Merge pull request #106753 from damendo/master

PMEds28 · web-flow · commit 44f00147a8bc · 2020-03-10T10:13:48.000Z
Inital TA schema
diff --git a/articles/network-watcher/toc.yml b/articles/network-watcher/toc.yml
@@ -118,6 +118,8 @@
           href: traffic-analytics-faq.md
         - name: Schema and Data Aggregation
           href: traffic-analytics-schema.md
+        - name: Schema update (August 2019)
+          href: traffic-analytics-schema-update.md
       - name: Use Power BI
         href: network-watcher-visualize-nsg-flow-logs-power-bi.md
       - name: Use Elastic Stack
diff --git a/articles/network-watcher/traffic-analytics-schema-update.md b/articles/network-watcher/traffic-analytics-schema-update.md
@@ -0,0 +1,113 @@
+﻿---
+title: Azure traffic analytics schema update - March 2020 | Microsoft Docs
+description: Sample queries with new fields in the Traffic Analytics schema.
+services: network-watcher
+documentationcenter: na
+author: vinigam
+manager: agummadi
+editor:
+
+ms.service: network-watcher
+ms.devlang: na
+ms.topic: article
+ms.tgt_pltfrm: na
+ms.workload:  infrastructure-services
+ms.date: 03/06/2020
+ms.author: vinigam
+
+---
+# Sample queries with new fields in Traffic Analytics schema (August 2019 schema update)
+
+The [Traffic Analytics Log schema](https://docs.microsoft.com/azure/network-watcher/traffic-analytics-schema) has been updated to include the following new fields: **SrcPublicIPs_s** , **DestPublicIPs_s**, **NSGRule_s**. In the next few months, the following older fields will be deprecated: **VMIP_s**, **Subscription_g**, **Region_s**, **NSGRules_s**, **Subnet_s**, **VM_s**, **NIC_s**, **PublicIPs_s**, **FlowCount_d**.
+The new fields provide information about source and destination IPs and simplify queries.
+
+Below are three examples showing how to replace the old fields with new ones.
+
+## Example 1 - VMIP_s, Subscription_g, Region_s, Subnet_s, VM_s, NIC_s, PublicIPs_s
+
+We don’t have to infer Source and destination cases for Azure and External public flows from FlowDirection_s field for AzurePublic and ExternalPublic flows specifically. In case of an NVA (Network Virtual Appliance), the FlowDirection_s field can be inappropriate to be used as well.
+
+```Old Kusto query
+AzureNetworkAnalytics_CL
+| where SubType_s == "FlowLog" and FASchemaVersion_s == "1"
+| extend isAzureOrExternalPublicFlows = FlowType_s in ("AzurePublic", "ExternalPublic")
+| extend SourceAzureVM = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'O', VM_s, "N/A"), VM1_s),
+SourceAzureVMIP = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'O', VM_s, "N/A"), SrcIP_s),
+SourceAzureVMSubscription = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'O', Subscription_g, "N/A"), Subscription1_g),
+SourceAzureRegion = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'O', Region_s, "N/A"), Region1_s),
+SourceAzureSubnet = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'O', Subnet_s, "N/A"), Subnet1_s),
+SourceAzureNIC = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'O', NIC_s, "N/A"), NIC1_s),
+DestAzureVM = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'I', VM_s, "N/A"), VM2_s),
+DestAzureVMIP = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'I', VM_s, "N/A"), DestIP_s),
+DestAzureVMSubscription = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'I', Subscription_g, "N/A"), Subscription2_g),
+DestAzureRegion = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'I', Region_s, "N/A"), Region2_s),
+DestAzureSubnet = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'I', Subnet_s, "N/A"), Subnet2_s),
