"",
null,
"",
"",
"",
"",
"",
0,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"a611ada7-9691-4920-b162-090aaa499d7b",
"/subscriptions/708def1d-655d-42ee-bb93-a82ff1584a98/resourcegroups/test/providers/microsoft.network/networksecuritygroups/snaretestvm1-nsg",
"2023-06-20T00:51:40.6057254Z",
"a611ada7-9691-4920-b162-090aaa499d7b"
]
]
}
]
}
Table Fields
Field | Description |
---|
TABLE | AzureNetworkSecurityGroupCounters was a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on PRIMARYIPV4ADDRESS is not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | The datetime value when the log was collected from the API and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
ADDITIONALFIELDS | Based on AdditionalFields, where this field contains the data is added to a dynamic property bag column. |
ACTIONTYPE | Based on type_s, where this field indicates the action done, either allow or deny, as specified in the rule. |
CATEGORY | Based on Category, where this field indicates the log category of the event, NetworkSecurityGroupRuleCounter is the fix value for this log type. |
DIRECTION | Based on direction_s, where this field indicates the request direction either In or Out, as specified in the rule. |
INGESTIONTIME | Based on IngestionTime, where this field indicates the datetime value specifying the approximate time of ingestion into an Azure table. |
LOGID | Based on LogId, where this field indicates a unique identifier for the record or log. |
MACADDRESS | Based on macAddress_s, where this field indicates the MAC address of the VM associated with the NSG resource. |
MATCHEDCONNECTIONS | Based on matchedConnections_d, there’s no available documentation for this field. |
OPERATIONNAME | Based on OperationName, where this field indicates the name of the operation that this event represents, NetworkSecurityGroupCounters is the fix value for this log type. |
PRIMARYIPV4ADDRESS | Based on primaryIPv4Address_s, where this field indicates the private IP address of the VM associated with the NSG resource. |
RESOURCE | Based on Resource, where this field indicates the name of the impacted resource. If Resource is empty, will use the value from Properties.resource as its value. |
RESOURCEGROUP | Based on ResourceGroup, where this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, where this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, where this field indicates the Id of the resource provider for the impacted resource, MICROSOFT.NETWORK is the fix value for this log type. |
RESOURCETYPE | Based on ResourceType, where this field indicates the type of the impacted resource, NETWORKSECURITYGROUPS is the fix value for all Azure NSG logs. |
RULENAME | Based on ruleName_s, where this field indicates the rule name set and configured on the NSG resource. |
SOURCESYSTEM | Based on SourceSystem, where this field contains Azure as fix value for all log types under AzureDiagnostics table. |
SUBNETPREFIX | Based on subnetPrefix_s, where this field indicates the subnet of the VM associated with the NSG resource. |
SUBSCRIPTIONID | Based on SubscriptionId, where this field indicates the subscription ID of the impacted resource. |
SYSTEMID | Based on systemId_g, where this field indicates the system ID of the network security group. |
TENANTID | Based on TenantId, where this field indicates the Log Analytics workspace ID. |
TIMEGENERATED | Based on TimeGenerated, where this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding the event. |
TYPE | Based on Type, where this field indicates the name of the table, AzureDiagnostics is the fix value for this log type. |
VNETRESOURCEGUID | Based on vnetResourceGuid_g, where this field indicates the virtual network ID of the VM associated with the NSG resource. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
Notes
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics