Merge pull request #302428 from ChaithanyaRai/patch-99

[Azure Doc-a-thon] Update network-security-perimeter-diagnostic-logs.md

Author: AnnaMHuff

articles/private-link/network-security-perimeter-diagnostic-logs.md

@@ -39,9 +39,142 @@ Access logs categories for a network security perimeter are based on the results
 > [!NOTE]
 > The available access modes for a network security perimeter are **Transition** and **Enforced**. The **Transition** mode was previously named **Learning** mode. You may continue to see references to **Learning** mode in some instances. 
 
+## Access log schema
+
+Every PaaS resource associated with the network security perimeter, generates access log(s) with unified log schema when enabled.
+> [!NOTE]
+> Network security perimeter access logs may have been aggregated. If the fields 'count' and 'timeGeneratedEndTime' are missing, consider the aggregation count as 1.
+
+| **Value** | **Description** |
+| --- | --- |
+| **time** | The timestamp (UTC) of the first event in log aggregation window. |
+| **timeGeneratedEndTime** | The timestamp (UTC) of the last event in the log aggregation window. |
+| **count** | Number of logs aggregated. |
+| **resourceId** | The resource Id of the network security perimeter.|
+| **location** | The region of network security perimeter.|
+| **operationName** | The name of the PaaS resource operation represented by this event. |
+| **operationVersion** | The api-version associated with the operation. |
+| **category** | Log categories defined for Access logs. |
+| **properties** | Network security perimeter specific extended properties related to this category of events.|
+| **resultDescription** | The static text description of this operation on the PaaS resource, e.g. “Get storage file.” |
+
+## Network security perimeter specific properties
+
+This section describes the network security perimeter specific properties in the log schema. 
+> [!NOTE]
+> Application of the properties is subjected to log category type. Do refer respective log category schemas for applicability.
+
+| **Value** | **Description** |
+| --- | --- |
+| **serviceResourceId** | Resource ID of PaaS resource emitting network security perimeter access logs. |
+| **serviceFqdn** | Fully Qualified Domain Name of PaaS resource emitting network security perimeter access logs. |
+| **profile** | Name of the network security perimeter profile associated to the resource. |
+| **parameters** | List of optional PaaS resource properties in JSON string format. E.g., { {Param1}: {value1}, {Param2}: {value2}, ...}. |
+| **appId** | Unique GUID representing the app ID of resource in the Azure Active Directory. |
+| **matchedRule** | JSON property bag containing matched accessRule name, {"accessRule" : "{ruleName}"}. It can be either network security perimeter access rule Name or resource rule name (not the ArmId). |
+| **source** | JSON property bag describing source of the inbound connection. |
+| **destination** | JSON property bag describing destination of the outbound connection. |
+| **accessRulesVersion** | JSON property bag containing access rule version of the resource. |
+	
+## Source properties
+
+Properties describing source of inbound connection.
+
+| **Value** | **Description** |
+| --- | --- |
+| **resourceId** | Resource ID of source PaaS resource for an inbound connection. Will exist if applicable. |
+| **ipAddress** | IP address of source making inbound connection. Will exist if applicable. |
+| **port** | Port number of inbound connection. May not exist for all resource types. |
+| **protocol** | Application & transport layer protocols for inbound connection in format {AppProtocol}:{TptProtocol}. E.g., HTTPS:TCP. May not exist for all resource types. |
+| **perimeterGuids** | List of perimeter GUIDs of source resource. It should be specified only if allowed based on perimeter GUID. |
+| **appId** | Unique GUID representing the app ID of source in the Azure Active Directory. |
+| **parameters** | List of optional source properties in JSON string format. E.g., { {Param1}: {value1}, {Param2}: {value2}, ...}. |
+
+## Destination properties
+Properties describing destination of outbound connection.
+
+| **Value** | **Description** |
+| --- | --- |
+| **resourceId** | Resource ID of destination PaaS resource for an outbound connection. Will exist if applicable. |
+| **fullyQualifiedDomainName** | Fully Qualified Domain (FQDN) name of the destination. |
