Merge pull request #108950 from DavidTrigano/patch-4

PMEds28 · web-flow · commit 24f1190f4204 · 2020-03-25T08:39:35.000Z
Update sql-database-auditing.md
diff --git a/articles/sql-database/sql-database-auditing.md b/articles/sql-database/sql-database-auditing.md
@@ -33,14 +33,7 @@ You can use SQL database auditing to:
 - **Analyze** reports. You can find suspicious events, unusual activity, and trends.
 
 > [!IMPORTANT]
-> Audit logs are written to **Append Blobs** in Azure Blob storage on your Azure subscription.
->
-> - All storage kinds (v1, v2, blob) are supported.
-> - All storage replication configurations are supported.
-> - Storage behind a virtual network and firewall is supported.
-> - **Premium storage** is currently **not supported**.
-> - **Hierarchical namespace** for **Azure Data Lake Storage Gen2 storage account** is currently **not supported**.
-> - Enabling auditing on a paused **Azure SQL Data Warehouse** is not supported. To enable auditing, resume the Data Warehouse.
+> - Azure SQL Database auditing is optimized for availability & performance. During very high activity Azure SQL Database allows operations to proceed and may not record some audited events.
    
 ## <a id="subheading-8"></a>Define server-level vs. database-level auditing policy
 
@@ -54,7 +47,7 @@ An auditing policy can be defined for a specific database or as a default server
 
    > [!NOTE]
    > You should avoid enabling both server blob auditing and database blob auditing together, unless:
-    > - You want to use a different *storage account* or *retention period* for a specific database.
+    > - You want to use a different *storage account*, *retention period* or *Log Analytics Workspace* for a specific database.
     > - You want to audit event types or categories for a specific database that differ from the rest of the databases on the server. For example, you might have table inserts that need to be audited only for a specific database.
    >
    > Otherwise, we recommended that you enable only server-level blob auditing and leave the database-level auditing disabled for all databases.
@@ -63,9 +56,6 @@ An auditing policy can be defined for a specific database or as a default server
 
 The following section describes the configuration of auditing using the Azure portal.
 
-  > [!NOTE]
-   >You now have multiple options for configuring where audit logs are written. You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs, or to event hub for consumption using event hub. You can configure any combination of these options, and audit logs will be written to each.
-
 1. Go to the [Azure portal](https://portal.azure.com).
 2. Navigate to **Auditing** under the Security heading in your SQL database/server pane.
 3. If you prefer to set up a server auditing policy, you can select the **View server settings** link on the database auditing page. You can then view or modify the server auditing settings. Server auditing policies  apply to all existing and newly created databases on this server.
@@ -74,9 +64,7 @@ The following section describes the configuration of auditing using the Azure po
 
 4. If you prefer to enable auditing on the database level, switch **Auditing** to **ON**. If server auditing is enabled, the database-configured audit will exist side-by-side with the server audit.
 
-    ![Navigation pane][3]
-
-5. **New** - You now have multiple options for configuring where audit logs will be written. You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs, or to event hub for consumption using event hub. You can configure any combination of these options, and audit logs will be written to each.
+5. You have multiple options for configuring where audit logs will be written. You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs (preview), or to event hub for consumption using event hub (preview). You can configure any combination of these options, and audit logs will be written to each.
   
    ![storage options](./media/sql-database-auditing-get-started/auditing-select-destination.png)
    
@@ -85,9 +73,28 @@ The following section describes the configuration of auditing using the Azure po
 To configure writing audit logs to a storage account, select **Storage** and open **Storage details**. Select the Azure storage account where logs will be saved, and then select the retention period. Then click **OK**. Logs older than the retention period are deleted.
 
