Azure Virtual Network Flow Logs


NSG → VNF

Microsoft used to support NSG flow logs.

Since 2025, Microsoft has asked all integrations to ingest Azure VNF (Azure Virtual Network Flow Logs) instead.

Hunters only supports the FlowLogEvent data (from the NetworkSecurityGroupFlowEvent category).

The NTAIpDetails, NTANetAnalytics, and NTATopologyDetails logs belong to Traffic Analytics in Azure; they aren't required and aren't supported.

Hunters only processes the raw NSG Flow Logs, which look like this:

{"records":[{"time":"2022-09-14T09:00:52.5625085Z","flowLogVersion":4,"flowLogGUID":"GUID_1","macAddress":"MAC_1","category":"FlowLogFlowEvent","flowLogResourceID":"/SUBSCRIPTIONS/SUB_1/RESOURCEGROUPS/RG_1/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NW_1/FLOWLOGS/FLOWLOG_1","targetResourceID":"/subscriptions/SUB_1/resourceGroups/RG_2/providers/Microsoft.Network/virtualNetworks/VNET_1","operationName":"FlowLogFlowEvent","flowRecords":{"flows":[{"aclID":"ACL_1","flowGroups":[{"rule":"DefaultRule_AllowInternetOutBound","flowTuples":["1663146003599,PRIV_IP_1,EXT_IP_1,23956,443,6,O,B,NX,0,0,0,0","1663146003606,PRIV_IP_1,EXT_IP_1,23956,443,6,O,E,NX,3,767,2,1580","1663146003637,PRIV_IP_1,EXT_IP_2,22730,443,6,O,B,NX,0,0,0,0","1663146003640,PRIV_IP_1,EXT_IP_2,22730,443,6,O,E,NX,3,705,4,4569","1663146004251,PRIV_IP_1,EXT_IP_2,22732,443,6,O,B,NX,0,0,0,0","1663146004251,PRIV_IP_1,EXT_IP_2,22732,443,6,O,E,NX,3,705,4,4569","1663146004622,PRIV_IP_1,EXT_IP_2,22734,443,6,O,B,NX,0,0,0,0","1663146004622,PRIV_IP_1,EXT_IP_2,22734,443,6,O,E,NX,2,134,1,108","1663146017343,PRIV_IP_1,EXT_IP_3,36776,443,6,O,B,NX,0,0,0,0","1663146022793,PRIV_IP_1,EXT_IP_3,36776,443,6,O,E,NX,22,2217,33,32466"]}]} ,{"aclID":"ACL_1","flowGroups":[{"rule":"BlockHighRiskTCPPortsFromInternet","flowTuples":["1663145998065,EXT_IP_4,PRIV_IP_1,55188,22,6,I,D,NX,0,0,0,0","1663146005503,EXT_IP_5,PRIV_IP_1,35276,119,6,I,D,NX,0,0,0,0"]},{"rule":"Internet","flowTuples":["1663145989563,EXT_IP_6,PRIV_IP_1,50557,44357,6,I,D,NX,0,0,0,0","1663145989679,EXT_IP_7,PRIV_IP_1,62797,35945,6,I,D,NX,0,0,0,0","1663145989709,EXT_IP_8,PRIV_IP_1,51961,65515,6,I,D,NX,0,0,0,0","1663145990049,EXT_IP_9,PRIV_IP_1,40497,40129,6,I,D,NX,0,0,0,0","1663145990145,EXT_IP_7,PRIV_IP_1,62797,30472,6,I,D,NX,0,0,0,0","1663145990175,EXT_IP_8,PRIV_IP_1,51961,28184,6,I,D,NX,0,0,0,0","1663146015545,EXT_IP_6,PRIV_IP_1,50557,31244,6,I,D,NX,0,0,0,0"]}]}]}}]}

Table name: azure_virtual_network_flow_logs

Azure Virtual Network Flow Logs capture information about network traffic flowing through network security groups in an Azure subscription, including details about allowed and denied connections, traffic volume, and flow patterns.

Send data to Hunters

Hunters supports the ingestion of these logs using Azure Event Hub. Follow the steps below to complete the connection.


STEP 1: Set up Azure Event Hub

Before setting up the connection on the Hunters platform, you'll need to create and configure an Azure Event Hub.

Follow this guide to complete the setup.

STEP 2: Route logs to the Event Hub

  1. In the Azure portal home screen, search for and open Resource Groups.
     The Resource Group list opens.

  2. Select the relevant resource group.
     The Resource Group opens.

  3. Scroll down the side menu to the Monitoring section and click Diagnostic Settings.
     The Diagnostic Settings page opens.

  4. Select a resource from the Resource list.

  5. Click Add Diagnostic setting.

  6. Under Logs, check the Virtual Network Flow Log checkbox.

  7. Under Destination details, check the Stream to an Event Hub option.

  8. Fill in the requested details and give the diagnostic setting a name.

  9. Click Save.


STEP 3: Set up the connection on Hunters

📘 Before you begin
To complete this process you will need the information gathered when following this guide.

To connect logs to Hunters:
  1. Open the Hunters platform and navigate to Data > Data Sources.
  2. Click ADD DATA SOURCES.
  3. Locate the Microsoft Azure panel and click Connect.
     The Add Data Flows window opens.
  4. Fill in the required Azure application details, as gathered here under STEP 2.
  5. Under the Data Types section, activate the data types you want to connect.
  6. For each activated data type, fill in the required information, as gathered here:
     1. Under STEP 1 - Subscription ID
     2. Under STEP 3 - Resource group name and Event Hub namespace
     3. Under STEP 4 - Event Hub name
  7. OPTIONAL: Under the Consumer group field you can specify a specific Azure Event Hub consumer group, or leave this field empty to use the default consumer group.
  8. Click Test Connection to make sure everything was set up correctly.
  9. Once the connection is established, click Submit.

Expected format

{
    "records": [
        {
            "time": "2022-09-14T09:00:52.5625085Z",
            "flowLogVersion": 4,
            "flowLogGUID": "66aa66aa-bb77-cc88-dd99-00ee00ee00ee",
            "macAddress": "112233445566",
            "category": "FlowLogFlowEvent",
            "flowLogResourceID": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
            "targetResourceID": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",
            "operationName": "FlowLogFlowEvent",
            "flowRecords": {
                "flows": [
                    {
                        "aclID": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
                        "flowGroups": [
                            {
                                "rule": "DefaultRule_AllowInternetOutBound",
                                "flowTuples": [
                                    "1663146003599,10.0.0.6,192.0.2.180,23956,443,6,O,B,NX,0,0,0,0",
                                    "1663146003606,10.0.0.6,192.0.2.180,23956,443,6,O,E,NX,3,767,2,1580",
                                    "1663146003637,10.0.0.6,203.0.113.17,22730,443,6,O,B,NX,0,0,0,0",
                                    "1663146003640,10.0.0.6,203.0.113.17,22730,443,6,O,E,NX,3,705,4,4569",
                                    "1663146004251,10.0.0.6,203.0.113.17,22732,443,6,O,B,NX,0,0,0,0",
                                    "1663146004251,10.0.0.6,203.0.113.17,22732,443,6,O,E,NX,3,705,4,4569",
                                    "1663146004622,10.0.0.6,203.0.113.17,22734,443,6,O,B,NX,0,0,0,0",
                                    "1663146004622,10.0.0.6,203.0.113.17,22734,443,6,O,E,NX,2,134,1,108",
                                    "1663146017343,10.0.0.6,198.51.100.84,36776,443,6,O,B,NX,0,0,0,0",
                                    "1663146022793,10.0.0.6,198.51.100.84,36776,443,6,O,E,NX,22,2217,33,32466"
                                ]
                            }
                        ]
                    },
                    {
                        "aclID": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
                        "flowGroups": [
                            {
                                "rule": "BlockHighRiskTCPPortsFromInternet",
                                "flowTuples": [
                                    "1663145998065,101.33.218.153,10.0.0.6,55188,22,6,I,D,NX,0,0,0,0",
                                    "1663146005503,192.241.200.164,10.0.0.6,35276,119,6,I,D,NX,0,0,0,0"
                                ]
                            },
                            {
                                "rule": "Internet",
                                "flowTuples": [
                                    "1663145989563,192.0.2.10,10.0.0.6,50557,44357,6,I,D,NX,0,0,0,0",
                                    "1663145989679,203.0.113.81,10.0.0.6,62797,35945,6,I,D,NX,0,0,0,0",
                                    "1663145989709,203.0.113.5,10.0.0.6,51961,65515,6,I,D,NX,0,0,0,0",
                                    "1663145990049,198.51.100.51,10.0.0.6,40497,40129,6,I,D,NX,0,0,0,0",
                                    "1663145990145,203.0.113.81,10.0.0.6,62797,30472,6,I,D,NX,0,0,0,0",
                                    "1663145990175,203.0.113.5,10.0.0.6,51961,28184,6,I,D,NX,0,0,0,0",
                                    "1663146015545,192.0.2.10,10.0.0.6,50557,31244,6,I,D,NX,0,0,0,0"
                                ]
                            }
                        ]
                    }
                ]
            }
        }
    ]
}
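The sample above shows the record structure but not what each comma-separated field of a flow tuple means. The parser below is an added example (not Hunters' code and not part of the original page) that walks a record in the format shown, splits each tuple, and summarises denied inbound connections and transferred bytes; the field order it assumes (timestamp in ms, source IP, destination IP, source port, destination port, protocol number, direction I/O, flow state B/C/E/D, encryption X/NX, then packets and bytes in each direction) is Microsoft's published schema for flow log version 4. The embedded SAMPLE_RECORD is a constructed, trimmed copy of the page's sample.

```python
"""Parse Azure Virtual Network Flow Log records (flowLogVersion 4) and summarise them."""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the record shape shown on this page.
SAMPLE_RECORD = json.dumps({
    "records": [{
        "time": "2022-09-14T09:00:52.5625085Z",
        "flowLogVersion": 4,
        "category": "FlowLogFlowEvent",
        "targetResourceID": "/subscriptions/SUB_1/resourceGroups/RG_2/providers/Microsoft.Network/virtualNetworks/VNET_1",
        "flowRecords": {"flows": [
            {"aclID": "ACL_1", "flowGroups": [
                {"rule": "DefaultRule_AllowInternetOutBound", "flowTuples": [
                    "1663146003599,10.0.0.6,192.0.2.180,23956,443,6,O,B,NX,0,0,0,0",
                    "1663146003606,10.0.0.6,192.0.2.180,23956,443,6,O,E,NX,3,767,2,1580",
                ]},
            ]},
            {"aclID": "ACL_1", "flowGroups": [
                {"rule": "BlockHighRiskTCPPortsFromInternet", "flowTuples": [
                    "1663145998065,101.33.218.153,10.0.0.6,55188,22,6,I,D,NX,0,0,0,0",
                    "1663146005503,192.241.200.164,10.0.0.6,35276,119,6,I,D,NX,0,0,0,0",
                ]},
                {"rule": "Internet", "flowTuples": [
                    "1663145989563,192.0.2.10,10.0.0.6,50557,44357,6,I,D,NX,0,0,0,0",
                ]},
            ]},
        ]},
    }]
})

PROTOCOLS = {"6": "TCP", "17": "UDP"}


@dataclass(frozen=True)
class FlowTuple:
    timestamp_ms: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str        # "I" inbound to the VNet, "O" outbound
    state: str            # "B" begin, "C" continuing, "E" end, "D" denied
    encrypted: bool       # "X" encrypted, "NX" not encrypted
    packets_src_to_dst: int
    bytes_src_to_dst: int
    packets_dst_to_src: int
    bytes_dst_to_src: int


def _count(field: str) -> int:
    # Begin/denied records may carry zero or empty counters; treat both as 0.
    return int(field) if field else 0


def parse_tuple(raw: str) -> FlowTuple:
    """Split one 13-field flow tuple string into a typed record."""
    fields = raw.split(",")
    if len(fields) != 13:
        raise ValueError(f"expected 13 fields, got {len(fields)}: {raw!r}")
    ts, src, dst, sport, dport, proto, direction, state, enc, p1, b1, p2, b2 = fields
    return FlowTuple(int(ts), src, dst, int(sport), int(dport),
                     PROTOCOLS.get(proto, proto), direction, state, enc == "X",
                     _count(p1), _count(b1), _count(p2), _count(b2))


def iter_flows(payload: dict):
    """Yield (aclID, rule, FlowTuple) for every tuple in every FlowLogFlowEvent record."""
    for record in payload.get("records", []):
        if record.get("category") != "FlowLogFlowEvent":
            continue
        for flow in record.get("flowRecords", {}).get("flows", []):
            acl = flow.get("aclID")
            for group in flow.get("flowGroups", []):
                rule = group.get("rule")
                for raw in group.get("flowTuples", []):
                    yield acl, rule, parse_tuple(raw)


def summarize(payload_json: str) -> dict:
    """Count denied inbound flows per (rule, destination port) and sum bytes on C/E records."""
    flows = list(iter_flows(json.loads(payload_json)))
    denied_inbound = Counter()
    bytes_src_to_dst = bytes_dst_to_src = 0
    for _, rule, t in flows:
        if t.state == "D" and t.direction == "I":
            denied_inbound[f"{rule}/{t.dst_port}"] += 1
        elif t.state in ("C", "E"):  # only these states carry traffic counters
            bytes_src_to_dst += t.bytes_src_to_dst
            bytes_dst_to_src += t.bytes_dst_to_src
    return {"flows": len(flows), "denied_inbound": dict(denied_inbound),
            "bytes_src_to_dst": bytes_src_to_dst, "bytes_dst_to_src": bytes_dst_to_src}


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD))
```

On the constructed sample this reports five tuples, three denied inbound flows (ports 22 and 119 under BlockHighRiskTCPPortsFromInternet, port 44357 under Internet) and 767/1580 bytes for the one completed outbound session. Begin (B) records are deliberately excluded from the byte totals, since only C and E records carry traffic counters.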