Azure Log Analytics fields for Azure SQL Server/Database

Here’s a detailed explanation of the Azure Log Analytics fields for SQLSecurityAuditEvents from an Azure SQL Server (e.g., server-level audit logs):

Log Analytics fields for SQLSecurityAuditEvents from an Azure SQL Server

---

🔐 Audit Metadata & Identity Fields

Field	Meaning
TenantId	Azure Active Directory tenant ID of your organization.
SubscriptionId	Azure subscription ID where the SQL Server resource is hosted.
ResourceGroup	Name of the Azure resource group that contains the SQL Server.
ResourceProvider	Azure service provider – here it’s MICROSOFT.SQL for SQL Database.
ResourceType	The type of resource (e.g., SERVERS/DATABASES).
Resource	The name of the database resource – here it’s MASTER.
LogicalServerName_s	The logical SQL server name (e.g., c10wdedhdatamart01d).
ResourceId	Full resource path of the database in Azure (used for correlation).

---

🕒 Timestamps

Field	Meaning
TimeGenerated	When the log was collected by Azure Monitor (UTC).
event_time_t	Actual time the event occurred in the SQL Server (UTC).
originalEventTimestamp_t	Original timestamp of the audit event (UTC).

---

📘 Audit & Operation Information

Field	Meaning
Category	Log category – here it’s SQLSecurityAuditEvents.
OperationName	Type of audit event – usually “AuditEvent”.
action_id_s	Code for the operation – e.g., BCM = “Batch Completed”.
action_name_s	Name of the action performed – e.g., BATCH COMPLETED.
succeeded_s	Indicates whether the operation was successful (true or false).
audit_schema_version_d	Version of the audit schema.
event_id_g	Unique ID for the specific audit event.
is_server_level_audit_s	Indicates if this is a server-level audit (true/false).

---

🧑‍💻 User & Session Information

Field	Meaning
session_id_d	Internal SQL Server session ID for the query.
server_principal_id_d	Internal ID of the server principal (login/user).
server_principal_name_s	The name of the user/login that ran the query (e.g., certificate login).
session_server_principal_name_s	Full name of the session’s identity (often includes instance cert).
server_principal_sid_s	Security identifier (SID) of the login/user.
database_principal_id_d	Internal ID of the database-level principal (user).
database_principal_name_s	Database-level user name (e.g., public).

---

🧾 Query & Target Object Info

Field	Meaning
statement_s	The actual SQL query run – e.g., SELECT * FROM sys.workload_management_workload_groups.
object_name_s	The database object accessed (table/view/procedure etc.).
object_id_d	Internal ID of the object accessed.
class_type_s	Type of securable accessed – here, DB = database.
class_type_description_s	Description of the object class – DATABASE.
securable_class_type_s	Securable class – what is being secured or audited (DATABASE).

---

⏱️ Performance & Outcome Info

Field	Meaning
duration_milliseconds_d	Duration of the operation in milliseconds.
response_rows_d	Number of rows returned.
affected_rows_d	Number of rows affected (for INSERT, UPDATE, etc.).
succeeded_s	Indicates if the operation was successful (true or false).

---

🌐 Connection & Client Info

Field	Meaning
client_ip_s	IP address of the client (can be <named pipe> for internal or secure connections).
host_name_s	Hostname of the client machine connecting to SQL Server.
application_name_s	Name of the application or tool executing the query (e.g., DWShellDb).
client_tls_version_d	TLS version used for the connection (0 if not applicable).
connection_id_g	Unique identifier of the client connection.

---

🔄 Transaction Info (if applicable)

Field	Meaning
transaction_id_d	Transaction ID if the query was part of a SQL transaction.
user_defined_event_id_d	Reserved for custom user-defined audit events (usually 0).
target_server_principal_id_d	Target server user ID (for permission/audit scope).
target_database_principal_id_d	Target database user ID.

---

🧩 Security Context

Field	Meaning
permission_bitmask_g	Bitmask representing the specific permission checked.
sequence_number_d	Order of the event in an audit batch.
sequence_group_id_g	ID grouping multiple audit events together logically.

---

Azure Log Analytics entry at the database level

Here’s a detailed explanation of the fields from the Azure Log Analytics entry at the database level (SqlRequests category) for HS SQL / Dedicated SQL Pool (Synapse):

---

🔷 Azure SQL Request Log Fields – Explained

Field	Description
TenantId	The Azure Active Directory (AAD) tenant ID associated with your Azure environment.
TimeGenerated	Timestamp when the log was collected by Azure Monitor (in UTC).
ResourceId	Full path to the database resource in Azure (includes subscription, resource group, server, and database).
Category	Log type — SqlRequests indicates it’s tracking SQL query requests.
ResourceGroup	The Azure resource group containing the database resource.
SubscriptionId	ID of the Azure subscription that owns the database.
ResourceProvider	Azure service provider — MICROSOFT.SQL for SQL services.
Resource	The name of the database — here it is EDH_DATA_MART.
ResourceType	Indicates what type of Azure resource it is — in this case, SERVERS/DATABASES.
OperationName	Type of event captured — here it’s SqlRequestsEvent, which logs SQL query execution details.
LogicalServerName_s	The name of the logical SQL Server (e.g., c10wdedhdatamart01d).
SourceSystem	Always Azure — indicates logs are collected from an Azure resource.
Status_s	Indicates the status of the query — Complete means the query finished successfully.
location_s	Azure region where the resource is hosted — here, it’s westus.
Type	Resource type in the log ingestion context — typically AzureDiagnostics.
_ResourceId	Same as ResourceId, but normalized for diagnostics queries in Kusto (lowercase path).

---

🧾 Detailed Query Execution Info (from AdditionalFields)

Field	Description
RequestId	Unique identifier for the SQL request — useful for tracing across logs.
StartTime	The exact time when the query started execution.
EndTime	The exact time when the query finished execution.
ErrorId	If the query failed, this field would contain the error code (empty here = no error).
Command	The type of SQL command executed (e.g., SELECT, INSERT) — blank here, so possibly system internal or metadata access.
StepIndex	Index of the step in a distributed query (used in Synapse MPP execution).
PdwNodeId	The ID of the node in the Synapse MPP engine that processed this part of the query.
DistributionId	Internal distribution ID used in parallel processing in dedicated SQL pools.
RowCount	Number of rows returned or affected — -1 may indicate no rows returned or metadata access.
Spid	SQL Server Process ID — uniquely identifies the session within the server.

---

📌 Use Case of These Logs

These logs are particularly helpful when:

• Debugging performance issues or slow-running queries
• Monitoring distributed query execution in Synapse SQL Pools
• Tracking which nodes processed specific steps
• Checking success/failure status of background or user queries

---