Blog Post

Azure Database Support Blog
2 MIN READ

Use Azure SQL Audit policy to filter Audit data.

tarashee's avatar
tarashee
Icon for Microsoft rankMicrosoft
Apr 02, 2023

The Azure SQL Auditing feature is used to track database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs.

If you enable SQL Audit on your Azure SQL database, there will be default settings that your Audit is configured with, including the default Action Groups  "BATCH_COMPLETED_GROUP", "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP","FAILED_DATABASE_AUTHENTICATION_GROUP"

 

If you use Log Analytics, Blob Storage, or both, you will see different Audit Actions as below:

- On Log Analytics:

 

 

AzureDiagnostics
| where Category == 'SQLSecurityAuditEvents'
|where LogicalServerName_s =~ 'ServerName'
|summarize  count() by action_name_s,action_id_s

 

 

 

- From the Audit xel files on Blob Storage:

 

 

SELECT count(*) as count,action_id FROM sys.fn_get_audit_file ('https://mystorageaccount.blob.core.windows.net/sqldbauditlogs/',default,default)
group by action_id

 

 

An example of the Result set:

 

You can filter the Audit Logs, on Log analytics by adding a where clause |where action_name_s != 'Audit Action name' as below:

 

 

AzureDiagnostics
| where Category == 'SQLSecurityAuditEvents'
|where LogicalServerName_s =~ 'ServerName'
//| where ResourceId =~ '/subscriptions/...’
|where action_name_s != 'RPC COMPLETED'
| project action_name_s,action_id_s, event_time_t, statement_s, succeeded_s, affected_rows_d, server_principal_name_s, client_ip_s, application_name_s, additional_information_s, data_sensitivity_information_s
| order by event_time_t desc

 

 

 

But, if you to change the Audit Policies to exclude RPC completed completely, the filtering will be by a T-SQL predicate added to your PowerShell script. as the following steps:

1- Identify the Action ID of the action ID ‘RCM’ ( RPC COMPLETED) or any other action, by running the following TSQL script on SSMS:

 

 

declare @class_type varchar(4)

set @class_type= 'RCM'

declare @x int

SET @x = convert(int, convert(varbinary(1), upper(substring(@class_type, 1, 1))))

if LEN(@class_type)>=2

SET @x = convert(int, convert(varbinary(1), upper(substring(@class_type, 2, 1)))) * power(2,8) + @x

else

SET @x = convert(int, convert(varbinary(1), ' ')) * power(2,8) + @x

select @x

 

 

For more info: Filter SQL Server Audit on action_id / class_type predicate | Microsoft Learn

 

2- Use the returned result (17234) for Set-AzSqlDatabaseAudit powershell command.

 

 

3- The PowerShell command will be as the following:

 

 

Set-AzSqlDatabaseAudit -ResourceGroupName "ResourceGroupName" -ServerName "ServerName" -databasename "DatabaseName" -PredicateExpression "action_id != 17234"

 

 

 

For more info:

Set-AzSqlDatabaseAudit (Az.Sql) | Microsoft Learn

Configure Auditing for Azure SQL Database series - part1 - Microsoft Community Hub

Configure Auditing for Azure SQL Database series - Part2 - Microsoft Community Hub

 

4- You can remove the predicate expression when needed by running the command  with -PredicateExpression ""  as below:

 

 

Set-AzSqlDatabaseAudit -ResourceGroupName "ResourceGroupName" -ServerName "ServerName" -DatabaseName "DatabaseName" -PredicateExpression ""

 

 

 

For more information:

https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabaseaudit?view=azps-9.4.0#example-4-remove-the-filtering-from-the-auditing-policy-of-an-azure-sql-database

 

Note  - 6th April 2023:  currently there is an issue with step 4 in this article (Remove the predicate expression using -PredicateExpression "" due to a code defect. I will update here when the issue is fixed.

Updated Apr 06, 2023
Version 2.0
  • VictorSilva1260's avatar
    VictorSilva1260
    Copper Contributor

    Hi, thank you for your useful article. This works for Log Analytics or only for Storage Account?

  • VictorSilva1260's avatar
    VictorSilva1260
    Copper Contributor

    Hello tarashee!

     

    Thank you for your reply. I applied in my enviroment, but RPC_COMPLETED still arrive in my log analytics. Do you have any suggestions?

     

     

     

    Thanks

    Victor

  • Colin_Hunter's avatar
    Colin_Hunter
    Copper Contributor

    "currently there is an issue with step 4 in this article (Remove the predicate expression using -PredicateExpression "" due to a code defect. I will update here when the issue is fixed."

     

    Please elaborate, as I seem to have the same issue now.  Tried to remove filtering that I had on for 'rpc completed' events, with the code below, which ran successfully, and also reports that there is no longer any filtering in place - but now no 'rpc completed' calls are being registered: 

    -PredicateExpression ""