Azure Security Center Recommendations Log Analytics Query syntax




My customer wants to write custom Log Search Queries (in Log Analytics) for Azure SQL for the following Scenarios:


• Log failures, manual logging shut down and attempts to purge
• Attempts to access OS functionality via the database
• Known attack profiles, such as Buffer overflow, Denial of Service, SQL inject
• Use of the Application ID (ApplID) from a source other than the defined owner Application location (based on host name or IP address of App / Reporting Server)


Please Note: I know Advanced Threat Protection covers some of the scenarios mentioned here e.g. detecting SQL Injections, etc… But the customer wants custom queries for all of these scenarios.


I have the following Questions:
• Which AUDIT GROUPS should I enable to capture more Logs(apart from the 3 that are enabled by default) so that I can write queries for the above use cases using KQL on the logs collected ?
• If we keep ATP aside and assume that SQL Server is running on a VM in Azure, how would we achieve the above use cases based on the logs collected via the MMA agent installed on the VM ?
• The customer is using these custom queries to get appropriate result set and in turn to create PowerBI Dashboards which they want to share with their customers, how can I get ATP data/ recommendation outside the Azure Portal so that customer can create visualizations on top it and share with it’s customers.
Please Note: I have seen Azure Security Centre REST API Documentation and I know I can pull Recommendations and Tasks using these APIs, but that’s not what the customer is looking for. Customer wants the underlying data and a custom query on top it which detects the security incident. I know these incidents are generated by complex ML algorithm running under the hood, but I hope I was able to put across the customer’s expectation clearly.


Please let me know your inputs on what’s possible and pointers on how to achieve it.

0 Replies