+| **parameters** | List of optional destination properties in JSON string format. E.g., { {Param1}: {value1}, {Param2}: {value2}, ...}. |
+| **port** | Port number of outbound connection. May not exist for all resource types. |
+| **protocol** | Application & transport layer protocols for outbound connection in the format {AppProtocol}:{TptProtocol}. E.g., HTTPS:TCP. May not exist for all resource types. |
+
+## Sample log entry For inbound categories
+
+``` json
+{
+  "time" : "{timestamp}",
+  "timeGeneratedEndTime" : "{timestamp}",
+  "count" : "{countOfAggregatedLogs}",
+  "resourceId" : "/SUBSCRIPTIONS/{subsId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYPERIMETERS/{perimeterName}",
+  "operationName" : "{PaaSOperationName}" ,
+  "operationVersion" : "{api-version}",
+  "category" : "{inboundCategory}",
+  "location" : "{networksecurityperimeterRegion}",
+  "properties" : {
+    "serviceResourceId" : "/subscriptions/{paasSubsId}/resourceGroups/{paasResourceGroupName}/providers/{provider}/{resourceType}/{resourceName}",
+    "serviceFqdn": "{PaaSResourceFQDN}",
+    "accessRulesVersion" : "{accessRulesVersion}",
+    "profile" : "{networksecurityperimeterProfileName}",
+    "appId" : "{resourceAppId}",
+    "parameters" : "{ {ParameterType1}: {value1}, {ParameterType2}: {value2}, ...}", // Parsable JSON 
+    "matchedRule" : {
+      "accessRule" : "{matchedRuleName}",
+      },
+    "source" : {
+      "resourceId" : "/subscriptions/{sourceSubscriptionId}/resourceGroups/{sourceResourceGroupName}/providers/{sourceProvider}/{sourceResourceType}/{sourceResourceName}",
+      "ipAddress": "{sourceIPAddress}",
+      "perimeterGuids" : ["{sourcePerimeterGuid}"], // Only included if request comes from perimeter
+      "appId" : "{sourceAppId}",
+      "port" : "{Port}",
+      "protocol" : "{Protocol}",
+      "parameters" : "{ {ParameterType1}: {value1}, {ParameterType2}: {value2}, ...}", // Parsable JSON 
+    },
+  },
+  "resultDescription" : "The static text description of this operation on the PaaS resource. For example, \"Get storage file.\""
+}
+```
+
+## Sample log entry for outbound categories
+
+``` json
+{
+  "time" : "{timestamp}",
+  "timeGeneratedEndTime" : "{timestamp}",
+  "count" : "{countOfAggregatedLogs}",
+  "resourceId" : "/SUBSCRIPTIONS/{subsId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYPERIMETERS/{perimeterName}",
+  "operationName" : "{PaaSOperationName}" ,
+  "operationVersion" : "{api-version}",
+  "category" : "{outboundCategory}",
+  "location" : "{networksecurityperimeterRegion}",
+  "properties" : {
+    "serviceResourceId" : "/subscriptions/{paasSubsId}/resourceGroups/{paasResourceGroupName}/providers/{provider}/{resourceType}/{resourceName}",
+    "serviceFqdn": "{PaaSResourceFQDN}",
+    "accessRulesVersion" : "{accessRulesVersion}",
+    "profile" : "{networksecurityperimeterProfileName}",
+    "appId" : "{resourceAppId}",
+    "parameters" : "{{ParameterType1}: {value1}, {ParameterType2}: {value2}, ...}", // Parsable JSON 
+    "matchedRule" : {
+      "accessRule" : "{matchedRuleName}",
+      },
+    "destination" : {
+      "resourceId" : "/subscriptions/{destSubsId}/resourceGroups/{destResourceGroupName}/providers/{destProvider}/{destResourceType}/{destResourceName}",
+      "fullyQualifiedDomainName" : "{destFQDN}",
+      "appId" : "{destAppId}",
+      "port" : "{Port}",
+      "protocol" : "{Protocol}",
+      "parameters" : "{ {ParameterType1}: {value1}, {ParameterType2}: {value2}, ...}", // Parsable JSON 
+    },
+  },
+  "resultDescription" : "The static text description of this operation on the PaaS resource. For example, \"Get storage file.\""
+}
+```
+
 ## Logging destination options for access logs  
 
-The destinations for storing diagnostic logs for a network security perimeter include services like Log Analytic workspace, Azure Storage account, and Azure Event Hubs. For the full list and details of supported destinations, see [Supported destinations for diagnostic logs](/azure/azure-monitor/essentials/diagnostic-settings).
+The destinations for storing diagnostic logs for a network security perimeter include services like Log Analytic workspace (**Table name: NSPAccessLogs**), Azure Storage account, and Azure Event Hubs. For the full list and details of supported destinations, see [Supported destinations for diagnostic logs](/azure/azure-monitor/essentials/diagnostic-settings).
 
 ## Enable logging through the Azure portal