SQLSecurityAuditEvent table not working correctly with Azure SQL Database Sentinel connector.

KieranBarry-6495 25 Reputation points

Hi all,

I am trying to ingest logs from Azure SQL Databases into Log Analytics to use for Microsoft Sentinel. I have followed the steps in the Microsoft Data Connector for Azure SQL Databases and can see a large number of logs now in Log Analytics, however, these logs appear to be stored in the AzureDiagnostics table and not the SQLSecurityAuditEvents table, which I believe is where they should be.

Has anyone encountered this issue before?


Kieran Barry

Azure SQL Database
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,057 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Clive Watson 5,951 Reputation points MVP

    Hello, If you look at the Analytic Rules, Hunting Queries and Workbook supplied they all use the AzureDiagnostics table. I think you have a correct setup, why do you believe this to be wrong?

    User's image