Azure Virtual Network Flow Logs

  • Updated on Jan 24, 2026
  • Published on Aug 20, 2025
Prev Next

NSG → VNF

Microsoft used to support NSG.

Since 2025 they asked all of the integrations to start ingesting Azure VNF (Azure Virtual Network Flow Logs) instead.

Hunters only supports the FlowLogEvent data (from the NetworkSecurityGroupFlowEvent category).

The NTAIpDetails, NTANetAnalytics, and NTATopologyDetails logs belong to Traffic Analytics in Azure and aren’t required not supported.

Hunters only processes the raw NSG Flow Logs, which looks like:

{"records":[{"time":"2022-09-14T09:00:52.5625085Z","flowLogVersion":4,"flowLogGUID":"GUID_1","macAddress":"MAC_1","category":"FlowLogFlowEvent","flowLogResourceID":"/SUBSCRIPTIONS/SUB_1/RESOURCEGROUPS/RG_1/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NW_1/FLOWLOGS/FLOWLOG_1","targetResourceID":"/subscriptions/SUB_1/resourceGroups/RG_2/providers/Microsoft.Network/virtualNetworks/VNET_1","operationName":"FlowLogFlowEvent","flowRecords":{"flows":[{"aclID":"ACL_1","flowGroups":[{"rule":"DefaultRule_AllowInternetOutBound","flowTuples":["1663146003599,PRIV_IP_1,EXT_IP_1,23956,443,6,O,B,NX,0,0,0,0","1663146003606,PRIV_IP_1,EXT_IP_1,23956,443,6,O,E,NX,3,767,2,1580","1663146003637,PRIV_IP_1,EXT_IP_2,22730,443,6,O,B,NX,0,0,0,0","1663146003640,PRIV_IP_1,EXT_IP_2,22730,443,6,O,E,NX,3,705,4,4569","1663146004251,PRIV_IP_1,EXT_IP_2,22732,443,6,O,B,NX,0,0,0,0","1663146004251,PRIV_IP_1,EXT_IP_2,22732,443,6,O,E,NX,3,705,4,4569","1663146004622,PRIV_IP_1,EXT_IP_2,22734,443,6,O,B,NX,0,0,0,0","1663146004622,PRIV_IP_1,EXT_IP_2,22734,443,6,O,E,NX,2,134,1,108","1663146017343,PRIV_IP_1,EXT_IP_3,36776,443,6,O,B,NX,0,0,0,0","1663146022793,PRIV_IP_1,EXT_IP_3,36776,443,6,O,E,NX,22,2217,33,32466"]}]} ,{"aclID":"ACL_1","flowGroups":[{"rule":"BlockHighRiskTCPPortsFromInternet","flowTuples":["1663145998065,EXT_IP_4,PRIV_IP_1,55188,22,6,I,D,NX,0,0,0,0","1663146005503,EXT_IP_5,PRIV_IP_1,35276,119,6,I,D,NX,0,0,0,0"]},{"rule":"Internet","flowTuples":["1663145989563,EXT_IP_6,PRIV_IP_1,50557,44357,6,I,D,NX,0,0,0,0","1663145989679,EXT_IP_7,PRIV_IP_1,62797,35945,6,I,D,NX,0,0,0,0","1663145989709,EXT_IP_8,PRIV_IP_1,51961,65515,6,I,D,NX,0,0,0,0","1663145990049,EXT_IP_9,PRIV_IP_1,40497,40129,6,I,D,NX,0,0,0,0","1663145990145,EXT_IP_7,PRIV_IP_1,62797,30472,6,I,D,NX,0,0,0,0","1663145990175,EXT_IP_8,PRIV_IP_1,51961,28184,6,I,D,NX,0,0,0,0","1663146015545,EXT_IP_6,PRIV_IP_1,50557,31244,6,I,D,NX,0,0,0,0"]}]}]}}]}

Table name: azure_virtual_network_flow_logs

Azure Virtual Network Flow Logs capture information about network traffic flowing through network security groups in an Azure subscription, including details about allowed and denied connections, traffic volume, and flow patterns.

Send data to Hunters

Hunters supports the ingestion of these logs using Azure Event Hub. Follow the steps below to complete the connection. Azure Flow Logs are managed exclusively through Network Watcher and must be written to a Storage Account, with Log Analytics optional for Traffic Analytics and from there to be read by an Azure Function (holding a small reading-writing script) that would be triggered whenever there’s a new blob-json to be read from the Azure Storage and written by this function to Azure event-hub.

Hunters supports the ingestion of these logs using Azure Event Hub. Follow the steps below to complete the connection.

STEP 1: Set up Azure Event Hub

Before setting up the connection on the Hunters platform, you'll need to set up and create an Azure Event Hub.

Follow this guide to complete the set up.

