This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 47%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK6%3C/text%3E%3C/svg%3E)
Hi all,
I am trying to ingest logs from Azure SQL Databases into Log Analytics to use for Microsoft Sentinel. I have followed the steps in the Microsoft Data Connector for Azure SQL Databases and can see a large number of logs now in Log Analytics, however, these logs appear to be stored in the AzureDiagnostics table and not the SQLSecurityAuditEvents table, which I believe is where they should be.
Has anyone encountered this issue before?
Thanks,
Kieran Barry
Hello, If you look at the Analytic Rules, Hunting Queries and Workbook supplied they all use the AzureDiagnostics table. I think you have a correct setup, why do you believe this to be wrong?
https://github.com/Azure/Azure-Sentinel/tree/49db31296bbf686bce71d131abb10bef5b025dce/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel
Hi Clive,
Thanks for the reply and information.
I think I am just a little bit confused as within the data connector for Azure SQL Databases it states that a SQLSecurityAuditEvents table is created and there are 16M of these logs, however when I query that table it is empty, and I can only find them in:
"AzureDiagnostics
| where category = 'SQLSecurityAuditEvents'"
Should they not be in the individual SQLSecurityAuditEvents table?
Thanks,
Kieran
Do you mean on this screen, under Data Types?
If you click on "go to Log Analytics", you will see the code all looks at the AzureDiagnostics table - the title you see is just a legend/title that is displayed, which maps to the Category column in AzureDiagnostics. Its a little confusing but the fact that the supplied Rules, Hunting and Workbook all use AzureDiagnostics means you should...
