articles/network-watcher/traffic-analytics-schema.md
9 additions & 6 deletions
@@ -6,7 +6,7 @@ author: halkazwini
6
6
ms.author: halkazwini
7
7
ms.service: azure-network-watcher
8
8
ms.topic: concept-article
9
-
ms.date: 07/11/2024
9
+
ms.date: 12/22/2024
10
10
11
11
#CustomerIntent: As a administrator, I want learn about traffic analytics schema so I can easily use the queries and understand their output.
12
12
---
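Review bot: the `#CustomerIntent` context line at line 11 still reads "As a administrator, I want learn about traffic analytics schema"; since this hunk already touches the front matter, fix it to "As an administrator, I want to learn about the traffic analytics schema so I can easily use the queries and understand their output." The ms.date bump to 12/22/2024 is otherwise the only change here and matches the content edits below.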
@@ -272,8 +272,8 @@ The following table details public IP schema:
272
272
|**ThreatType**| Threat posed by malicious IP |**For Malicious IPs only**: One of the threats from the list of currently allowed values (described in the next table). |
273
273
|**ThreatDescription**| Description of the threat |*For Malicious IPs only*. Description of the threat posed by the malicious IP. |
274
274
|**DNSDomain**| DNS domain |*For Malicious IPs only*. Domain name associated with the malicious IP. |
275
-
|**Url**| URL corresponding to the malicious IP |*For Malicious IPs only*|
276
-
|**Port**| Port corresponding to the malicious IP |*For Malicious IPs only*|
275
+
|**Url**| URL corresponding to the malicious IP |*For Malicious IPs only*.|
276
+
|**Port**| Port corresponding to the malicious IP |*For Malicious IPs only*.|
277
277
278
278
# [**Virtual network flow logs**](#tab/vnet)
279
279
@@ -291,14 +291,17 @@ The following table details public IP schema:
291
291
|**DNSDomain**| DNS domain |*For Malicious IPs only*. Domain name associated with this IP. |
292
292
|**ThreatDescription**| Description of the threat |*For Malicious IPs only*. Description of the threat posed by the malicious IP. |
293
293
|**Location**| Location of the IP |**For Azure Public IP**: Azure region of virtual network / network interface / virtual machine to which the IP belongs or Global for IP 168.63.129.16. <br> **For External Public IP and Malicious IP**: two-letter country code (ISO 3166-1 alpha-2) where IP is located. |
294
-
|**Url**| URL corresponding to the malicious IP |*For Malicious IPs only*. |
294
+
|**Url**| URL corresponding to the malicious IP |*For Malicious IPs only*. |
295
295
|**Port**| Port corresponding to the malicious IP |*For Malicious IPs only*. |
296
296
297
297
> [!NOTE]
298
-
> *NTAIPDetails* in virtual network flow logs replaces *AzureNetworkAnalyticsIPDetails_CL* used in network security group flow logs.
298
+
> -*NTAIPDetails* in virtual network flow logs replaces *AzureNetworkAnalyticsIPDetails_CL* used in network security group flow logs.
299
+
>
300
+
> - Traffic analytics can log any malicious FQDN associated to the IP for malicious flows. To filter out, use the port, URL and domain fields as needed.
299
301
300
302
---
301
303
304
+
<br>
302
305
List of threat types:
303
306
304
307
| Value | Description |
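Review bot: the first note item at new line 298 is written as `> -*NTAIPDetails*` with no space between the hyphen and the text, so Markdown will not treat it as a list marker and the hyphen will render literally; change it to `> - *NTAIPDetails* in virtual network flow logs replaces *AzureNetworkAnalyticsIPDetails_CL* used in network security group flow logs.` so both items render as bullets. In the second item, "associated to the IP" should read "associated with the IP", and "To filter out, use the port, URL and domain fields as needed" leaves the object implicit; name the columns the reader would filter on, e.g. "To narrow results to a specific indicator, filter on the Port, Url, and DNSDomain fields." The Url row at line 294 is removed and re-added with identical visible text, which suggests a trailing-whitespace change; worth confirming it is intentional. The added `<br>` at new line 304 is raw HTML in the Markdown and a blank line already separates the note from "List of threat types:", so drop it unless the extra spacing is required.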
@@ -307,7 +310,7 @@ List of threat types:
307
310
| C2 | Indicator detailing a Command & Control node of a botnet. |
308
311
| CryptoMining | Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse. |
309
312
| DarkNet | Indicator of a Darknet node/network. |
310
-
|DDos| Indicators relating to an active or upcoming DDoS campaign. |
313
+
|DDoS| Indicators relating to an active or upcoming DDoS campaign. |
311
314
| MaliciousUrl | URL that is serving malware. |
312
315
| Malware | Indicator describing a malicious file or files. |
313
316
| Phishing | Indicators relating to a phishing campaign. |
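Review bot: the `DDos` to `DDoS` correction is right, but the CryptoMining row at line 308/311 in this same hunk still reads "CyrptoMining / Resource abuse"; fix that spelling to "CryptoMining" in the same pass. The DDoS row also lacks the padding spaces the other rows use (`|DDoS|` versus `| C2 |`); harmless to the renderer, but aligning it keeps the table source readable.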