Cloud Enrichment — Azure
Enriched fields produced by this configuration are applied and available in the Network Conversations Module output.
When Azure NSG or VNet Flow Log ingestion is configured, NFO enriches flows with VM names, virtual network and subnet identifiers, subscription and resource group context, and cloud region data. The EDFN agent uses the same service principal or managed identity credentials configured for ingestion to retrieve this metadata. No additional access configuration is required.
Prerequisite: Azure Flow Log ingestion must be configured first. See Azure NSG and VNet Flow Logs Configuration for setup instructions.
Enriched Fields
The table below lists the enrichment fields added by NFO to Azure flow records. Fields marked as Built-in are populated from the Cloud Service & Region lookup and require no ingestion setup.
| Field | Source | Description |
|---|---|---|
| src_cloud_service | Built-in | Azure service associated with the source IP (e.g. AzureAppService, AzureStorage) |
| dest_cloud_service | Built-in | Azure service associated with the destination IP |
| src_cloud_region | Built-in | Azure region of the source IP (e.g. eastus, westeurope) |
| dest_cloud_region | Built-in | Azure region of the destination IP |
| azure_src_vm_name | Ingestion | Name of the source VM |
| azure_dest_vm_name | Ingestion | Name of the destination VM |
| azure_src_vnet_name | Ingestion | Source virtual network name |
| azure_dest_vnet_name | Ingestion | Destination virtual network name |
| azure_src_subnet_name | Ingestion | Source subnet name |
| azure_dest_subnet_name | Ingestion | Destination subnet name |
| azure_src_nsg_name | Ingestion | Source NSG name |
| azure_dest_nsg_name | Ingestion | Destination NSG name |
| azure_src_subs_id | Ingestion | Source subscription ID |
| azure_src_subs_name | Ingestion | Source subscription name |
| azure_dest_subs_id | Ingestion | Destination subscription ID |
| azure_dest_subs_name | Ingestion | Destination subscription name |
| azure_src_res_grp_name | Ingestion | Source resource group name |
| azure_dest_res_grp_name | Ingestion | Destination resource group name |
| exp_name | Ingestion | Name of the NSG or VNet flow exporter |
How Enrichment Is Updated
The EDFN agent periodically queries the Azure Resource Manager API to refresh its lookup of VM names, VNet names, subnet names, and subscription metadata. The refresh interval is controlled by the Cron Schedule setting in the EDFN Agent configuration for Azure Flow Logs.
Credential Requirements
The service principal or managed identity used for ingestion must have the Reader role on each monitored subscription, and Storage Blob Data Reader and Storage Queue Data Message Processor roles on the flow log storage account. These permissions cover both ingestion and enrichment. No additional roles are required.
Note: NSG flow logs will be retired by Microsoft on 30 September 2027. We recommend configuring VNet flow logs for new deployments.