STEP 2: Route logs to the Event Hub

  1.   Azure no longer supports the simple “Diagnostic -> Stream to Event Hub” flow for VNet Flow Logs. There is no direct “Stream to Event Hub” option for VNet Flow Logs under Diagnostic Settings anymore. So in order to send logs to Event Hub, we must architect a forwarding mechanism:
    Write VNet Flow Logs to Azure Storage → Then use some forwarder (Event Grid → Event Hub, Logic App, Function App) to relay Storage blobs into Event Hub.
    Traffic Analytics / Log Analytics exports to Event Hub are summaries - If you try to export using Traffic Analytics → Event Hub, you only get the NTANetAnalytics summarized data -  not the full raw flow logs.

  2.    Some links to official Azure guides:
    📌 Flow Logs overview (how logs are stored)
    📌 How to manage (configure) VNet Flow Logs to Storage
    📌 Azure tutorial (enable / use VNet Flow Logs)

  3.    Create the Azure Function App (container first) - Create a resource - Function App

  4.    Basics tab 

    Subscription: your subscription

Resource Group: same or new

Function App name: vnet-flowlogs-to-eventhub

Runtime stack: Python

Region: same as Storage and Event Hub

    Hosting tab

    Operating System: Linux

Plan type: Consumption

Storage account: auto-create or reuse


    Click Review + Create → Create


  5.    Add Event Hub connection (output target)

    Azure Portal → Function App → your app → Configuration
    Add Application Setting

    Click + New application setting

    Name: EVENT_HUB_CONNECTION

Value: Event Hub connection string

(from Event Hub → Shared access policies → RootManageSharedAccessKey)


    Click Save

  6.    Create the Function itself

    Azure Portal → Function App → Functions → + Create

Create function

Development environment: Develop in portal

Template: Event Grid trigger

Function name: FlowLogBlobCreated


    Click Create

  7.    Connect Function output to Event Hub 

    Trigger: Event Grid

Outputs: empty


    Add Output

    Binding type: Event Hub

Event Hub name: your Event Hub name

Event Hub connection: EVENT_HUB_CONNECTION

Send batch: Yes


    Click Save

  8.    Connect Storage Account → Event Grid → Function

    Azure Portal → Storage Account (where flow logs are written)

Click Events → + Event Subscription → Basics

Name: vnet-flowlogs-to-function

Event Schema: Event Grid Schema

Event types: Blob Created



    Filters tab

    Subject begins with: /blobServices/default/containers/insights-logs-flowlogflowevent/ (this prevents other blobs from triggering)


    Endpoint tab

    1. Endpoint type: Azure Function

    2. Subscription: your subscription

    3. Resource group: RG of Function

    4. Function App: your app

    5. Function: FlowLogBlobCreated

      Click Confirm selection

      Create subscription

      Storage Account → Events

Event subscription filter (container path)

Endpoint = Azure Function


  9.    Minimal Function code (reads blob → sends to Event Hub)
    Azure gives you a stub. Replace it with minimal, raw-forward logic.

    Python example:

    import json
import logging
import azure.functions as func
import requests

def main(event: func.EventGridEvent, outputEventHub: func.Out[str]):
    data = event.get_json()

    blob_url = data["url"]

    # Read the blob
    response = requests.get(blob_url)
    response.raise_for_status()

    # Send raw JSON to Event Hub
    outputEventHub.set(response.text)

    1. Do NOT parse or enrich

    2. Forward raw blob JSON as-is

    3. Hunters expects FlowLogFlowEvent

  10.   In the Azure portal, search for and open Network Watcher and create a new exporter for the Vflow logs:

  11.    Under Logs, click Flow logs. Click + Create or Create flow log.

    On the Basics tab, select your Subscription and Virtual Network.
    Under Storage account, select an Azure Storage Account to which flow logs will be written.
    Click Review + create and then Create:

    Click Create

  12.   Now we have Azure VNet Flow Logs written to a Storage Account (Network Watcher writes VNet Flow Logs as blobs to our storage). And we also have a small function (python script) that ingest them into Event Hub. Customers must foollow steps 3 to 9 in order to create a forward pipeline from Storage → Event Hub.
    Azure gives you a few realistic, supported patterns. In our practice, this is the cleanest and most common option (recommended by hunters):

    Storage Account → Event Grid → Azure Function → Event Hub

  13.   If you would like to use Event Grid to fire an event whenever a new blob is created and Azure Function is triggered by Event Grid.
    To create Event Grid subscription please follow this next official Azure Event Grid guide.

  14.    Now the last step would be to create an Azure Function → Azure Event Hubs bindings for Azure Functions. Azure Functions supports trigger and output bindings for Event Hubs.

