NetworkSessions
Network connections or sessions such as those logged by firewalls, Wire Data, NSG, Netflow, proxy systems and web security gateways.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time transformation | No |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AdditionalFields | dynamic | When no respective column in the schema matches, additional fields can be stored in a JSON bag. |
| _BilledSize | real | The record size in bytes |
| CloudAppId | string | The ID of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used. |
| CloudAppName | string | The name of the destination application for an HTTP application as identified by a proxy. |
| CloudAppOperation | string | The operation the user performed in the context of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used. |
| CloudAppRiskLevel | string | The risk level associated with an HTTP application as identified by a proxy. This value is usually specific to the proxy used. |
| DstBytes | long | The number of bytes sent from the destination to the source for the connection or session. |
| DstDomainHostname | string | The domain of the destination host. |
| DstDvcDomain | string | The Domain of the destination device. |
| DstDvcFqdn | string | The fully qualified domain name of the host where the log was created. |
| DstDvcHostname | string | The device name of the destination device. |
| DstDvcIpAddr | string | The destination IP address of a device that is not directly associated with the network packet. |
| DstDvcMacAddr | string | The destination MAC address of a device that is not directly associated with the network packet. |
| DstGeoCity | string | The city associated with the destination IP address. |
| DstGeoCountry | string | The country associated with the source IP address. |
| DstGeoLatitude | real | The latitude of the geographical coordinate associated with the destination IP address. |
| DstGeoLongitude | real | The longitude of the geographical coordinate associated with the destination IP address |
| DstGeoRegion | string | The region within a country associated with the destination IP address. |
| DstInterfaceGuid | string | GUID of the network interface which was used for authentication request. |
| DstInterfaceName | string | The network interface used for the connection or session by the destination device. |
| DstIpAddr | string | The IP address of the connection or session destination. |
| DstMacAddr | string | The MAC address of the network interface at which the connection or session terminated. |
| DstNatIpAddr | string | If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the source. |
| DstNatPortNumber | int | If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the source. |
| DstPackets | long | The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. |
| DstPortNumber | int | The destination IP port. |
| DstResourceId | string | The resource Id of the destination device. |
| DstUserAadId | string | The Azure AD account object ID of the user at the destination end of the session. |
| DstUserDomain | string | The domain or computer name of the account at the destination of the session. |
| DstUserName | string | The username of the identity associated with the session’s destination. |
| DstUserSid | string | The User ID of the identity associated with the session's destination. Typically, the identity used to authenticate a server. |
| DstUserUpn | string | The UPN of the identity associated with the session’s destination. |
| DstZone | string | The network zone of the destination, as defined by the reporting device. |
| DvcAction | string | If reported by an intermediary device such as a firewall, the action taken by device. |
| DvcHostname | string | The device name of the device generating the message. |
| DvcInboundInterface | string | If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the source device. |
| DvcIpAddr | string | The IP address of the device generating the record. |
| DvcMacAddr | string | The MAC address of the network interface of the reporting device from which the event was sent. |
| DvcOutboundInterface | string | If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the destination device. |
| EventCount | int | The number of events aggregated, if applicable. |
| EventEndTime | datetime | The time in which the event ended. |
| EventMessage | string | A general message or description, either included in, or generated from the record. |
| EventOriginalUid | string | The record ID from the reporting device. |
| EventProduct | string | The product generating the event. |
| EventProductVersion | string | The version of the product generating the event. |
| EventReportUrl | string | A link to the full report created by the reporting device. |
| EventResourceId | string | The resource ID of the device generating the message. |
| EventResult | string | The result reported for the activity. Empty value when not applicable. |
| EventResultDetails | string | Reason for the result reported in EventResult |
| EventSchemaVersion | string | Azure Sentinel Schema Version. |
| EventSeverity | string | If the activity reported has a security impact, denotes the severity of the impact. |
| EventStartTime | datetime | The time in which the event stated. |
| EventSubType | string | Additional description of type if applicable. |
| EventTimeIngested | datetime | The time the event was ingested to Azure Sentinel. Will be added by Azure Sentinel. |
| EventType | string | Type of event being collected. |
| EventUid | string | Unique identifier used by Sentinel to mark a row. |
| EventVendor | string | The vendor of the product generating the event. |
| FileExtension | string | The type of the file transmitted over the network connections for protocols such as FTP and HTTP. |
| FileHashMd5 | string | The MD5 hash value of the file transmitted over the network connections for protocols. |
| FileHashSha1 | string | The SHA1 hash value of the file transmitted over the network connections for protocols. |
| FileHashSha256 | string | The SHA256 hash value of the file transmitted over the network connections for protocols. |
| FileHashSha512 | string | The SHA512 hash value of the file transmitted over the network connections for protocols. |
