Traffic analytics is built on top of Azure Monitor logs, so you can run custom queries on data decorated by traffic analytics and set alerts.
94
95
95
-
The following table lists the fields in the schema and what they signify.
96
+
### NSG flow logs
96
97
97
-
# [**NSG flow logs**](#tab/nsg)
98
+
The following table lists the fields in the schema and what they signify for NSG flow logs.
98
99
99
100
| Field | Format | Comments |
100
101
| ----- | ------ | -------- |
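Review bot: Replacing the `# [**NSG flow logs**](#tab/nsg)` tab heading with a plain `### NSG flow logs` means the heading level is now interpreted by the normal section hierarchy rather than the tab renderer, so confirm that `###` is the intended depth under the enclosing `##` section. The `---` tab terminator is removed in the final hunk of this change, which is required once the tab headings are gone; keep the two edits together so no orphaned tab syntax remains.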
@@ -115,7 +116,7 @@ The following table lists the fields in the schema and what they signify.
115
116
|**L7Protocol_s**| Protocol Name | Derived from destination port. |
116
117
|**FlowDirection_s**| - I = Inbound <br> - O = Outbound | Direction of the flow: in or out of network security group per flow log. |
117
118
|**FlowStatus_s**| - A = Allowed <br> - D = Denied | Status of flow whether allowed or denied by the network security group per flow log. |
118
-
|**NSGList_s**|\<SUBSCRIPTIONID>\/<RESOURCEGROUP_NAME>\/<NSG_NAME> | Network security group associated with the flow. |
119
+
|**NSGList_s**|\<SUBSCRIPTIONID\>/\<RESOURCEGROUP_NAME\>/\<NSG_NAME\>| Network security group associated with the flow. |
119
120
|**NSGRules_s**|\<Index value 0>\|\<NSG_RULENAME>\|\<Flow Direction>\|\<Flow Status>\|\<FlowCount ProcessedByRule> | Network security group rule that allowed or denied this flow. |
120
121
|**NSGRule_s**| NSG_RULENAME | Network security group rule that allowed or denied this flow. |
121
122
|**NSGRuleType_s**| - User Defined <br> - Default | The type of network security group rule used by the flow. |
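Review bot: The `NSGList_s` row now escapes every angle bracket (`\<SUBSCRIPTIONID\>/\<RESOURCEGROUP_NAME\>/\<NSG_NAME\>`), which is the right fix because an unescaped `<RESOURCEGROUP_NAME>` is parsed as an HTML tag and disappears from the rendered table. The `NSGRules_s` row two lines below still uses the old `\<Index value 0>\|\<NSG_RULENAME>\|...` form with unescaped `>`; apply the same escaping there so the table is consistent.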
@@ -126,23 +127,26 @@ The following table lists the fields in the schema and what they signify.
126
127
|**Region_s**| Azure region of virtual network / network interface / virtual machine that the IP in the flow belongs to. | Applicable only for FlowType = S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow, and UnknownPrivate flow types (flow types where only one side is Azure). |
127
128
|**Region1_s**| Azure Region | Azure region of virtual network / network interface / virtual machine that the source IP in the flow belongs to. |
128
129
|**Region2_s**| Azure Region | Azure region of virtual network that the destination IP in the flow belongs to. |
129
-
|**NIC_s**|\<resourcegroup_Name>\/\<NetworkInterfaceName> | NIC associated with the VM sending or receiving the traffic. |
130
-
|**NIC1_s**| <resourcegroup_Name>/\<NetworkInterfaceName> | NIC associated with the source IP in the flow. |
131
-
|**NIC2_s**| <resourcegroup_Name>/\<NetworkInterfaceName> | NIC associated with the destination IP in the flow. |
132
-
|**VM_s**| <resourcegroup_Name>\/\<NetworkInterfaceName> | Virtual Machine associated with the Network interface NIC_s. |
133
-
|**VM1_s**| <resourcegroup_Name>/\<VirtualMachineName> | Virtual Machine associated with the source IP in the flow. |
134
-
|**VM2_s**| <resourcegroup_Name>/\<VirtualMachineName> | Virtual Machine associated with the destination IP in the flow. |
135
-
|**Subnet_s**| <ResourceGroup_Name>/<VirtualNetwork_Name>/\<SubnetName> | Subnet associated with the NIC_s. |
136
-
|**Subnet1_s**| <ResourceGroup_Name>/<VirtualNetwork_Name>/\<SubnetName> | Subnet associated with the Source IP in the flow. |
137
-
|**Subnet2_s**| <ResourceGroup_Name>/<VirtualNetwork_Name>/\<SubnetName> | Subnet associated with the Destination IP in the flow. |
138
-
|**ApplicationGateway1_s**|\<SubscriptionID>/\<ResourceGroupName>/\<ApplicationGatewayName> | Application gateway associated with the Source IP in the flow. |
139
-
|**ApplicationGateway2_s**|\<SubscriptionID>/\<ResourceGroupName>/\<ApplicationGatewayName> | Application gateway associated with the Destination IP in the flow. |
140
-
|**LoadBalancer1_s**|\<SubscriptionID>/\<ResourceGroupName>/\<LoadBalancerName> | Load balancer associated with the Source IP in the flow. |
141
-
|**LoadBalancer2_s**|\<SubscriptionID>/\<ResourceGroupName>/\<LoadBalancerName> | Load balancer associated with the Destination IP in the flow. |
142
-
|**LocalNetworkGateway1_s**|\<SubscriptionID>/\<ResourceGroupName>/\<LocalNetworkGatewayName> | Local network gateway associated with the Source IP in the flow. |
143
-
|**LocalNetworkGateway2_s**|\<SubscriptionID>/\<ResourceGroupName>/\<LocalNetworkGatewayName> | Local network gateway associated with the Destination IP in the flow. |
144
-
|**ConnectionType_s**| Possible values are VNetPeering, VpnGateway, and ExpressRoute | Connection Type. |
145
-
|**ConnectionName_s**|\<SubscriptionID>/\<ResourceGroupName>/\<ConnectionName> | Connection Name. For flow type P2S, it is formatted as \<gateway name\>_\<VPN Client IP\>. |
130
+
|**NIC_s**|\<resourcegroup_Name\>/\<NetworkInterfaceName\>| NIC associated with the VM sending or receiving the traffic. |
131
+
|**NIC1_s**|\<resourcegroup_Name\>/\<NetworkInterfaceName\>| NIC associated with the source IP in the flow. |
132
+
|**NIC2_s**|\<resourcegroup_Name\>/\<NetworkInterfaceName> | NIC associated with the destination IP in the flow. |
133
+
|**VM_s**|\<resourcegroup_Name\>/\<NetworkInterfaceName\>| Virtual Machine associated with the Network interface NIC_s. |
134
+
|**VM1_s**|\<resourcegroup_Name\>/\<VirtualMachineName\>| Virtual Machine associated with the source IP in the flow. |
135
+
|**VM2_s**|\<resourcegroup_Name\>/\<VirtualMachineName\>| Virtual Machine associated with the destination IP in the flow. |
136
+
|**Subnet_s**|\<ResourceGroup_Name\>/\<VirtualNetwork_Name\>/\<SubnetName\>| Subnet associated with the NIC_s. |
137
+
|**Subnet1_s**|\<ResourceGroup_Name\>/\<VirtualNetwork_Name\>/\<SubnetName\>| Subnet associated with the Source IP in the flow. |
138
+
|**Subnet2_s**|\<ResourceGroup_Name\>/<VirtualNetwork_Name\>/\<SubnetName\>| Subnet associated with the Destination IP in the flow. |
139
+
|**ApplicationGateway1_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ApplicationGatewayName\>| Application gateway associated with the Source IP in the flow. |
140
+
|**ApplicationGateway2_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ApplicationGatewayName\>| Application gateway associated with the Destination IP in the flow. |
141
+
|**ExpressRouteCircuit1**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ExpressRouteCircuitName\>| ExpressRoute circuit ID - when flow is sent from site via ExpressRoute. |
142
+
|**ExpressRouteCircuit2**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ExpressRouteCircuitName\>| ExpressRoute circuit ID - when flow is received from cloud by ExpressRoute. |
143
+
|**ExpressRouteCircuitPeeringType**| - AzurePrivatePeering <br> - AzurePublicPeering <br> - MicrosoftPeering | ExpressRoute peering type involved in the flow. |
144
+
|**LoadBalancer1_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LoadBalancerName\>| Load balancer associated with the Source IP in the flow. |
145
+
|**LoadBalancer2_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LoadBalancerName\>| Load balancer associated with the Destination IP in the flow. |
146
+
|**LocalNetworkGateway1_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LocalNetworkGatewayName\>| Local network gateway associated with the Source IP in the flow. |
147
+
|**LocalNetworkGateway2_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LocalNetworkGatewayName\>| Local network gateway associated with the Destination IP in the flow. |
|**ConnectionName_s**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ConnectionName\>| The connection Name. For flow type P2S, it is formatted as \<gateway name\>_\<VPN Client IP\>. |
146
150
|**ConnectingVNets_s**| Space separated list of virtual network names | In case of hub and spoke topology, hub virtual networks are populated here. |
147
151
|**Country_s**| Two letter country code (ISO 3166-1 alpha-2) | Populated for flow type ExternalPublic. All IP addresses in PublicIPs_s field share the same country code. |
148
152
|**AzureRegion_s**| Azure region locations | Populated for flow type AzurePublic. All IP addresses in PublicIPs_s field share the Azure region. |
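Review bot: The `ConnectionType_s` row (values VNetPeering, VpnGateway, ExpressRoute) is removed and not re-added, which silently drops a documented field; if the column is gone from the schema, say so in the commit description, otherwise restore the row. Two smaller points in the same hunk: the new `ExpressRouteCircuit1`, `ExpressRouteCircuit2` and `ExpressRouteCircuitPeeringType` rows lack the `_s` suffix every other field in this table carries (compare `LoadBalancer1_s`), so verify the names against the actual `AzureNetworkAnalytics_CL` columns; and the escaping is still uneven in `NIC2_s` (`\<NetworkInterfaceName>`) and `Subnet2_s` (`/<VirtualNetwork_Name\>`), which should read `\<NetworkInterfaceName\>` and `/\<VirtualNetwork_Name\>` like the neighbouring rows.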
@@ -159,6 +163,7 @@ The following table lists the fields in the schema and what they signify.
159
163
|**PublicIPs_s**| <PUBLIC_IP>\|\<FLOW_STARTED_COUNT>\|\<FLOW_ENDED_COUNT>\|\<OUTBOUND_PACKETS>\|\<INBOUND_PACKETS>\|\<OUTBOUND_BYTES>\|\<INBOUND_BYTES> | Entries separated by bars. |
160
164
|**SrcPublicIPs_s**| <SOURCE_PUBLIC_IP>\|\<FLOW_STARTED_COUNT>\|\<FLOW_ENDED_COUNT>\|\<OUTBOUND_PACKETS>\|\<INBOUND_PACKETS>\|\<OUTBOUND_BYTES>\|\<INBOUND_BYTES> | Entries separated by bars. |
161
165
|**DestPublicIPs_s**| <DESTINATION_PUBLIC_IP>\|\<FLOW_STARTED_COUNT>\|\<FLOW_ENDED_COUNT>\|\<OUTBOUND_PACKETS>\|\<INBOUND_PACKETS>\|\<OUTBOUND_BYTES>\|\<INBOUND_BYTES> | Entries separated by bars. |
166
+
|**IsFlowCapturedAtUDRHop**| - True <br> - False | If the flow was captured at a UDR hop, the value is True. |
162
167
163
168
> [!IMPORTANT]
164
169
> The traffic analytics schema was updated on August 22, 2019. The new schema provides source and destination IPs separately, removing the need to parse the `FlowDirection` field so that queries are simpler. The updated schema had the following changes:
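Review bot: The new `IsFlowCapturedAtUDRHop` row is added without the `_s` suffix that every other field in this NSG table carries (`PublicIPs_s`, `SrcPublicIPs_s`, `DestPublicIPs_s` directly above it), so confirm the column name as it appears in `AzureNetworkAnalytics_CL` before merging. Also expand the acronym on first use in the Comments cell ("captured at a user-defined route (UDR) hop"), since `UDR` is not defined anywhere in the visible table.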
@@ -167,7 +172,9 @@ The following table lists the fields in the schema and what they signify.
> - New fields: `SrcPublicIPs_s`, `DestPublicIPs_s`, `NSGRule_s`
169
174
170
-
# [**VNet flow logs (preview)**](#tab/vnet)
175
+
### VNet flow logs (preview)
176
+
177
+
The following table lists the fields in the schema and what they signify for VNet flow logs.
171
178
172
179
| Field | Format | Comments |
173
180
| ----- | ------ | -------- |
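Review bot: Two blank lines are inserted between the new `### VNet flow logs (preview)` heading and the intro sentence; one is enough and matches the spacing used after `### NSG flow logs` earlier in this change. As with the NSG heading, check that `###` is the intended depth now that the `#tab/vnet` syntax is gone.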
@@ -190,28 +197,31 @@ The following table lists the fields in the schema and what they signify.
190
197
|**L7Protocol**| Protocol Name | Derived from destination port. |
191
198
|**FlowDirection**| - **I** = Inbound <br> - **O** = Outbound | Direction of the flow: in or out of the network security group per flow log. |
192
199
|**FlowStatus**| - **A** = Allowed <br> - **D** = Denied | Status of flow: allowed or denied by network security group per flow log. |
193
-
|**NSGList**|\<SUBSCRIPTIONID>/<RESOURCEGROUP_NAME>/<NSG_NAME> | Network security group associated with the flow. |
200
+
|**NSGList**|\<SUBSCRIPTIONID\>/\<RESOURCEGROUP_NAME\>/\<NSG_NAME\>| Network security group associated with the flow. |
194
201
|**NSGRule**| NSG_RULENAME | Network security group rule that allowed or denied the flow. |
195
202
|**NSGRuleType**| - User Defined <br> - Default | The type of network security group rule used by the flow. |
196
203
|**MACAddress**| MAC Address | MAC address of the NIC at which the flow was captured. |
197
204
|**SrcSubscription**| Subscription ID | Subscription ID of virtual network / network interface / virtual machine that the source IP in the flow belongs to. |
198
205
|**DestSubscription**| Subscription ID | Subscription ID of virtual network / network interface / virtual machine that the destination IP in the flow belongs to. |
199
206
|**SrcRegion**| Azure Region | Azure region of virtual network / network interface / virtual machine to which the source IP in the flow belongs to. |
200
207
|**DestRegion**| Azure Region | Azure region of virtual network to which the destination IP in the flow belongs to. |
201
-
|**SecNIC**| <resourcegroup_Name>/\<NetworkInterfaceName> | NIC associated with the source IP in the flow. |
202
-
|**DestNIC**| <resourcegroup_Name>/\<NetworkInterfaceName> | NIC associated with the destination IP in the flow. |
203
-
|**SrcVM**| <resourcegroup_Name>/\<VirtualMachineName> | Virtual machine associated with the source IP in the flow. |
204
-
|**DestVM**| <resourcegroup_Name>/\<VirtualMachineName> | Virtual machine associated with the destination IP in the flow. |
205
-
|**SrcSubnet**| <ResourceGroup_Name>/<VirtualNetwork_Name>/\<SubnetName> | Subnet associated with the source IP in the flow. |
206
-
|**DestSubnet**| <ResourceGroup_Name>/<VirtualNetwork_Name>/\<SubnetName> | Subnet associated with the destination IP in the flow. |
207
-
|**SrcApplicationGateway**|\<SubscriptionID>/\<ResourceGroupName>/\<ApplicationGatewayName> | Application gateway associated with the source IP in the flow. |
208
-
|**DestApplicationGateway**|\<SubscriptionID>/\<ResourceGroupName>/\<ApplicationGatewayName> | Application gateway associated with the destination IP in the flow. |
209
-
|**SrcLoadBalancer**|\<SubscriptionID>/\<ResourceGroupName>/\<LoadBalancerName> | Load balancer associated with the source IP in the flow. |
210
-
|**DestLoadBalancer**|\<SubscriptionID>/\<ResourceGroupName>/\<LoadBalancerName> | Load balancer associated with the destination IP in the flow. |
211
-
|**SrcLocalNetworkGateway**|\<SubscriptionID>/\<ResourceGroupName>/\<LocalNetworkGatewayName> | Local network gateway associated with the source IP in the flow. |
212
-
|**DestLocalNetworkGateway**|\<SubscriptionID>/\<ResourceGroupName>/\<LocalNetworkGatewayName> | Local network gateway associated with the destination IP in the flow. |
213
-
|**ConnectionType**| Possible values are VNetPeering, VpnGateway, and ExpressRoute | The connection type. |
214
-
|**ConnectionName**|\<SubscriptionID>/\<ResourceGroupName>/\<ConnectionName> | The connection name. For flow type P2S, it's formatted as \<GatewayName>_\<VPNClientIP> |
208
+
|**SecNIC**|\<resourcegroup_Name\>/\<NetworkInterfaceName\>| NIC associated with the source IP in the flow. |
209
+
|**DestNIC**|\<resourcegroup_Name\>/\<NetworkInterfaceName\>| NIC associated with the destination IP in the flow. |
210
+
|**SrcVM**|\<resourcegroup_Name\>/\<VirtualMachineName\>| Virtual machine associated with the source IP in the flow. |
211
+
|**DestVM**|\<resourcegroup_Name\>/\<VirtualMachineName\>| Virtual machine associated with the destination IP in the flow. |
212
+
|**SrcSubnet**|\<ResourceGroup_Name\>/\<VirtualNetwork_Name\>/\<SubnetName\>| Subnet associated with the source IP in the flow. |
213
+
|**DestSubnet**|\<ResourceGroup_Name\>/\<VirtualNetwork_Name\>/\<SubnetName\>| Subnet associated with the destination IP in the flow. |
214
+
|**SrcApplicationGateway**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ApplicationGatewayName\>| Application gateway associated with the source IP in the flow. |
215
+
|**DestApplicationGateway**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ApplicationGatewayName\>| Application gateway associated with the destination IP in the flow. |
216
+
|**SrcExpressRouteCircuit**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ExpressRouteCircuitName\>| ExpressRoute circuit ID - when flow is sent from site via ExpressRoute. |
217
+
|**DestExpressRouteCircuit**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ExpressRouteCircuitName\>| ExpressRoute circuit ID - when flow is received from cloud by ExpressRoute. |
218
+
|**ExpressRouteCircuitPeeringType**| - AzurePrivatePeering <br> - AzurePublicPeering <br> - MicrosoftPeering | ExpressRoute peering type involved in the flow. |
219
+
|**SrcLoadBalancer**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LoadBalancerName\>| Load balancer associated with the source IP in the flow. |
220
+
|**DestLoadBalancer**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LoadBalancerName\>| Load balancer associated with the destination IP in the flow. |
221
+
|**SrcLocalNetworkGateway**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LocalNetworkGatewayName\>| Local network gateway associated with the source IP in the flow. |
222
+
|**DestLocalNetworkGateway**|\<SubscriptionID\>/\<ResourceGroupName\>/\<LocalNetworkGatewayName\>| Local network gateway associated with the destination IP in the flow. |
|**ConnectionName**|\<SubscriptionID\>/\<ResourceGroupName\>/\<ConnectionName\>| The connection name. For flow type P2S, it's formatted as \<GatewayName>_\<VPNClientIP> |
215
225
|**ConnectingVNets**| Space separated list of virtual network names. | In hub and spoke topology, hub virtual networks are populated here. |
216
226
|**Country**| Two-letter country code (ISO 3166-1 alpha-2) | Populated for flow type ExternalPublic. All IP addresses in PublicIPs field share the same country code. |
217
227
|**AzureRegion**| Azure region locations | Populated for flow type AzurePublic. All IP addresses in PublicIPs field share the Azure region. |
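Review bot: `SecNIC` is carried over unchanged in the rewritten row, but every other source/destination pair in this table is named `Src`/`Dest` (`SrcVM`/`DestVM`, `SrcSubnet`/`DestSubnet`, and `DestNIC` right below it), so this reads as a typo for `SrcNIC`; check the `NTANetAnalytics` column name and correct it while the row is being touched. The same remarks as for the NSG table apply here: `ConnectionType` is removed without replacement, and the `ConnectionName` row still has unescaped `>` in `\<GatewayName>_\<VPNClientIP>`.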
@@ -225,15 +235,14 @@ The following table lists the fields in the schema and what they signify.
225
235
|**BytesDestToSrc**| Represents bytes sent from the destination to the source of the flow | Populated only for the Version 2 of NSG flow log schema. |
226
236
|**BytesSrcToDest**| Represents bytes sent from the source to the destination of the flow | Populated only for the Version 2 of NSG flow log schema. |
227
237
|**CompletedFlows**| - | Populated with nonzero value only for the Version 2 of NSG flow log schema. |
228
-
|**SrcPublicIPs**| <SOURCE_PUBLIC_IP>\|\<FLOW_STARTED_COUNT>\|\<FLOW_ENDED_COUNT>\|\<OUTBOUND_PACKETS>\|\<INBOUND_PACKETS>\|\<OUTBOUND_BYTES>\|\<INBOUND_BYTES> | Entries separated by bars. |
238
+
|**SrcPublicIPs**|\<SOURCE_PUBLIC_IP\>\|\<FLOW_STARTED_COUNT\>\|\<FLOW_ENDED_COUNT\>\|\<OUTBOUND_PACKETS\>\|\<INBOUND_PACKETS\>\|\<OUTBOUND_BYTES\>\|\<INBOUND_BYTES\>| Entries separated by bars. |
229
239
|**DestPublicIPs**| <DESTINATION_PUBLIC_IP>\|\<FLOW_STARTED_COUNT>\|\<FLOW_ENDED_COUNT>\|\<OUTBOUND_PACKETS>\|\<INBOUND_PACKETS>\|\<OUTBOUND_BYTES>\|\<INBOUND_BYTES> | Entries separated by bars. |
230
240
|**FlowEncryption**| - Encrypted <br>- Unencrypted <br>- Unsupported hardware <br>- Software not ready <br>- Drop due to no encryption <br>- Discovery not supported <br>- Destination on same host <br>- Fall back to no encryption. | Encryption level of flows. |
241
+
|**IsFlowCapturedAtUDRHop**| - True <br> - False | If the flow was captured at a UDR hop, the value is True. |
231
242
232
243
> [!NOTE]
233
244
> *NTANetAnalytics* in VNet flow logs replaces *AzureNetworkAnalytics_CL* used in NSG flow logs.
234
245
235
-
---
236
-
237
246
## Public IP details schema
238
247
239
248
Traffic analytics provides WHOIS data and geographic location for all public IPs in your environment. For a malicious IP, traffic analytics provides DNS domain, threat type and thread descriptions as identified by Microsoft security intelligence solutions. IP Details are published to your Log Analytics workspace so you can create custom queries and put alerts on them. You can also access prepopulated queries from the traffic analytics dashboard.
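Review bot: Only the `SrcPublicIPs` row receives the new bracket escaping; `DestPublicIPs` directly below keeps the old `<DESTINATION_PUBLIC_IP>\|\<FLOW_STARTED_COUNT>...` form, where the unescaped leading `<DESTINATION_PUBLIC_IP>` is parsed as an HTML tag and lost from the rendered table, so escape that row the same way (the `PublicIPs_s`, `SrcPublicIPs_s` and `DestPublicIPs_s` rows in the NSG table have the same problem and were not touched). Removing the `---` tab terminator is consistent with dropping the tab headings. Minor, in the unchanged context at the end of the hunk: "thread descriptions" should read "threat descriptions".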