    The Function:

    • Reads the blob (Vflow log blob)

    • Sends the raw JSON to Event Hub

    • Hunters consumes from Event Hub (as today)

  15.   Now you have a full pipeline:

    Network Watcher
  (creates flow logs)
        ↓
Storage Account
  (stores blobs)
        ↓
Event Grid
  (detects blob creation and triggers the Azure Function to work)
        ↓
Azure Function
  (reads blob and write it as blob json to Event Hub)
        ↓
Event Hub
        ↓
Hunters

STEP 3: Set up the connection on Hunters

📘 Before you begin
To complete this process you will need the information gathered when following this guide.
To connect logs to Hunters:
  1. Open the Hunters platform and navigate to Data > Data Sources.
    Data sources1
  2. Click ADD DATA SOURCES.
    Add data source4
  3. Locate the Microsoft Azure panel and click Connect.
    The Add Data Flows window opens.
  4. Fill in the required Azure application details, as gathered here under STEP 2.
    Connect Azure logs on Hunters
  5. Under the Data Types section, activate the data types you want to connect.
  6. For each activated data type, fill in the required information, as gathered here:
    1. Under STEP 1 - Subscription ID
    2. Under STEP 3 - Resource group name and Event Hub namespace and
    3. Under STEP 4 - Event Hub name.
  7. OPTIONAL: Under the Consumer group field you can specify a specific Azure Event Hub consumer group, or leave this field empty to use the default consumer group.
  8. Click Test Connection to make sure everything was set up correctly.
  9. Once the connection is established, click Submit.

Expected format

{
    "records": [
        {
            "time": "2022-09-14T09:00:52.5625085Z",
            "flowLogVersion": 4,
            "flowLogGUID": "66aa66aa-bb77-cc88-dd99-00ee00ee00ee",
            "macAddress": "112233445566",
            "category": "FlowLogFlowEvent",
            "flowLogResourceID": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
            "targetResourceID": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",
            "operationName": "FlowLogFlowEvent",
            "flowRecords": {
                "flows": [
                    {
                        "aclID": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
                        "flowGroups": [
                            {
                                "rule": "DefaultRule_AllowInternetOutBound",
                                "flowTuples": [
                                    "1663146003599,10.0.0.6,192.0.2.180,23956,443,6,O,B,NX,0,0,0,0",
                                    "1663146003606,10.0.0.6,192.0.2.180,23956,443,6,O,E,NX,3,767,2,1580",
                                    "1663146003637,10.0.0.6,203.0.113.17,22730,443,6,O,B,NX,0,0,0,0",
                                    "1663146003640,10.0.0.6,203.0.113.17,22730,443,6,O,E,NX,3,705,4,4569",
                                    "1663146004251,10.0.0.6,203.0.113.17,22732,443,6,O,B,NX,0,0,0,0",
                                    "1663146004251,10.0.0.6,203.0.113.17,22732,443,6,O,E,NX,3,705,4,4569",
                                    "1663146004622,10.0.0.6,203.0.113.17,22734,443,6,O,B,NX,0,0,0,0",
                                    "1663146004622,10.0.0.6,203.0.113.17,22734,443,6,O,E,NX,2,134,1,108",
                                    "1663146017343,10.0.0.6,198.51.100.84,36776,443,6,O,B,NX,0,0,0,0",
                                    "1663146022793,10.0.0.6,198.51.100.84,36776,443,6,O,E,NX,22,2217,33,32466"
                                ]
                            }
                        ]
                    },
                    {
                        "aclID": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
                        "flowGroups": [
                            {
                                "rule": "BlockHighRiskTCPPortsFromInternet",
                                "flowTuples": [
                                    "1663145998065,101.33.218.153,10.0.0.6,55188,22,6,I,D,NX,0,0,0,0",
                                    "1663146005503,192.241.200.164,10.0.0.6,35276,119,6,I,D,NX,0,0,0,0"
                                ]
                            },
                            {
                                "rule": "Internet",
                                "flowTuples": [
                                    "1663145989563,192.0.2.10,10.0.0.6,50557,44357,6,I,D,NX,0,0,0,0",
                                    "1663145989679,203.0.113.81,10.0.0.6,62797,35945,6,I,D,NX,0,0,0,0",
                                    "1663145989709,203.0.113.5,10.0.0.6,51961,65515,6,I,D,NX,0,0,0,0",
                                    "1663145990049,198.51.100.51,10.0.0.6,40497,40129,6,I,D,NX,0,0,0,0",
                                    "1663145990145,203.0.113.81,10.0.0.6,62797,30472,6,I,D,NX,0,0,0,0",
                                    "1663145990175,203.0.113.5,10.0.0.6,51961,28184,6,I,D,NX,0,0,0,0",
                                    "1663146015545,192.0.2.10,10.0.0.6,50557,31244,6,I,D,NX,0,0,0,0"
                                ]
                            }
                        ]
                    }
                ]
            }
        }
    ]

The official Azure flow logs are written to Azure Storage in JSON format and from there on with Azure Function to Azure Blob-Storage. There is no direct “Stream to Event Hub” option for VNet Flow Logs under Diagnostic Settings anymore.