Auditing for Azure SQL Database and Azure Synapse Analytics

Applies to: Azure SQL Database, Azure Synapse Analytics

Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. Auditing also:
Overview

You can use SQL Database auditing to:
Important: Auditing for Azure SQL Database, Azure Synapse, and Azure SQL Managed Instance is optimized for availability and performance of the database(s) or instance(s) being audited. During periods of very high activity or high network load, the auditing feature may allow transactions to proceed without recording all of the events marked for auditing.

Auditing limitations
Define server-level vs. database-level auditing policy

An auditing policy can be defined for a specific database or as a default server policy in Azure (which hosts SQL Database or Azure Synapse):
Remarks
Set up auditing for your server

The default auditing policy includes the following set of action groups, which audit all the queries and stored procedures executed against the database, as well as successful and failed logins:
You can configure auditing for different types of actions and action groups using PowerShell, as described in the Manage SQL Database auditing using Azure PowerShell section. Azure SQL Database and Azure Synapse auditing stores 4000 characters of data for character fields in an audit record. When the statement or the data_sensitivity_information values returned from an auditable action contain more than 4000 characters, any data beyond the first 4000 characters is truncated and not audited. The following section describes the configuration of auditing using the Azure portal.

Note
Auditing of Microsoft Support operations

Auditing of Microsoft Support operations for your logical server allows you to audit Microsoft support engineers' operations when they need to access your server during a support request. The use of this capability, along with your auditing, enables more transparency into your workforce and allows for anomaly detection, trend visualization, and data loss prevention. To enable auditing of Microsoft Support operations, navigate to Auditing under the Security heading in your Azure SQL server pane, and switch Enable Auditing of Microsoft support operations to ON. To review the audit logs of Microsoft Support operations in your Log Analytics workspace, use the following query:
You have the option of choosing a different storage destination for this audit log, or of reusing the same auditing configuration as your server.
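The support-operations policy is a separate object from the server's own auditing policy, which is why it can have its own destination. The following added example (written for this page, not taken from Microsoft's documentation) enables it from Az PowerShell, points it at a Log Analytics workspace, and reads the records back. The resource group, server, workspace names and subscription ID are placeholders; the table name AzureDiagnostics, the category value DevOpsOperationsAudit and the projected column names are the example author's assumptions and should be checked against the categories present in your own workspace.

```powershell
# Added example, not part of the Microsoft page. Requires the Az.Sql and
# Az.OperationalInsights modules and an authenticated session (Connect-AzAccount).
$rg        = "rg-sql-audit-demo"   # placeholder resource group
$server    = "sqlsrv-demo"         # placeholder logical server name (without .database.windows.net)
$lawName   = "law-demo"            # placeholder Log Analytics workspace name
$workspace = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$lawName"

# Turn on auditing of Microsoft Support operations and send it to the workspace.
# This policy is independent of Set-AzSqlServerAudit, so the destination may differ.
Set-AzSqlServerMSSupportAudit -ResourceGroupName $rg -ServerName $server `
    -LogAnalyticsTargetState Enabled `
    -WorkspaceResourceId $workspace

# Read the policy back to confirm the target is enabled.
Get-AzSqlServerMSSupportAudit -ResourceGroupName $rg -ServerName $server | Format-List

# Query the workspace. Category and column names are assumptions (see lead-in).
$query = @"
AzureDiagnostics
| where Category == "DevOpsOperationsAudit"
| project TimeGenerated, action_name_s, statement_s, server_principal_name_s
| order by TimeGenerated desc
"@

# Invoke-AzOperationalInsightsQuery wants the workspace's customer (GUID) ID, not its ARM ID.
$customerId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $lawName).CustomerId
(Invoke-AzOperationalInsightsQuery -WorkspaceId $customerId -Query $query).Results |
    Format-Table -AutoSize
```

Because support-engineer access is infrequent, a useful detection baseline is simply "any row in this category outside an open support request"; the same query, minus the ordering, can be saved as a scheduled alert rule in the workspace.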
Audit to storage destination

To configure writing audit logs to a storage account, select Storage when you get to the Auditing section. Select the Azure storage account where you want to save your logs. You can use the following two storage authentication types: managed identity and storage access keys. For managed identity, both system-assigned and user-assigned managed identities are supported. By default, the primary user identity assigned to the server is selected. If there is no user identity, a system-assigned identity is created and used for authentication purposes. After you have chosen an authentication type, select a retention period by opening Advanced properties and selecting Save. Logs older than the retention period are deleted.

Note: If you are deploying from the Azure portal, be sure that the storage account is in the same region as your database and server. If you are deploying through other methods, the storage account can be in any region.
Audit to Log Analytics destination

To configure writing audit logs to a Log Analytics workspace, select Log Analytics and open Log Analytics details. Select the Log Analytics workspace where logs will be written, and then click OK. If you have not created a Log Analytics workspace, see Create a Log Analytics workspace in the Azure portal. For more details about Azure Monitor Log Analytics workspaces, see Designing your Azure Monitor Logs deployment.

Audit to Event Hubs destination

To configure writing audit logs to an event hub, select Event Hub. Select the event hub where logs will be written, and then click Save. Be sure that the event hub is in the same region as your database and server.

Analyze audit logs and reports

If you chose to write audit logs to Log Analytics:
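The three destinations described in the preceding sections can also be set from Az PowerShell in a single policy update. The block below is an added example for this page (not Microsoft's sample code): it enables the server-level policy with the three default action groups named earlier and routes the log to a storage account, a Log Analytics workspace and an event hub at once. All resource names, IDs and the subscription GUID are placeholders; in practice you would normally enable only the destination(s) you need.

```powershell
# Added example, not part of the Microsoft page. Requires Az.Sql and Connect-AzAccount.
$rg     = "rg-sql-audit-demo"   # placeholder
$server = "sqlsrv-demo"         # placeholder
$sub    = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID

# The default action groups: every batch (queries and stored procedures) plus
# successful and failed logins, as the text describes.
$defaultGroups = @(
    "BATCH_COMPLETED_GROUP",
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP"
)

# Destination 1: storage account. RetentionInDays applies to this target only;
# records older than it are deleted (0 keeps them indefinitely).
$storageId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/stsqlauditdemo"

# Destination 2: Log Analytics workspace (ARM resource ID, not the customer GUID).
$workspaceId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/law-demo"

# Destination 3: event hub. The authorization rule needs Send rights, and the text
# requires the hub to be in the same region as the server.
$ehRule = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.EventHub/namespaces/ehns-demo/authorizationRules/RootManageSharedAccessKey"

Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -AuditActionGroup $defaultGroups `
    -BlobStorageTargetState Enabled `
    -StorageAccountResourceId $storageId `
    -RetentionInDays 90 `
    -LogAnalyticsTargetState Enabled `
    -WorkspaceResourceId $workspaceId `
    -EventHubTargetState Enabled `
    -EventHubName "sql-audit" `
    -EventHubAuthorizationRuleResourceId $ehRule

# Read the effective server policy back: target states and audited action groups.
Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server | Format-List
```

A reasonable split in production is storage for long-term retention (it is the cheapest place to keep years of .xel files) plus Log Analytics for querying and alerting; the event hub target is the one to use when a SIEM outside Azure consumes the stream.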
If you chose to write audit logs to Event Hub:
If you chose to write audit logs to an Azure storage account, there are several methods you can use to view the logs:
Production practices

Auditing geo-replicated databases

With geo-replicated databases, when you enable auditing on the primary database, the secondary database will have an identical auditing policy. It is also possible to set up auditing on the secondary database by enabling auditing on the secondary server, independently from the primary database.
Storage key regeneration

In production, you are likely to refresh your storage keys periodically. When writing audit logs to Azure storage, you need to resave your auditing policy when refreshing your keys. The process is as follows:
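When the policy authenticates with a storage access key rather than a managed identity, the server holds a copy of one of the two keys, so regenerating that key breaks log delivery until the policy is resaved. The following added example (written for this page, not Microsoft's own procedure script) rotates both keys without a gap by always resaving the policy against the key that is not about to be regenerated. Resource names are placeholders.

```powershell
# Added example, not part of the Microsoft page. Requires Az.Sql, Az.Storage, Connect-AzAccount.
$rg      = "rg-sql-audit-demo"   # placeholder resource group
$server  = "sqlsrv-demo"         # placeholder logical server
$storage = "stsqlauditdemo"      # placeholder storage account name
$storageId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storage).Id

# Step 1: resave the policy so that it uses the SECONDARY key (key2).
# The primary key can then be regenerated without interrupting auditing.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -BlobStorageTargetState Enabled `
    -StorageAccountResourceId $storageId `
    -StorageKeyType Secondary

# Step 2: regenerate the primary key (key1).
New-AzStorageAccountKey -ResourceGroupName $rg -Name $storage -KeyName key1 | Out-Null

# Step 3: resave the policy against the fresh PRIMARY key.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -BlobStorageTargetState Enabled `
    -StorageAccountResourceId $storageId `
    -StorageKeyType Primary

# Step 4: the secondary key (key2) is no longer referenced, so regenerate it too.
New-AzStorageAccountKey -ResourceGroupName $rg -Name $storage -KeyName key2 | Out-Null

# Confirm the blob target is still enabled after the rotation.
Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server | Format-List
```

Using managed identity authentication for the storage target, as described under "Audit to storage destination", removes this dependency entirely: no key is copied into the policy, so key rotation needs no resave.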
Manage Azure SQL Database auditing

Using Azure PowerShell

PowerShell cmdlets (including WHERE clause support for additional filtering):
For a script example, see Configure auditing and threat detection using PowerShell.

Using REST API

REST API:
Extended policy with WHERE clause support for additional filtering:
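The WHERE-clause support mentioned above is exposed in Az PowerShell as the PredicateExpression parameter, which takes an audit-predicate expression evaluated against every record the selected action groups produce. The block below is an added example for this page (not Microsoft's sample script): it defines a database-level policy that audits failed logins and completed batches but drops a known noise pattern. Names, the storage ID and the filtered statement text are placeholders chosen for the example.

```powershell
# Added example, not part of the Microsoft page. Requires Az.Sql and Connect-AzAccount.
$rg        = "rg-sql-audit-demo"   # placeholder
$server    = "sqlsrv-demo"         # placeholder
$database  = "payroll"             # placeholder database name
$storageId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/stsqlauditdemo"

# Database-level policy. It exists alongside the server policy (it does not replace
# or override it), so the server default still applies to this database as well.
# The predicate is applied to every audited record; here it discards the keep-alive
# batch a connection pool sends so that the log is not flooded with it. Any record
# field (statement, server_principal_name, object_name, ...) may be referenced.
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $server -DatabaseName $database `
    -AuditActionGroup "FAILED_DATABASE_AUTHENTICATION_GROUP", "BATCH_COMPLETED_GROUP" `
    -PredicateExpression "statement <> 'SELECT 1'" `
    -BlobStorageTargetState Enabled `
    -StorageAccountResourceId $storageId `
    -RetentionInDays 365

# Verify the policy, including the stored predicate.
Get-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $server -DatabaseName $database | Format-List
```

Keep predicates narrow and exclusionary: a filter such as `statement <> 'SELECT 1'` removes a single known pattern, whereas a positive filter on statement text would also suppress the failed-login records, whose statement field is empty.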
Using Azure CLI
Using Azure Resource Manager templates

You can manage Azure SQL Database auditing using Azure Resource Manager templates, as shown in these examples:
Note: The linked samples are on an external public repository and are provided 'as is', without warranty, and are not supported under any Microsoft support program/service.

See also