| FileMimeType | string | The MIME type of the file transmitted over the network connections for protocols such as FTP and HTTP. |
| FileName | string | The filename transmitted over the network connections for protocols such as FTP and HTTP which provide the file name information. |
| FilePath | string | The full path, including file name, of the file. |
| FileSize | int | The file size, in bytes, of the file transmitted over the network connections for protocols. |
| HttpContentType | string | The HTTP Response content type header for HTTP/HTTPS network sessions. |
| HttpReferrerOriginal | string | The HTTP referrer header for HTTP/HTTPS network sessions. |
| HttpRequestMethod | string | The HTTP Method for HTTP/HTTPS network sessions. |
| HttpRequestTime | int | The amount of time it took to send the request to the server, if applicable. |
| HttpRequestXff | string | The HTTP X-Forwarded-For header for HTTP/HTTPS network sessions. |
| HttpResponseTime | int | The amount of time it took to receive a response in the server, if applicable. |
| HttpStatusCode | string | The HTTP Status Code for HTTP/HTTPS network sessions. |
| HttpUserAgentOriginal | string | The HTTP user agent header for HTTP/HTTPS network sessions. |
| HttpVersion | string | The HTTP Request Version for HTTP/HTTPS network connections. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| NetworkApplicationProtocol | string | The application layer protocol used by the connection or session. |
| NetworkBytes | long | Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. |
| NetworkDirection | string | The direction the connection or session, into or out of the organization. |
| NetworkDuration | int | The amount of time, in millisecond, for the completion of the network session or connection. |
| NetworkIcmpCode | int | For an ICMP message, ICMP message type numeric value (RFC 2780 or RFC 4443). |
| NetworkIcmpType | string | For an ICMP message, ICMP message type text representation (RFC 2780 or RFC 4443). |
| NetworkPackets | long | Number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. |
| NetworkProtocol | string | The IP protocol used by the connection or session. Typically, TCP, UDP or ICMP. |
| NetworkRuleName | string | The name or ID of the rule by which DeviceAction was decided upon. |
| NetworkRuleNumber | int | Matched rule number. |
| NetworkSessionId | string | The session identifier as reported by the reporting device. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SrcBytes | long | The number of bytes sent from the source to the destination for the connection or session. |
| SrcDvcDomain | string | Domain of the device from which session was initiated. |
| SrcDvcFqdn | string | The fully qualified domain name of the host where the log was created. |
| SrcDvcHostname | string | The device name of the source device. |
| SrcDvcIpAddr | string | The source IP address of a device not directly associated with the network packet (collected by a provider or explicitly calculated). |
| SrcDvcMacAddr | string | The source MAC address of a device that is not directly associated with the network packet. |
| SrcDvcModelName | string | The model of the source device. |
| SrcDvcModelNumber | string | The model number of the source device. |
| SrcDvcOs | string | The OS of the source device. |
| SrcDvcType | string | The type of the source device. |
| SrcGeoCity | string | The city associated with the source IP address. |
| SrcGeoCountry | string | The country associated with the source IP address. |
| SrcGeoLatitude | real | The latitude of the geographical coordinate associated with the source IP address. |
| SrcGeoLongitude | real | The longitude of the geographical coordinate associated with the source IP address. |
| SrcGeoRegion | string | The region within a country associated with the source IP address. |
| SrcInterfaceGuid | string | GUID of the network interface used. |
| SrcInterfaceName | string | The network interface used for the connection or session by the source device. |
| SrcIpAddr | string | The IP address from which the connection or session originated. |
| SrcMacAddr | string | The MAC address of the network interface from which the connection od session originated. |
| SrcNatIpAddr | string | If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the destination. |
| SrcNatPortNumber | int | If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the destination. |
| SrcPackets | long | The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. |
| SrcPortNumber | int | The IP port from which the connection originated. May not be relevant for a session comprising multiple connections. |
| SrcResourceId | string | The resource ID of the device generating the message. |
| SrcUserAadId | string | The Azure AD account object ID of the user at the source end of the session. |
| SrcUserDomain | string | The domain for the account initiating the session. |
| SrcUserName | string | The username of the identity associated with the sessions source. Typically, user performing an action on the client. |
| SrcUserSid | string | The user ID of the identity associated with the sessions source. Typically, user performing an action on the client. |
| SrcUserUpn | string | UPN of the account initiating the session. |
| SrcZone | string | The network zone of the source, as defined by the reporting device. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatCategory | string | The category of a threat identified by a security system such as Web Security Gateway of an IPS and is associated with this network session. |
| ThreatId | string | The ID of a threat identified by a security system such as Web Security Gateway of an IPS and is associated with this network session. |
| ThreatName | string | The name of the threat or malware identified. |
| TimeGenerated | datetime | The time the event occurred, as reported by reporting source. |
| Type | string | The name of the table |
| UrlCategory | string | The defined grouping of a URL (or could be just based on the domain in the URL) related to what it is (i.e.: adult, news, advertising, parked domains, etc.). |
| UrlHostname | string | The domain part of an HTTP request URL for HTTP/HTTPS network sessions. |
| UrlOriginal | string | The HTTP request URL for HTTP/HTTPS network sessions. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for