From 22d70a1d4a47750bdfe73365e3ae6d9831da9926 Mon Sep 17 00:00:00 2001
From: audunsolemdal
Date: Mon, 16 Nov 2020 10:40:03 +0100
Subject: [PATCH] SQL-db/quries/audits: Add example audit queries
---
.../Queries/Audit/AllAuditEntires.kql | 14 ++++++++++++++
.../Queries/Audit/AllFailedAuditEntries.kql | 15 +++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 Azure Services/SQL databases/Queries/Audit/AllAuditEntires.kql
create mode 100644 Azure Services/SQL databases/Queries/Audit/AllFailedAuditEntries.kql
diff --git a/Azure Services/SQL databases/Queries/Audit/AllAuditEntires.kql b/Azure Services/SQL databases/Queries/Audit/AllAuditEntires.kql
new file mode 100644
index 00000000..795fe812
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/Audit/AllAuditEntires.kql
@@ -0,0 +1,14 @@
+AzureDiagnostics
+| where Category =~ "SQLSecurityAuditEvents"
+| extend additional_information_xml=parse_xml(additional_information_s)
+| extend failure_reason=additional_information_xml.batch_information.failure_reason
+| project
+ session_server_principal_name_s,
+ statement_s,
+ TimeGenerated,
+ action_name_s,
+ session_id_d,
+ application_name_s,
+ failure_reason,
+ client_ip_s
+| sort by TimeGenerated desc
\ No newline at end of file
diff --git a/Azure Services/SQL databases/Queries/Audit/AllFailedAuditEntries.kql b/Azure Services/SQL databases/Queries/Audit/AllFailedAuditEntries.kql
new file mode 100644
index 00000000..71055a31
--- /dev/null
+++ b/Azure Services/SQL databases/Queries/Audit/AllFailedAuditEntries.kql
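Review bot: In AllAuditEntires.kql the `project` list drops every column that says where the event happened, so once several databases or servers send audit logs to the same workspace a row cannot be tied to its target. Adding `database_name_s` and `Resource` (or `server_instance_name_s`) to the projection would fix that; the same applies to the projection in AllFailedAuditEntries.kql. `failure_reason` is also left as a dynamic value, and wrapping the path in `tostring(...)` would make it usable in later `where` or `summarize` steps. The query has no `TimeGenerated` bound of its own and depends on the time range chosen by the caller, which is worth a `//` comment at the top of the file.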
@@ -0,0 +1,15 @@
+AzureDiagnostics
+| where Category =~ "SQLSecurityAuditEvents"
+| where succeeded_s == "false"
+| extend additional_information_xml=parse_xml(additional_information_s)
+| extend failure_reason=additional_information_xml.batch_information.failure_reason
+| project
+ session_server_principal_name_s,
+ statement_s,
+ TimeGenerated,
+ action_name_s,
+ session_id_d,
+ application_name_s,
+ failure_reason,
+ client_ip_s
+| sort by TimeGenerated desc
\ No newline at end of file
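Review bot: The filter `| where succeeded_s == "false"` is a case-sensitive string match, while the `Category` line above it uses `=~`; if the audit pipeline ever emits `False`, failed events silently drop out of this view, so `| where succeeded_s =~ "false"` is the safer form. `failure_reason` is read only from `batch_information`, so rows whose additional information has a different shape will show an empty reason; failed logins appear to be one such case, which is worth confirming against real data. A short `//` comment stating that an empty `failure_reason` does not mean the event succeeded would keep readers from misreading the output.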