Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Reference for VMConnection table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | VMinsights |
| Basic Logs Eligible | ✗ No |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AgentId | string | Unique agent GUID for the agent reporting data on the server. |
| BytesReceived | long | Total number of bytes that have been received during the reporting time window. |
| BytesSent | long | Total number of bytes that have been sent during the reporting time window. |
| Computer | string | Name of the server from the ServiceMapComputer_CL table. |
| Confidence | string | Values are 0 - 100. |
| ConnectionId | string | Unique Id for the connection record. |
| Description | string | Description of the observed threat. |
| DestinationIp | string | IP address of the destination. |
| DestinationPort | int | Port number of the destination. |
| Direction | string | Direction of the connection value is inbound or outbound |
| FirstReportedDateTime | string | The first time the provider reported the indicator. |
| IndicatorThreatType | string | Threat indicator detected. Possible values are Botnet C2 CryptoMining Darknet DDos MaliciousUrl Malware Phishing Proxy PUA Watchlist. |
| IsActive | string | The last time the indicator was seen by Interflow. |
| LastReportedDateTime | string | Indicates indicators are deactivated with True or False value. |
| LinksEstablished | long | Number of physical network connections that have been established during the reporting time window. |
| LinksFailed | long | Number of physical network connections that have failed during the reporting time window. This information is currently available only for outbound connections. |
| LinksLive | long | Number of physical network connections that were open at the end of the reporting time window. |
| LinksTerminated | long | Number of physical network connections that have been terminated during the reporting time window. |
| Machine | string | FQDN of the computer. |
| MaliciousIp | string | Remote IP address. |
| Process | string | Identity of process or groups of processes initiating or accepting the connection. |
| ProcessName | string | Unique identifier for the process in the ServiceMapProcess_CL table. |
| Protocol | string | Protocol used for the connection. Only possible value is tcp. |
| RemoteClassification | string | A classification of the remote endpoint based on its ip and dns names and the corresponding Azure service. |
| RemoteCountry | string | Name of the country or region hosting RemoteIp. |
| RemoteDnsCanonicalNames | string | A JSON array of canonical names that came back from the DNS server. For example when using traffic manager you issue a question to foo.trafficmanage.net and get a canonical name as something.myservice.com together with an ip address. |
| RemoteDnsQuestions | string | A JSON array of DNS questions (lookups) that were performed on the machine and resolved to the RemoteIp listed in the record. |
| RemoteIp | string | The IP address of the remote end of a connection is included in the RemoteIp property. For inbound connections RemoteIp is the same as SourceIp while for outbound connections it is the same as DestinationIp. |
| RemoteLatitude | real | Geolocation latitude. An example would be 47.68. |
| RemoteLongitude | real | Geolocation longitude. An example would be -122.12. |
| Responses | long | Number of responses observed during the reporting time window. |
| ResponseTimeMax | long | Largest response time observed during the reporting time window in milliseconds. If no value the property is blank. |
| ResponseTimeMin | long | Smallest response time observed during the reporting time windowin milliseconds. If no value the property is blank. |
| ResponseTimeSum | long | Sum of all response times observed during the reporting time window in milliseconds. If no value the property is blank. |
| Severity | int | Possible values are 0 - 5 where 5 is the most severe and 0 is not severe at all. Default value is 3. |
| SourceIp | string | IP address of the source. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TimeGenerated | datetime | Date and time the record was created. |
| TLPLevel | string | Traffic Light Protocol (TLP) Level. Possible values are White Green Amber Red. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Time series anomaly for data size transferred to public internet |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to VMConnection |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to VMConnection |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 |
In solution Apache Log4j Vulnerability Detection:
| Hunting Query | Selection Criteria |
|---|---|
| Malicious Connection to LDAP port for CVE-2021-44228 vulnerability |
In solution Attacker Tools Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Cobalt Strike DNS Beaconing |
In solution Legacy IOC based Threat Protection:
| Hunting Query | Selection Criteria |
|---|---|
| Connection from external IP to OMI related Ports |
In solution Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to VMConnection Event |
In solution Threat Intelligence (NEW):
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to VMConnection Event |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| SecurityStatus |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimNetworkSessionVMConnection | NetworkSession | VMConnection |
This table collects data from the following Azure resource types:
microsoft.compute/virtualmachinesmicrosoft.conenctedvmwarevsphere/virtualmachinesmicrosoft.azurestackhci/virtualmachinesmicrosoft.scvmm/virtualmachinesmicrosoft.compute/virtualmachinescalesetsBrowse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