SQLSecurityAuditEvent table not working correctly with Azure SQL Database Sentinel connector.

KieranBarry-6495 25 Reputation points
2023-11-23T16:11:17.08+00:00

Hi all,

I am trying to ingest logs from Azure SQL Databases into Log Analytics to use for Microsoft Sentinel. I have followed the steps in the Microsoft Data Connector for Azure SQL Databases and can see a large number of logs now in Log Analytics; however, these logs appear to be stored in the AzureDiagnostics table and not the SQLSecurityAuditEvents table, which I believe is where they should be.

Has anyone encountered this issue before?

Thanks,

Kieran Barry

Azure SQL Database
Microsoft Sentinel

1 answer

  1. Clive Watson 5,951 Reputation points MVP
    2023-11-23T23:03:29.8+00:00

    Hello. If you look at the Analytic Rules, Hunting Queries and Workbook supplied, they all use the AzureDiagnostics table. I think you have a correct setup; why do you believe this to be wrong?
    https://github.com/Azure/Azure-Sentinel/tree/49db31296bbf686bce71d131abb10bef5b025dce/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel

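As an added illustration (not part of Clive's answer or of the linked solution), the KQL below first confirms that the Azure SQL audit records are arriving in AzureDiagnostics under the Category "SQLSecurityAuditEvents" (the category the connector's diagnostic setting writes, and what the solution's queries filter on), then shows a detection built on those columns. The time windows and the failure threshold of 10 are assumptions to tune per environment.

```kql
// Step 1: verify ingestion. Audit events from the connector land in
// AzureDiagnostics with Category "SQLSecurityAuditEvents"; there is no
// separate table of that name to look for.
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == "SQLSecurityAuditEvents"
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by ResourceProvider, Resource, Category

// Step 2: a detection on the same rows. Count failed database
// authentications per principal and source IP in hourly buckets and
// surface bursts of 10 or more (threshold is an assumption).
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "SQLSecurityAuditEvents"
| where action_name_s == "DATABASE AUTHENTICATION FAILED"
| summarize Failures = count(),
            Databases = make_set(database_name_s)
    by server_principal_name_s, client_ip_s, bin(TimeGenerated, 1h)
| where Failures >= 10
| order by Failures desc
```

If the first query returns nothing, check the diagnostic setting on the SQL server or database and confirm the "SQLSecurityAuditEvents" category is enabled and pointed at the Sentinel workspace.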