Set-AzSqlServerAudit

Changes the auditing settings of an Azure SQL server.

Syntax

Set-AzSqlServerAudit
   [-AuditActionGroup <AuditActionGroups[]>]
   [-PredicateExpression <String>]
   [-StorageKeyType <String>]
   [-RetentionInDays <UInt32>]
   [-BlobStorageTargetState <String>]
   [-StorageAccountResourceId <String>]
   [-EventHubTargetState <String>]
   [-EventHubName <String>]
   [-EventHubAuthorizationRuleResourceId <String>]
   [-LogAnalyticsTargetState <String>]
   [-WorkspaceResourceId <String>]
   [-PassThru]
   [-UseIdentity <String>]
   [-ResourceGroupName] <String>
   [-ServerName] <String>
   [-AsJob]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-AzSqlServerAudit
   [-AuditActionGroup <AuditActionGroups[]>]
   [-PredicateExpression <String>]
   [-StorageKeyType <String>]
   [-RetentionInDays <UInt32>]
   [-BlobStorageTargetState <String>]
   [-StorageAccountResourceId <String>]
   [-EventHubTargetState <String>]
   [-EventHubName <String>]
   [-EventHubAuthorizationRuleResourceId <String>]
   [-LogAnalyticsTargetState <String>]
   [-WorkspaceResourceId <String>]
   [-PassThru]
   [-UseIdentity <String>]
   -ServerObject <AzureSqlServerModel>
   [-AsJob]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Set-AzSqlServerAudit cmdlet changes the auditing settings of an Azure SQL server. To use the cmdlet, use the ResourceGroupName and ServerName parameters to identify the server. When blob storage is a destination for audit logs, specify the StorageAccountResourceId parameter to determine the storage account for the audit logs and the StorageKeyType parameter to define the storage keys. If using blob storage as destination, you can also define retention for the audit logs by setting the value of the RetentionInDays parameter to define the period for the audit logs.

Examples

Example 1: Enable the blob storage auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/7fe3301d-31d3-4668-af5e-211a890ba6e3/resourceGroups/resourcegroup01/providers/Microsoft.Storage/storageAccounts/mystorage"

Example 2: Disable the blob storage auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -BlobStorageTargetState Disabled

Example 3: Enable the blob storage auditing policy of an Azure SQL server with filtering using a T-SQL predicate

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/7fe3301d-31d3-4668-af5e-211a890ba6e3/resourceGroups/resourcegroup01/providers/Microsoft.Storage/storageAccounts/mystorage" -PredicateExpression "statement <> 'select 1'"

Example 4: Remove the filtering setting from the auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -PredicateExpression ""

Example 5: Enable the event hub auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -EventHubTargetState Enabled -EventHubName "EventHubName" -EventHubAuthorizationRuleResourceId "EventHubAuthorizationRuleResourceId"

Example 6: Disable the event hub auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -EventHubTargetState Disabled

Example 7: Enable the log analytics auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2"

Example 8: Disable the log analytics auditing policy of an Azure SQL server

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -LogAnalyticsTargetState Disabled

Example 9: Disable, through pipeline, the log analytics auditing policy of an Azure SQL server

Get-AzSqlServer -ResourceGroupName "ResourceGroup01" -ServerName "Server01" | Set-AzSqlServerAudit -LogAnalyticsTargetState Disabled

Example 10: Disable sending audit records of an Azure SQL server to blob storage, and enable sending them to log analytics.

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2" -BlobStorageTargetState Disabled

Example 11: Enable sending audit records of an Azure SQL server to blob storage, event hub and log analytics.

Set-AzSqlServerAudit -ResourceGroupName "ResourceGroup01" -ServerName "Server01" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/7fe3301d-31d3-4668-af5e-211a890ba6e3/resourceGroups/resourcegroup01/providers/Microsoft.Storage/storageAccounts/mystorage" -EventHubTargetState Enabled -EventHubName "EventHubName" -EventHubAuthorizationRuleResourceId "EventHubAuthorizationRuleResourceId" -LogAnalyticsTargetState Enabled  -WorkspaceResourceId "/subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2"

Parameters

-AsJob

Run cmdlet in the background

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AuditActionGroup

The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:

"BATCH_COMPLETED_GROUP",
"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
"FAILED_DATABASE_AUTHENTICATION_GROUP"
This above combination is also the set that is configured by default. These groups cover all SQL statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see https://video2.skills-academy.com/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups.

Type:AuditActionGroups[]
Accepted values:BATCH_STARTED_GROUP, BATCH_COMPLETED_GROUP, APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP, DATABASE_LOGOUT_GROUP, DATABASE_OBJECT_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP, DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OPERATION_GROUP, DATABASE_PERMISSION_CHANGE_GROUP, DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP, SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP, SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, USER_CHANGE_PASSWORD_GROUP, LEDGER_OPERATION_GROUP, DBCC_GROUP, DATABASE_OWNERSHIP_CHANGE_GROUP, DATABASE_CHANGE_GROUP
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-BlobStorageTargetState

Indicates whether blob storage is a destination for audit records.

Type:String
Accepted values:Enabled, Disabled
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EventHubAuthorizationRuleResourceId

The resource Id for the event hub authorization rule

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EventHubName

The name of the event hub. If none is specified when providing EventHubAuthorizationRuleResourceId, the default event hub will be selected.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EventHubTargetState

Indicates whether event hub is a destination for audit records.

Type:String
Accepted values:Enabled, Disabled
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-LogAnalyticsTargetState

Indicates whether log analytics is a destination for audit records.

Type:String
Accepted values:Enabled, Disabled
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PassThru

Specifies whether to output the auditing policy at end of cmdlet execution

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PredicateExpression

The T-SQL predicate (WHERE clause) used to filter audit logs.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceGroupName

The name of the resource group.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RetentionInDays

The number of retention days for the audit logs. Only applies to Storage account as destination.

Type:Nullable<T>[UInt32]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ServerName

SQL server name.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ServerObject

The server object to manage its audit policy.

Type:AzureSqlServerModel
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-StorageAccountResourceId

The storage account resource id

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-StorageKeyType

Specifies which of the storage access keys to use.

Type:String
Accepted values:Primary, Secondary
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-UseIdentity

Indicates whether to use managed identity or not. It is required when you want to use managed identity while target storage is not behind firewall.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WorkspaceResourceId

The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Audit Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

AzureSqlServerModel

AuditActionGroups[]

Guid

Nullable<T>[[System.UInt32, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

ServerAuditModel

Outputs

Boolean