Difference between "SQLSecurityAuditEvents" and "ExecRequests"

%3CLINGO-SUB%20id%3D%22lingo-sub-1231875%22%20slang%3D%22en-US%22%3EDifference%20between%20%22SQLSecurityAuditEvents%22%20and%20%22ExecRequests%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1231875%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20I've%20been%20working%20on%20KQL%20for%20some%20weeks%20now%20and%20recently%20I've%20been%20doing%20a%20task%20in%20which%20I've%20to%20get%20the%20statement%20type%20(like%20SELECT%2C%20INSERT%2CUPDATE%20etc)%20for%20the%20respective%20SQL%20queries%20that%20are%20in%20the%20database%2C%20I've%20found%20that%20we%20can%20get%20that%20by%20using%20the%20following%20command%20for%20example%3C%2FP%3E%3CP%3EAzureDiagnostics%26nbsp%3B%3C%2FP%3E%3CP%3E%7C%20where%26nbsp%3BResource%20%3D%3D%22ABCXYZ%22%3C%2FP%3E%3CP%3E%7C%20where%20StartTime_t%20%26gt%3B%20todatetime(%222020-01-10T23%3A30%22)%20%7C%20where%20StartTime_t%20%26lt%3B%20todatetime(%222020-02-11T06%3A30%22)%3C%2FP%3E%3CP%3E%7C%20where%20Category%3D%3D%22ExecRequests%22%3C%2FP%3E%3CP%3E%7C%20where%20StatementType_s%20%3D%3D%22Select%22%3C%2FP%3E%3CP%3E%7C%20extend%20Length%3Dstrlen(Command_s)%3C%2FP%3E%3CP%3E%7C%20extend%20Execution_in_Seconds%3D%20datetime_diff('second'%2CEndTime_t%2CStartTime_t)%3C%2FP%3E%3CP%3E%7C%20where%20Status_s%20%3D%3D%20%22Completed%22%3C%2FP%3E%3CP%3E%7C%20where%20datetime_diff('second'%2CEndTime_t%2CStartTime_t)%26gt%3B%20100%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20the%20problem%20arises%20when%20I've%20to%20relate%20this%20to%20the%20username%20or%20the%20table%20name%20as%20I'm%20not%20able%20to%20find%20any%20columns%20in%20it%20which%20displays%20the%20username%20or%20table%20name%2C%20so%20I%20want%20to%20know%20is%20there%20any%20other%20way%20by%20which%20i%20can%20get%20Statement%20type%20along%20with%20the%20username%20or%20table%20%3F%3C%2FP%3E%3CP%3EOne%20more%20thing%20I%20wanted%20to%20ask%20is%20what%20is%20the%20difference%20between%20%22SQLSecurityAuditEvents%22%20and%20%22ExecRequests%22%20as%20I%20use%20the%26nbsp%3BSQLSecurityAuditEvents%20generally%20to%20get%20the%20username%20along%20with%20the%20respective%20sql%20query%20%2C%20a%20simple%20query%20for%20example%20is%3C%2FP%3E%3CP%3EAzureDiagnostics%3C%2FP%3E%3CP%3E%7C%20where%20Category%20%3D%3D%20%22SQLSecurityAuditEvents%22%3C%2FP%3E%3CP%3E%7C%20where%20ResourceProvider%20%3D%3D%20%22MICROSOFT.SQL%22%3C%2FP%3E%3CP%3E%7C%20where%20database_name_s%20%3D%3D%20%22ABCXYZ%22%26nbsp%3B%3C%2FP%3E%3CP%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20is%20any%20way%20that%20we%20can%20relate%20the%20above%20two%20queries%20and%20get%20the%20Statement%20type%20along%20with%20username%20or%20table%20name%3F%3C%2FP%3E%3CP%3EThank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1231875%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EQuery%20Language%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
New Contributor

Hi, I've been working on KQL for some weeks now and recently I've been doing a task in which I've to get the statement type (like SELECT, INSERT,UPDATE etc) for the respective SQL queries that are in the database, I've found that we can get that by using the following command for example

AzureDiagnostics 

| where Resource =="ABCXYZ"

| where StartTime_t > todatetime("2020-01-10T23:30") | where StartTime_t < todatetime("2020-02-11T06:30")

| where Category=="ExecRequests"

| where StatementType_s =="Select"

| extend Length=strlen(Command_s)

| extend Execution_in_Seconds= datetime_diff('second',EndTime_t,StartTime_t)

| where Status_s == "Completed"

| where datetime_diff('second',EndTime_t,StartTime_t)> 100

 

But the problem arises when I've to relate this to the username or the table name as I'm not able to find any columns in it which displays the username or table name, so I want to know is there any other way by which i can get Statement type along with the username or table ?

One more thing I wanted to ask is what is the difference between "SQLSecurityAuditEvents" and "ExecRequests" as I use the SQLSecurityAuditEvents generally to get the username along with the respective sql query , a simple query for example is

AzureDiagnostics

| where Category == "SQLSecurityAuditEvents"

| where ResourceProvider == "MICROSOFT.SQL"

| where database_name_s == "ABCXYZ" 

| where TimeGenerated > ago(24h)

 

Is there is any way that we can relate the above two queries and get the Statement type along with username or table name?

Thank you.