Reference for VMConnection table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | VMinsights |
| Basic Logs Eligible | ✗ No |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AgentId | string | Unique agent GUID for the agent reporting data on the server. |
| BytesReceived | long | Total number of bytes that have been received during the reporting time window. |
| BytesSent | long | Total number of bytes that have been sent during the reporting time window. |
| Computer | string | Name of the server from the ServiceMapComputer_CL table. |
| Confidence | string | Values are 0 - 100. |
| ConnectionId | string | Unique Id for the connection record. |
| Description | string | Description of the observed threat. |
| DestinationIp | string | IP address of the destination. |
| DestinationPort | int | Port number of the destination. |
| Direction | string | Direction of the connection. Value is inbound or outbound. |
| FirstReportedDateTime | string | The first time the provider reported the indicator. |
| IndicatorThreatType | string | Threat indicator detected. Possible values are Botnet, C2, CryptoMining, Darknet, DDos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist. |
| IsActive | string | The last time the indicator was seen by Interflow. |
| LastReportedDateTime | string | Indicates indicators are deactivated with True or False value. |
| LinksEstablished | long | Number of physical network connections that have been established during the reporting time window. |
| LinksFailed | long | Number of physical network connections that have failed during the reporting time window. This information is currently available only for outbound connections. |
| LinksLive | long | Number of physical network connections that were open at the end of the reporting time window. |
| LinksTerminated | long | Number of physical network connections that have been terminated during the reporting time window. |
| Machine | string | FQDN of the computer. |
| MaliciousIp | string | Remote IP address. |
| Process | string | Identity of process or groups of processes initiating or accepting the connection. |
| ProcessName | string | Unique identifier for the process in the ServiceMapProcess_CL table. |
| Protocol | string | Protocol used for the connection. Only possible value is tcp. |
| RemoteClassification | string | A classification of the remote endpoint based on its IP and DNS names and the corresponding Azure service. |
| RemoteCountry | string | Name of the country or region hosting RemoteIp. |
| RemoteDnsCanonicalNames | string | A JSON array of canonical names that came back from the DNS server. For example, when using Traffic Manager you issue a question to foo.trafficmanager.net and get back a canonical name such as something.myservice.com together with an IP address. |
| RemoteDnsQuestions | string | A JSON array of DNS questions (lookups) that were performed on the machine and resolved to the RemoteIp listed in the record. |
| RemoteIp | string | The IP address of the remote end of a connection is included in the RemoteIp property. For inbound connections RemoteIp is the same as SourceIp while for outbound connections it is the same as DestinationIp. |
| RemoteLatitude | real | Geolocation latitude. An example would be 47.68. |
| RemoteLongitude | real | Geolocation longitude. An example would be -122.12. |
| Responses | long | Number of responses observed during the reporting time window. |
| ResponseTimeMax | long | Largest response time observed during the reporting time window in milliseconds. If no value the property is blank. |
| ResponseTimeMin | long | Smallest response time observed during the reporting time window in milliseconds. If no value, the property is blank. |
| ResponseTimeSum | long | Sum of all response times observed during the reporting time window in milliseconds. If no value the property is blank. |
| Severity | int | Possible values are 0 - 5 where 5 is the most severe and 0 is not severe at all. Default value is 3. |
| SourceIp | string | IP address of the source. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TimeGenerated | datetime | Date and time the record was created. |
| TLPLevel | string | Traffic Light Protocol (TLP) Level. Possible values are White, Green, Amber, Red. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Time series anomaly for data size transferred to public internet | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to VMConnection | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to VMConnection | |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
Standalone Content:
In solution Apache Log4j Vulnerability Detection:
| Hunting Query | Selection Criteria |
|---|---|
| Malicious Connection to LDAP port for CVE-2021-44228 vulnerability | |
In solution Attacker Tools Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Cobalt Strike DNS Beaconing | |
In solution Legacy IOC based Threat Protection:
| Hunting Query | Selection Criteria |
|---|---|
| Connection from external IP to OMI related Ports | |
In solution Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to VMConnection Event | |
In solution Threat Intelligence (NEW):
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to VMConnection Event | |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| RareDNSLookupWithDataTransfer | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| SecurityStatus | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| ExchangeCompromiseHunting | |
| SecurityStatus | |
| UserMap | |
| VirtualMachinesInsights | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimNetworkSessionVMConnection | NetworkSession | VMConnection | |
This table collects data from the following Azure resource types:
- microsoft.compute/virtualmachines
- microsoft.connectedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
- microsoft.compute/virtualmachinescalesets