+DestAzureNIC = iif(isAzureOrExternalPublicFlows, iif(FlowDirection_s == 'I', NIC_s, "N/A"), NIC2_s),
+SourcePublicIPsAggregated = iif(isAzureOrExternalPublicFlows and FlowDirection_s == 'I', PublicIPs_s, "N/A"),
+DestPublicIPsAggregated = iif(isAzureOrExternalPublicFlows and FlowDirection_s == 'O', PublicIPs_s, "N/A")
+```
+
+
+```New Kusto query
+AzureNetworkAnalytics_CL
+| where SubType_s == "FlowLog" and FASchemaVersion_s == "2"
+| extend SourceAzureVM = iif(isnotempty(VM1_s), VM1_s, "N/A"),
+SourceAzureVMIP = iif(isnotempty(SrcIP_s), SrcIP_s, "N/A"),
+SourceAzureVMSubscription = iif(isnotempty(Subscription1_g), Subscription1_g, "N/A"),
+SourceAzureRegion = iif(isnotempty(Region1_s), Region1_s, "N/A"),
+SourceAzureSubnet = iif(isnotempty(Subnet1_s), Subnet1_s, "N/A"),
+SourceAzureNIC = iif(isnotempty(NIC1_s), NIC1_s, "N/A"),
+DestAzureVM = iif(isnotempty(VM2_s), VM2_s, "N/A"),
+DestAzureVMIP = iif(isnotempty(DestIP_s), DestIP_s, "N/A"),
+DestAzureVMSubscription = iif(isnotempty(Subscription2_g), Subscription2_g, "N/A"),
+DestAzureRegion = iif(isnotempty(Region2_s), Region2_s, "N/A"),
+DestAzureSubnet = iif(isnotempty(Subnet2_s), Subnet2_s, "N/A"),
+DestAzureNIC = iif(isnotempty(NIC2_s), NIC2_s, "N/A"),
+SourcePublicIPsAggregated = iif(isnotempty(SrcPublicIPs_s), SrcPublicIPs_s, "N/A"),
+DestPublicIPsAggregated = iif(isnotempty(DestPublicIPs_s), DestPublicIPs_s, "N/A")
+```
+
+
+## Example 2 - NSGRules_s
+
+Earlier field was of format: <Index value 0)>|<NSG_RULENAME>|<Flow Direction>|<Flow Status>|<FlowCount ProcessedByRule>
+
+Earlier we used to aggregate data across NSG and NSGRules. Now we do not aggregate. So NSGList_s contains only one NSG and NSGRules_s also used to contain only one rule. So we have removed the complicated formatting here and the same can be found in other fields as mentioned below:
+
+```Old Kusto query
+AzureNetworkAnalytics_CL
+| where SubType_s == "FlowLog" and FASchemaVersion_s == "1"
+| extend NSGRuleComponents = split(NSGRules_s, "|")
+| extend NSGName = NSGList_s // remains same
+| extend NSGRuleName = NSGRuleComponents[1],
+         FlowDirection = NSGRuleComponents[2],
+         FlowStatus = NSGRuleComponents[3],
+         FlowCountProcessedByRule = NSGRuleComponents[4]
+| project NSGName, NSGRuleName, FlowDirection, FlowStatus, FlowCountProcessedByRule
+```
+
+```New Kusto query
+AzureNetworkAnalytics_CL
+| where SubType_s == "FlowLog" and FASchemaVersion_s == "2"
+| extend NSGRuleComponents = split(NSGRules_s, "|")
+| project NSGName = NSGList_s,
+NSGRuleName = NSGRule_s ,
+FlowDirection = FlowDirection_s,
+FlowStatus = FlowStatus_s,
+FlowCountProcessedByRule = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d
+```
+
+## Example 3 - FlowCount_d
+
+Since we do not club data across NSG, the FlowCount_d is simply AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d.
+Only 1 of the above 4 will be non-zero and rest three will be 0. And it would indicate the status and count in the NIC where the flow was captured.
+
+If the flow was allowed, one of the fields prefixed with “Allowed” will be populated. Else one fields prefixed with “Denied” will be populated.
+If the flow was inbound, one of the fields suffixed with "\_d" like “InFlows_d” suffixed field will be populated. Else “OutFlows_d” will be populated.
+
+Depending on above 2 conditions, we know which one out of the 4 will be populated.
+
+
+## Next Steps
+To get answers to frequently asked questions, see [Traffic analytics FAQ](traffic-analytics-faq.md)
+To see details about functionality, see [Traffic analytics documentation](traffic-analytics.md)
