Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home KQL

How to Send Azure SQL Server Audit Logs to Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
December 25, 2020
in KQL
0
Microsoft Releases Azure Sentinel, a Cloud Native SIEM, to General Availability
2.9kViews
685 Shares Share on Facebook Share on Twitter

Still in preview, you can send your Azure-based SQL Server Audit logs to the same Log Analytics workspace that is being used by Azure Sentinel.

In many other services, you would enable a Diagnostic Setting to send the logs to Azure Sentinel. But, Azure SQL Server is a bit different so it’s good to highlight.

  1. In your SQL Server instance, jump to the Auditing blade.
  2. Enable Azure SQL Auditing by toggling the switch.
  3. Select the Log Analytics workspace for which you want to send the log files (your Azure Sentinel workspace).
  4. Save it.
Enable Azure SQL Auditing

Also, note that there’s an option now that you can turn on logging for when Microsoft support persons are called on to help with service issues for your SQL Server instances.

Auditing data is stored in the AzureDiagnostics table in a SQLSecurityAuditEvents category:

AzureDiagnostics 
| where TimeGenerated > ago(24h) 
| where Category == "SQLSecurityAuditEvents"

All audit log fields can be researched here: https://docs.microsoft.com/en-us/azure/azure-sql/database/audit-log-format#subheading-1

Some ideas of things you want to look for:

  • Audit trail
  • Database activity
  • Suspicious events
  • Unusual activity

P.S. If you decide to enable this, it comes with a sort of gotcha – or at least a scary message. When you start shifting through Azure Sentinel blades you’ll be met with the following message periodically…

Azure Sentinel Workspace locked?

A Delete lock gets placed against the Resource Group for the Log Analytics Workspace when enabling the SQL Audit log flow. There’s no other indication that this is going to happen other than the nasty message that starts popping up.

You can jump into the Resource Group for the Log Analytics Workspace and delete the locks and the Audit logs still continue to flow just fine. Make sure to log out of the Azure portal and back in for the changes to take effect.

Reference: https://azurecloudai.blog/2020/10/29/how-to-send-azure-sql-server-audit-logs-to-azure-sentinel/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
KQL

New Azure Sentinel Learning Modules Released

February 1, 2021
What’s new: Microsoft Teams connector in Public Preview
KQL

How to Connect the New Intune Devices Log Azure Sentinel

January 26, 2021
What’s new: Microsoft Teams connector in Public Preview
KQL

How to Create a Backup Notification in the Event an Unauthorized User Accesses Azure Sentinel

January 11, 2021
Next Post
With new release, CrowdStrike targets Google Cloud, Azure and container adopters

How to Be Notified When an Azure Sentinel Analytics Rule Has been Created or Modified

Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

MITRE ATT&CK Framework Reference Workbook for Azure Sentinel Updated with Latest Techniques

Microsoft is quietly becoming a cybersecurity powerhouse

What is the app@sharepoint Account in my Azure Sentinel Data?

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

BlueVoyant acquires Managed Sentinel, builds out Microsoft MSS offerings

How to Get Splunk Data into Azure Sentinel

2 months ago
Vectra AI and Microsoft partner on security integration

Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel

2 months ago
Azure Sentinel All-In-One Accelerator

Azure Sentinel All-In-One Accelerator

4 months ago
AttackIQ integrates Security Optimization Platform with Microsoft Azure Sentinel cloud-native SIEM platform

Why Microsoft’s Azure Arc Is A ‘Value Proposition’

3 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News