    > [!IMPORTANT]
+   > - All storage kinds (v1, v2, blob) are supported.
+   > - All storage replication configurations are supported.
+   > - Storage behind a virtual network and firewall is supported.
+   > - **Premium storage** is currently **not supported**.
+   > - **Hierarchical namespace** for **Azure Data Lake Storage Gen2 storage account** is currently **not supported**.
+   > - Enabling auditing on a paused **Azure SQL Data Warehouse** is not supported. To enable auditing, resume the Data Warehouse.
+   > 
    > - The default value for retention period is 0 (unlimited retention). You can change this value by moving the **Retention (Days)** slider in **Storage settings** when configuring the storage account for auditing.
-   > - If you change retention period from 0 (unlimited retention) to any other value, please note that retention will only apply to logs written after retention value was changed (logs written during the period when retention was set to unlimited are preserved, even after retention is enabled)
-   > - Customer wishing to configure an immutable log store for their server- or database-level audit events should follow the [instructions provided by Azure Storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-immutability-policies-manage#enabling-allow-protected-append-blobs-writes) (Please ensure you have selected **Allow selected Appends** when you configure the immutable blob storage)
+   > If you change retention period from 0 (unlimited retention) to any other value, please note that retention will only apply to logs written after retention value was changed (logs written during the period when retention was set to unlimited are preserved, even after retention is enabled)
+   > - Customer wishing to configure an immutable log store for their server- or database-level audit events should follow the [instructions provided by Azure Storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-immutability-policies-manage#enabling-allow-protected-append-blobs-writes) (Please ensure you have selected **Allow additional appends** when you configure the immutable blob storage)
+   > - After you've configured your auditing settings, you can turn on the new threat detection feature and configure emails to receive security alerts. When you use threat detection, you receive proactive alerts on anomalous database activities that can indicate potential security threats. For more information, see [Getting started with threat detection](sql-database-threat-detection-get-started.md).
+  > - For details about the log format, hierarchy of the storage folder and naming conventions, see the [Blob Audit Log Format Reference](https://go.microsoft.com/fwlink/?linkid=829599).
+  > - Azure SQL Database Audit stores 4000 characters of data for character fields in an audit record. When the **statement** or the **data_sensitivity_information** values returned from an auditable action contain more than 4000 characters, any data beyond the first 4000 characters will be **truncated and not audited**.
+  > - Audit logs are written to **Append Blobs** in an Azure Blob storage on your Azure subscription
+  > - The default auditing policy includes all actions and the following set of action groups, which will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:
+  >
+  >  BATCH_COMPLETED_GROUP<br>
+  >  SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP<br>
+  >  FAILED_DATABASE_AUTHENTICATION_GROUP<br>
+  >
+  > You can configure auditing for different types of actions and action groups using PowerShell, as described in the [Manage SQL database auditing using Azure PowerShell](#subheading-7) section.
+  > - When using AAD Authentication, failed logins records will *not* appear in the SQL audit log. To view failed login audit records, you need to visit the [Azure Active Directory portal]( ../active-directory/reports-monitoring/reference-sign-ins-error-codes.md), which logs details of these events.
    
    ![storage account](./media/sql-database-auditing-get-started/auditing_select_storage.png)
 
@@ -106,11 +113,9 @@ To configure writing audit logs to a Log Analytics workspace, select **Log Analy
 
 ### <a id="audit-event-hub-destination">Audit to Event Hub destination</a>
 
-> [!IMPORTANT]
-> Enabling auditing on a paused SQL pool is not possible. To enable it, un-pause the SQL pool.
-
 > [!WARNING]
 > Enabling auditing on a server that has a SQL pool on it **results in the SQL pool being resumed and re-paused again** which may incur billing charges.
+> Enabling auditing on a paused SQL pool is not possible. To enable it, un-pause the SQL pool.
 
 To configure writing audit logs to an event hub, select **Event Hub (Preview)** and open **Event Hub details**. Select the event hub where logs will be written and then click **OK**. Be sure that the event hub is in the same region as your database and server.
 
@@ -219,34 +224,6 @@ In production, you are likely to refresh your storage keys periodically. When wr
 3. Go back to the auditing configuration page, switch the storage access key from secondary to primary, and then click **OK**. Then click **Save** at the top of the auditing configuration page.
 4. Go back to the storage configuration page and regenerate the secondary access key (in preparation for the next key's refresh cycle).
 
-## Additional Information
-
-- If you want to customize the audited events, you can do this via [PowerShell cmdlets](#subheading-7) or the [REST API](#subheading-9).
-
-- After you've configured your auditing settings, you can turn on the new threat detection feature and configure emails to receive security alerts. When you use threat detection, you receive proactive alerts on anomalous database activities that can indicate potential security threats. For more information, see [Getting started with threat detection](sql-database-threat-detection-get-started.md).
-- For details about the log format, hierarchy of the storage folder and naming conventions, see the [Blob Audit Log Format Reference](https://go.microsoft.com/fwlink/?linkid=829599).
-
-    > [!IMPORTANT]
-    > Azure SQL Database Audit stores 4000 characters of data for character fields in an audit record. When the **statement** or the **data_sensitivity_information** values returned from an auditable action contain more than 4000 characters, any data beyond the first 4000 characters will be **truncated and not audited**.
-
-- Audit logs are written to **Append Blobs** in an Azure Blob storage on your Azure subscription:
-  - **Premium Storage** is currently **not supported** by Append Blobs.
-
-- The default auditing policy includes all actions and the following set of action groups, which will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:
-
-    BATCH_COMPLETED_GROUP<br>
-    SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP<br>
-    FAILED_DATABASE_AUTHENTICATION_GROUP
-
-    You can configure auditing for different types of actions and action groups using PowerShell, as described in the [Manage SQL database auditing using Azure PowerShell](#subheading-7) section.
-
-- When using AAD Authentication, failed logins records will *not* appear in the SQL audit log. To view failed login audit records, you need to visit the [Azure Active Directory portal]( ../active-directory/reports-monitoring/reference-sign-ins-error-codes.md), which logs details of these events.
-
-- Azure SQL Database auditing is optimized for availability & performance. During very high activity Azure SQL Database allows operations to proceed and may not record some audited events.
-
-- For configuring Immutable Auditing on storage account, see [Allow protected append blobs writes](../storage/blobs/storage-blob-immutable-storage.md#allow-protected-append-blobs-writes). Please note that the container name for Auditing is **sqldbauditlogs**.
-
-
 ## <a id="subheading-7"></a>Manage Azure SQL Server and Database auditing using Azure PowerShell
 
 **PowerShell cmdlets (including WHERE clause support for additional filtering)**:
