Overview
Table name: azure_nsg_flow_logs
Azure NSG Flow Logs are logs that provide information about network traffic to and from resources in an Azure virtual network and can be used for security, troubleshooting, and compliance purposes.
Send data to Hunters
STEP 1: Route logs to Azure Blob Storage
Before setting up the connection on the Hunters platform, make sure your Azure logs are being routed to your Azure Storage account.
Create a flow log for NSG logs using this guide. Follow the instructions under the Create a Flow Log section.
STEP 2: Set up the connection on Hunters
Before initiating the connection process on the Hunters platform, you should gather the following information:
- Azure connection string/key
- Container names
- Blob prefix
To connect Microsoft Azure to Hunters:
- Open the Hunters platform and navigate to Data > Data Sources.
- Click ADD DATA SOURCES.
- Locate the Microsoft Azure panel and click Connect.
  The Add Data Flows window opens.
- Under the Source section, enter your Azure connection string.
Learn more about this string here.
For example:
DefaultEndpointsProtocol=https;AccountName=defenderlogs;AccountKey=g6DbhGsQ4u890mngU7szCxq/jUioeWTd/gFHyhgde46gvDs3EuKNfSfVcUPQWazMlopLl6if5e7JKdGYtrvdfj==;EndpointSuffix=core.windows.net
You can also use a Shared Access Signature (SAS) as a connection string.
- Under the Data types section, click the + sign to open a separate box for each data type you want to connect and fill in the fields:
a. From the Data Type field, select the type of logs you want to connect.
b. In the Label field, provide a name for this connection. This will help you avoid clutter later when managing the connections.
c. Leave the Blob prefix field empty.
d. In the Container name field, enter the name of the container containing the type of logs specified in the Data Types field.
e. From the File format field, select Azure NSG Json. This is the only format for the data types currently supported.
f. From the Start Date field, select how far back you want logs to be transferred.
g. Click Test Connection to make sure everything was set up correctly.
- Once the connection is established, click Submit.
Expected format
Logs are expected to arrive in Azure NSG-JSON format.
{"records": [{"time": "2020-04-22T09:00:02.7822187Z", "systemId": "400f249e-a8fc-4903-8d90-5f61c7cd006a", "macAddress": "000D3A0F3A64", "category": "NetworkSecurityGroupFlowEvent", "resourceId": "/SUBSCRIPTIONS/728F502E-AF9E-4EB4-A4B6-8F2B7ECE4D81/RESOURCEGROUPS/HQ-COMMON-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HQ-ALLOW-ALL-SECURITY-GROUP", "operationName": "NetworkSecurityGroupFlowEvents", "properties": {"Version": 2, "flows": [{"rule": "UserRule_allow-all-outbound", "flows": [{"mac": "000D3A0F3A64", "flowTuples": ["1587545941,10.0.1.1,2.3.4.19,37038,443,T,O,A,E,8,1445,13,13951", "1587545941,10.0.1.12,1.2.3.4,32850,443,T,O,A,E,8,1528,10,10057"]}]}]}}]}
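As an added example (not part of the Hunters documentation or product), the following Python flattens a record in this NSG-JSON format into one event per flow tuple and decodes the version 2 tuple fields (timestamp, 5-tuple, direction, decision, flow state and the four traffic counters). The sample record is constructed to mirror the one shown above; the helper names are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample: same structure as the NSG-JSON record above, trimmed to the fields used here.
SAMPLE = json.dumps({"records": [{
    "time": "2020-04-22T09:00:02.7822187Z", "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/HQ-COMMON-RG/PROVIDERS/MICROSOFT.NETWORK"
                  "/NETWORKSECURITYGROUPS/HQ-ALLOW-ALL-SECURITY-GROUP",
    "properties": {"Version": 2, "flows": [{"rule": "UserRule_allow-all-outbound", "flows": [{
        "mac": "000D3A0F3A64",
        "flowTuples": ["1587545941,10.0.1.1,2.3.4.19,37038,443,T,O,A,E,8,1445,13,13951",
                       "1587545941,10.0.1.12,1.2.3.4,32850,443,T,O,A,E,8,1528,10,10057"]}]}]}}]})

# Single-letter codes used inside flow tuples.
PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allow", "D": "deny"}
FLOW_STATE = {"B": "begin", "C": "continuing", "E": "end"}

def parse_tuple(tup, version):
    """Split one flowTuples entry into a dict. Flow state and counters exist only in version 2."""
    f = tup.split(",")
    ts, src_ip, dst_ip, src_port, dst_port, proto, direction, decision = f[:8]
    event = {
        "time": datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat(),
        "src_ip": src_ip, "dst_ip": dst_ip, "src_port": int(src_port), "dst_port": int(dst_port),
        "protocol": PROTOCOL.get(proto, proto), "direction": DIRECTION.get(direction, direction),
        "decision": DECISION.get(decision, decision),
    }
    if version >= 2:
        event["flow_state"] = FLOW_STATE.get(f[8], f[8])
        # Counters are empty strings in "begin" (B) tuples; treat a missing value as 0.
        (event["packets_src_to_dst"], event["bytes_src_to_dst"],
         event["packets_dst_to_src"], event["bytes_dst_to_src"]) = [int(x) if x else 0 for x in f[9:13]]
    return event

def parse_nsg_records(raw):
    """Flatten an NSG-JSON blob into one event per flow tuple, tagged with rule, NSG name and NIC MAC."""
    events = []
    for rec in json.loads(raw)["records"]:
        props = rec["properties"]
        version = props.get("Version", 1)
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule in props["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    ev = parse_tuple(tup, version)
                    ev.update(rule=rule["rule"], nsg=nsg, mac=nic["mac"])
                    events.append(ev)
    return events

def denied_inbound(events):
    """Triage helper: the subset of flows an NSG rule blocked on the way in."""
    return [e for e in events if e["direction"] == "inbound" and e["decision"] == "deny"]
```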