Creates or updates a database's blob auditing policy.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/auditingSettings/default?api-version=2025-01-01
URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| blobAuditingPolicyName | path | True | BlobAuditingPolicyName | The name of the blob auditing policy. The only value is default, which is the path segment used in the URI above. |
| databaseName | path | True | string | The name of the database. |
| resourceGroupName | path | True | string (minLength: 1, maxLength: 90) | The name of the resource group. The name is case insensitive. |
| serverName | path | True | string | The name of the server. |
| subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
| api-version | query | True | string (minLength: 1) | The API version to use for this operation. |
Request Body

| Name | Required | Type | Description |
|---|---|---|---|
| properties.state | True | BlobAuditingPolicyState | Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required. |
| properties.auditActionsAndGroups | | string[] | Specifies the action groups and actions to audit. The recommended set of action groups is the following combination, which audits all queries and stored procedures executed against the database as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This combination is also what is configured by default when auditing is enabled from the Azure portal, and what the sample responses below return when the request omits the field. Supported action groups (choose only the groups that cover your auditing needs; unnecessary groups can produce very large volumes of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP, DATABASE_LOGOUT_GROUP, DATABASE_OBJECT_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP, DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OPERATION_GROUP, DATABASE_PERMISSION_CHANGE_GROUP, DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP, SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP, SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, USER_CHANGE_PASSWORD_GROUP, BATCH_STARTED_GROUP, BATCH_COMPLETED_GROUP, DBCC_GROUP, DATABASE_OWNERSHIP_CHANGE_GROUP, DATABASE_CHANGE_GROUP, LEDGER_OPERATION_GROUP. BATCH_STARTED_GROUP and BATCH_COMPLETED_GROUP cover every SQL statement and stored procedure executed against the database and should not be combined with other statement-level groups, since that produces duplicate audit records. For more information, see Database-Level Audit Action Groups. For a database auditing policy, specific actions can also be specified (actions cannot be specified for a server auditing policy). The supported actions are SELECT, UPDATE, INSERT, DELETE, EXECUTE, RECEIVE and REFERENCES. The general form of an action to audit is {action} ON {object} BY {principal}, where {object} can be a table, view or stored procedure, or an entire database or schema; for the latter two use the forms DATABASE::{db_name} and SCHEMA::{schema_name} respectively. Examples: SELECT on dbo.myTable by public; SELECT on DATABASE::myDatabase by public; SELECT on SCHEMA::mySchema by public. For more information, see Database-Level Audit Actions. |
| properties.isAzureMonitorTargetEnabled | | boolean | Specifies whether audit events are sent to Azure Monitor. To send events to Azure Monitor, set state to Enabled and isAzureMonitorTargetEnabled to true. When auditing is configured through the REST API, a diagnostic setting with the SQLSecurityAuditEvents log category must also be created on the database; this policy PUT does not create it. For server-level auditing, use the master database as {databaseName}. Diagnostic settings URI format: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview. For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell. |
| properties.isManagedIdentityInUse | | boolean | Specifies whether a managed identity is used to access the blob storage. |
| properties.isStorageSecondaryKeyInUse | | boolean | Specifies whether the storageAccountAccessKey value is the storage account's secondary key. |
| properties.queueDelayMs | | integer (int32) | Specifies the amount of time, in milliseconds, that can elapse before audit actions are forced to be processed. The default is 1000 (1 second); the maximum is 2,147,483,647. |
| properties.retentionDays | | integer (int32) | Specifies the number of days to keep the audit logs in the storage account. |
| properties.storageAccountAccessKey | | string (password) | Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, omitting storageAccountAccessKey makes the server use its system-assigned managed identity to access the storage account. Prerequisites for managed identity authentication: (1) assign the SQL server a system-assigned managed identity in Azure Active Directory (AAD); (2) grant that identity access to the storage account by assigning it the Storage Blob Data Contributor role. For more information, see Auditing to storage using Managed Identity authentication. The key is write-only: the sample responses below never return it. |
| properties.storageAccountSubscriptionId | | string (uuid) | Specifies the blob storage subscription ID. |
| properties.storageEndpoint | | string | Specifies the blob storage endpoint (for example https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required. |
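The constraints in the request-body table turned into a pre-flight check you can run before calling the API. This is an added example, not code from this page or from the Azure SDK: it encodes the supported action groups, the {action} ON {object} BY {principal} grammar, the rule that an Enabled policy needs at least one sink, and the managed-identity versus storage-key choice. The severity labels and finding texts are this example's own convention, and the BATCH_* duplication warning is a judgement call based on the page's guidance rather than a service-side rejection.

```python
"""Pre-flight validation for a database auditing policy request body.

Added example (not from the Azure reference page or the Azure SDK). It encodes
the rules the request-body table states: supported action groups, the
"{action} ON {object} BY {principal}" grammar for database-level actions,
the requirement that an Enabled policy names a sink, and the managed-identity
versus storage-key choice. Severity labels are this example's own convention.
"""
import re

SUPPORTED_GROUPS = {
    "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP", "BACKUP_RESTORE_GROUP",
    "DATABASE_LOGOUT_GROUP", "DATABASE_OBJECT_CHANGE_GROUP",
    "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP", "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP",
    "DATABASE_OPERATION_GROUP", "DATABASE_PERMISSION_CHANGE_GROUP",
    "DATABASE_PRINCIPAL_CHANGE_GROUP", "DATABASE_PRINCIPAL_IMPERSONATION_GROUP",
    "DATABASE_ROLE_MEMBER_CHANGE_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "SCHEMA_OBJECT_ACCESS_GROUP", "SCHEMA_OBJECT_CHANGE_GROUP",
    "SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP", "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP",
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "USER_CHANGE_PASSWORD_GROUP",
    "BATCH_STARTED_GROUP", "BATCH_COMPLETED_GROUP", "DBCC_GROUP",
    "DATABASE_OWNERSHIP_CHANGE_GROUP", "DATABASE_CHANGE_GROUP", "LEDGER_OPERATION_GROUP",
}
AUTH_GROUPS = {"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP"}
BATCH_GROUPS = {"BATCH_STARTED_GROUP", "BATCH_COMPLETED_GROUP"}
SUPPORTED_ACTIONS = {"SELECT", "UPDATE", "INSERT", "DELETE", "EXECUTE", "RECEIVE", "REFERENCES"}
MAX_QUEUE_DELAY_MS = 2_147_483_647

# {action} ON {object} BY {principal}; keywords are matched case-insensitively
# because the page's own sample uses "UPDATE on database::TestDatabaseName by public".
_ACTION_RE = re.compile(
    r"^\s*(?P<action>[A-Za-z]+)\s+ON\s+(?P<object>\S+)\s+BY\s+(?P<principal>\S+)\s*$",
    re.IGNORECASE,
)


def parse_audit_entry(entry):
    """Classify one auditActionsAndGroups element.

    Returns ("group", NAME) for an action group, or ("action", dict) for a
    database-level action with keys action, scope (DATABASE, SCHEMA or OBJECT),
    object and principal. Raises ValueError for unsupported input.
    """
    if entry.upper() in SUPPORTED_GROUPS:
        return "group", entry.upper()
    m = _ACTION_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised audit entry: {entry!r}")
    action = m.group("action").upper()
    if action not in SUPPORTED_ACTIONS:
        raise ValueError(f"unsupported action {action!r} in {entry!r}")
    scope, sep, name = m.group("object").partition("::")
    if sep and scope.upper() in ("DATABASE", "SCHEMA"):
        scope = scope.upper()
    else:
        scope, name = "OBJECT", m.group("object")  # table, view or stored procedure
    return "action", {"action": action, "scope": scope, "object": name,
                      "principal": m.group("principal")}


def validate_auditing_policy(properties):
    """Return (severity, message) findings for a policy's "properties" dict.

    "error" findings mean the body violates a rule stated on the page;
    "warn" and "info" are operational caveats worth surfacing in review.
    """
    findings = []
    state = properties.get("state")
    if state not in ("Enabled", "Disabled"):
        findings.append(("error", f"state must be Enabled or Disabled, got {state!r}"))
    has_storage = bool(properties.get("storageEndpoint"))
    has_monitor = bool(properties.get("isAzureMonitorTargetEnabled"))
    if state == "Enabled" and not (has_storage or has_monitor):
        findings.append(("error", "Enabled requires storageEndpoint or isAzureMonitorTargetEnabled"))
    if has_monitor:
        findings.append(("info", "Azure Monitor target also needs a diagnostic setting "
                                 "with the SQLSecurityAuditEvents category"))
    if has_storage and not properties.get("storageAccountAccessKey"):
        findings.append(("info", "no storageAccountAccessKey: the server's system-assigned managed "
                                 "identity needs Storage Blob Data Contributor on the account"))
    elif properties.get("storageAccountAccessKey"):
        findings.append(("warn", "storage account key travels in the request body; "
                                 "prefer managed identity so the caller never handles the key"))
    delay = properties.get("queueDelayMs")
    if delay is not None and not (isinstance(delay, int) and 0 <= delay <= MAX_QUEUE_DELAY_MS):
        findings.append(("error", f"queueDelayMs out of range: {delay!r}"))
    groups = set()
    for entry in properties.get("auditActionsAndGroups") or []:
        try:
            kind, value = parse_audit_entry(entry)
        except ValueError as exc:
            findings.append(("error", str(exc)))
            continue
        if kind == "group":
            groups.add(value)
    # BATCH_* already covers every statement; other groups on top duplicate records.
    if groups & BATCH_GROUPS and groups - BATCH_GROUPS - AUTH_GROUPS:
        findings.append(("warn", "BATCH_* groups combined with other groups duplicate audit records"))
    return findings


def errors(findings):
    """Only the findings that should block sending the request."""
    return [msg for sev, msg in findings if sev == "error"]
```

Run `validate_auditing_policy(body["properties"])` on the JSON you are about to PUT; an empty `errors(...)` list means the body satisfies every rule the table states, while the info and warn entries are the reminders (diagnostic setting, RBAC role, key handling) that the API itself will not give you.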
Responses

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples

Create or update a database's azure monitor auditing policy with minimal parameters

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb/auditingSettings/default?api-version=2025-01-01

```json
{
  "properties": {
    "isAzureMonitorTargetEnabled": true,
    "state": "Enabled"
  }
}
```
```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.sql import SqlManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-sql
# USAGE
    python database_azure_monitor_auditing_create_min.py

    Before running the sample, set the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SqlManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.database_blob_auditing_policies.create_or_update(
        resource_group_name="blobauditingtest-4799",
        server_name="blobauditingtest-6440",
        database_name="testdb",
        parameters={"properties": {"isAzureMonitorTargetEnabled": True, "state": "Enabled"}},
    )
    print(response)


# x-ms-original-file: 2025-01-01/DatabaseAzureMonitorAuditingCreateMin.json
if __name__ == "__main__":
    main()
```
```javascript
const { SqlManagementClient } = require("@azure/arm-sql");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to create or update a database's blob auditing policy.
 *
 * @summary creates or updates a database's blob auditing policy.
 * x-ms-original-file: 2025-01-01/DatabaseAzureMonitorAuditingCreateMin.json
 */
async function createOrUpdateADatabaseAzureMonitorAuditingPolicyWithMinimalParameters() {
  const credential = new DefaultAzureCredential();
  const subscriptionId = "00000000-1111-2222-3333-444444444444";
  const client = new SqlManagementClient(credential, subscriptionId);
  const result = await client.databaseBlobAuditingPolicies.createOrUpdate(
    "blobauditingtest-4799",
    "blobauditingtest-6440",
    "testdb",
    { isAzureMonitorTargetEnabled: true, state: "Enabled" },
  );
  console.log(result);
}
```
```csharp
using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Sql.Models;
using Azure.ResourceManager.Sql;

// Generated from example definition: specification/sql/resource-manager/Microsoft.Sql/SQL/stable/2025-01-01/examples/DatabaseAzureMonitorAuditingCreateMin.json
// this example is just showing the usage of "DatabaseBlobAuditingPolicies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://dotnet.territoriali.olinfo.it/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SqlDatabaseBlobAuditingPolicyResource created on azure
// for more information of creating SqlDatabaseBlobAuditingPolicyResource, please refer to the document of SqlDatabaseBlobAuditingPolicyResource
string subscriptionId = "00000000-1111-2222-3333-444444444444";
string resourceGroupName = "blobauditingtest-4799";
string serverName = "blobauditingtest-6440";
string databaseName = "testdb";
BlobAuditingPolicyName blobAuditingPolicyName = BlobAuditingPolicyName.Default;
ResourceIdentifier sqlDatabaseBlobAuditingPolicyResourceId = SqlDatabaseBlobAuditingPolicyResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, serverName, databaseName, blobAuditingPolicyName);
SqlDatabaseBlobAuditingPolicyResource sqlDatabaseBlobAuditingPolicy = client.GetSqlDatabaseBlobAuditingPolicyResource(sqlDatabaseBlobAuditingPolicyResourceId);

// invoke the operation
SqlDatabaseBlobAuditingPolicyData data = new SqlDatabaseBlobAuditingPolicyData
{
    IsAzureMonitorTargetEnabled = true,
    State = BlobAuditingPolicyState.Enabled,
};
ArmOperation<SqlDatabaseBlobAuditingPolicyResource> lro = await sqlDatabaseBlobAuditingPolicy.UpdateAsync(WaitUntil.Completed, data);
SqlDatabaseBlobAuditingPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SqlDatabaseBlobAuditingPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
```
Sample response

Status code: 200

```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb",
  "kind": "V12",
  "properties": {
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": true,
    "retentionDays": 0,
    "state": "Enabled",
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000"
  }
}
```

Status code: 201

```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb",
  "kind": "V12",
  "properties": {
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": true,
    "retentionDays": 0,
    "state": "Enabled",
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000"
  }
}
```
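The minimal Azure Monitor request above enables the policy, but, as the isAzureMonitorTargetEnabled description notes, a diagnostic setting with the SQLSecurityAuditEvents category must also exist on the database before events are delivered. The following is an added example, not code from this page or the Azure SDK: it plans both PUTs with the URI formats and API versions given on this page and applies them through an injected sender, so the sequence can be exercised offline and stops at the first failure. The diagnostic-setting body shape (properties.workspaceId plus a logs[] array) is the standard Azure Monitor one and is not spelled out on this page; the Log Analytics workspace resource ID, the setting name sql-audit and the bearer token are assumptions supplied by the caller.

```python
"""Route a database's audit events to Azure Monitor in two ARM calls:
PUT the auditing policy (this page), then PUT a diagnostic setting on the
same database with the SQLSecurityAuditEvents category.

Added example, not code from the page or the Azure SDK. URL formats and API
versions come from this page; the diagnostic-setting body shape is the
standard Azure Monitor one; workspace ID, setting name and bearer token are
placeholders the caller supplies.
"""
import json
import urllib.error
import urllib.request

ARM = "https://management.azure.com"
POLICY_API_VERSION = "2025-01-01"        # auditingSettings, from this page
DIAG_API_VERSION = "2017-05-01-preview"  # diagnosticSettings, from this page


def database_url(subscription_id, resource_group, server, database):
    """ARM URL of the database. For server-level auditing the page says the
    diagnostic setting is addressed via the master database."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Sql/servers/{server}/databases/{database}")


def plan_azure_monitor_auditing(subscription_id, resource_group, server, database,
                                workspace_id, setting_name="sql-audit",
                                action_groups=None):
    """Return the ordered list of (method, url, body) calls to make.

    Omitting auditActionsAndGroups keeps the service default (the
    BATCH_COMPLETED / authentication trio seen in the sample responses);
    pass action_groups to override it.
    """
    base = database_url(subscription_id, resource_group, server, database)
    policy = {"properties": {"state": "Enabled", "isAzureMonitorTargetEnabled": True}}
    if action_groups:
        policy["properties"]["auditActionsAndGroups"] = list(action_groups)
    diagnostic = {"properties": {
        "workspaceId": workspace_id,  # assumption: Log Analytics workspace resource ID
        "logs": [{"category": "SQLSecurityAuditEvents", "enabled": True}],
    }}
    return [
        ("PUT", f"{base}/auditingSettings/default?api-version={POLICY_API_VERSION}", policy),
        ("PUT", f"{base}/providers/microsoft.insights/diagnosticSettings/{setting_name}"
                f"?api-version={DIAG_API_VERSION}", diagnostic),
    ]


def apply_plan(plan, send):
    """Execute the plan through send(method, url, body) -> (status, payload).

    Raises on the first non-2xx response so an enabled policy is never left
    silently without the diagnostic setting that actually delivers events.
    """
    results = []
    for method, url, body in plan:
        status, payload = send(method, url, body)
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {url} -> {status}: {payload}")
        results.append((status, payload))
    return results


def arm_sender(bearer_token):
    """Real sender for apply_plan: ARM calls with a caller-supplied AAD token."""
    def send(method, url, body):
        req = urllib.request.Request(
            url, method=method, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")
    return send
```

In production, `apply_plan(plan_azure_monitor_auditing(...), arm_sender(token))` performs both calls; in a test or a dry run, pass a sender that records the calls instead, as the assertions below do.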
Create or update a database's blob auditing policy with all parameters

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb/auditingSettings/default?api-version=2025-01-01

```json
{
  "properties": {
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public"
    ],
    "isAzureMonitorTargetEnabled": true,
    "isStorageSecondaryKeyInUse": false,
    "queueDelayMs": 4000,
    "retentionDays": 6,
    "state": "Enabled",
    "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}
```
```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.sql import SqlManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-sql
# USAGE
    python database_blob_auditing_create_max.py

    Before running the sample, set the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SqlManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.database_blob_auditing_policies.create_or_update(
        resource_group_name="blobauditingtest-4799",
        server_name="blobauditingtest-6440",
        database_name="testdb",
        parameters={
            "properties": {
                "auditActionsAndGroups": [
                    "DATABASE_LOGOUT_GROUP",
                    "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
                    "UPDATE on database::TestDatabaseName by public",
                ],
                "isAzureMonitorTargetEnabled": True,
                "isStorageSecondaryKeyInUse": False,
                "queueDelayMs": 4000,
                "retentionDays": 6,
                "state": "Enabled",
                "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
                "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
                "storageEndpoint": "https://mystorage.blob.core.windows.net",
            }
        },
    )
    print(response)


# x-ms-original-file: 2025-01-01/DatabaseBlobAuditingCreateMax.json
if __name__ == "__main__":
    main()
```
```javascript
const { SqlManagementClient } = require("@azure/arm-sql");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to create or update a database's blob auditing policy.
 *
 * @summary creates or updates a database's blob auditing policy.
 * x-ms-original-file: 2025-01-01/DatabaseBlobAuditingCreateMax.json
 */
async function createOrUpdateADatabaseBlobAuditingPolicyWithAllParameters() {
  const credential = new DefaultAzureCredential();
  const subscriptionId = "00000000-1111-2222-3333-444444444444";
  const client = new SqlManagementClient(credential, subscriptionId);
  const result = await client.databaseBlobAuditingPolicies.createOrUpdate(
    "blobauditingtest-4799",
    "blobauditingtest-6440",
    "testdb",
    {
      auditActionsAndGroups: [
        "DATABASE_LOGOUT_GROUP",
        "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
        "UPDATE on database::TestDatabaseName by public",
      ],
      isAzureMonitorTargetEnabled: true,
      isStorageSecondaryKeyInUse: false,
      queueDelayMs: 4000,
      retentionDays: 6,
      state: "Enabled",
      storageAccountAccessKey:
        "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
      storageAccountSubscriptionId: "00000000-1234-0000-5678-000000000000",
      storageEndpoint: "https://mystorage.blob.core.windows.net",
    },
  );
  console.log(result);
}
```
```csharp
using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Sql.Models;
using Azure.ResourceManager.Sql;

// Generated from example definition: specification/sql/resource-manager/Microsoft.Sql/SQL/stable/2025-01-01/examples/DatabaseBlobAuditingCreateMax.json
// this example is just showing the usage of "DatabaseBlobAuditingPolicies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://dotnet.territoriali.olinfo.it/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SqlDatabaseBlobAuditingPolicyResource created on azure
// for more information of creating SqlDatabaseBlobAuditingPolicyResource, please refer to the document of SqlDatabaseBlobAuditingPolicyResource
string subscriptionId = "00000000-1111-2222-3333-444444444444";
string resourceGroupName = "blobauditingtest-4799";
string serverName = "blobauditingtest-6440";
string databaseName = "testdb";
BlobAuditingPolicyName blobAuditingPolicyName = BlobAuditingPolicyName.Default;
ResourceIdentifier sqlDatabaseBlobAuditingPolicyResourceId = SqlDatabaseBlobAuditingPolicyResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, serverName, databaseName, blobAuditingPolicyName);
SqlDatabaseBlobAuditingPolicyResource sqlDatabaseBlobAuditingPolicy = client.GetSqlDatabaseBlobAuditingPolicyResource(sqlDatabaseBlobAuditingPolicyResourceId);

// invoke the operation
SqlDatabaseBlobAuditingPolicyData data = new SqlDatabaseBlobAuditingPolicyData
{
    RetentionDays = 6,
    AuditActionsAndGroups = { "DATABASE_LOGOUT_GROUP", "DATABASE_ROLE_MEMBER_CHANGE_GROUP", "UPDATE on database::TestDatabaseName by public" },
    IsStorageSecondaryKeyInUse = false,
    IsAzureMonitorTargetEnabled = true,
    QueueDelayMs = 4000,
    State = BlobAuditingPolicyState.Enabled,
    StorageEndpoint = "https://mystorage.blob.core.windows.net",
    StorageAccountAccessKey = "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    StorageAccountSubscriptionId = Guid.Parse("00000000-1234-0000-5678-000000000000"),
};
ArmOperation<SqlDatabaseBlobAuditingPolicyResource> lro = await sqlDatabaseBlobAuditingPolicy.UpdateAsync(WaitUntil.Completed, data);
SqlDatabaseBlobAuditingPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SqlDatabaseBlobAuditingPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
```
Sample response

Status code: 200

```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb",
  "kind": "V12",
  "properties": {
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public"
    ],
    "isAzureMonitorTargetEnabled": true,
    "isStorageSecondaryKeyInUse": false,
    "queueDelayMs": 4000,
    "retentionDays": 0,
    "state": "Enabled",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}
```

Status code: 201

```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb",
  "kind": "V12",
  "properties": {
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public"
    ],
    "isAzureMonitorTargetEnabled": true,
    "isStorageSecondaryKeyInUse": false,
    "queueDelayMs": 4000,
    "retentionDays": 0,
    "state": "Enabled",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}
```
Create or update a database's blob auditing policy with minimal parameters

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb/auditingSettings/default?api-version=2025-01-01

```json
{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}
```
```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.sql import SqlManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-sql
# USAGE
    python database_blob_auditing_create_min.py

    Before running the sample, set the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the values, see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SqlManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.database_blob_auditing_policies.create_or_update(
        resource_group_name="blobauditingtest-4799",
        server_name="blobauditingtest-6440",
        database_name="testdb",
        parameters={
            "properties": {
                "state": "Enabled",
                "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
                "storageEndpoint": "https://mystorage.blob.core.windows.net",
            }
        },
    )
    print(response)


# x-ms-original-file: 2025-01-01/DatabaseBlobAuditingCreateMin.json
if __name__ == "__main__":
    main()
```
```javascript
const { SqlManagementClient } = require("@azure/arm-sql");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to create or update a database's blob auditing policy.
 *
 * @summary creates or updates a database's blob auditing policy.
 * x-ms-original-file: 2025-01-01/DatabaseBlobAuditingCreateMin.json
 */
async function createOrUpdateADatabaseBlobAuditingPolicyWithMinimalParameters() {
  const credential = new DefaultAzureCredential();
  const subscriptionId = "00000000-1111-2222-3333-444444444444";
  const client = new SqlManagementClient(credential, subscriptionId);
  const result = await client.databaseBlobAuditingPolicies.createOrUpdate(
    "blobauditingtest-4799",
    "blobauditingtest-6440",
    "testdb",
    {
      state: "Enabled",
      storageAccountAccessKey:
        "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
      storageEndpoint: "https://mystorage.blob.core.windows.net",
    },
  );
  console.log(result);
}
```
```csharp
using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Sql.Models;
using Azure.ResourceManager.Sql;

// Generated from example definition: specification/sql/resource-manager/Microsoft.Sql/SQL/stable/2025-01-01/examples/DatabaseBlobAuditingCreateMin.json
// this example is just showing the usage of "DatabaseBlobAuditingPolicies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://dotnet.territoriali.olinfo.it/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SqlDatabaseBlobAuditingPolicyResource created on azure
// for more information of creating SqlDatabaseBlobAuditingPolicyResource, please refer to the document of SqlDatabaseBlobAuditingPolicyResource
string subscriptionId = "00000000-1111-2222-3333-444444444444";
string resourceGroupName = "blobauditingtest-4799";
string serverName = "blobauditingtest-6440";
string databaseName = "testdb";
BlobAuditingPolicyName blobAuditingPolicyName = BlobAuditingPolicyName.Default;
ResourceIdentifier sqlDatabaseBlobAuditingPolicyResourceId = SqlDatabaseBlobAuditingPolicyResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, serverName, databaseName, blobAuditingPolicyName);
SqlDatabaseBlobAuditingPolicyResource sqlDatabaseBlobAuditingPolicy = client.GetSqlDatabaseBlobAuditingPolicyResource(sqlDatabaseBlobAuditingPolicyResourceId);

// invoke the operation
SqlDatabaseBlobAuditingPolicyData data = new SqlDatabaseBlobAuditingPolicyData
{
    State = BlobAuditingPolicyState.Enabled,
    StorageEndpoint = "https://mystorage.blob.core.windows.net",
    StorageAccountAccessKey = "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
};
ArmOperation<SqlDatabaseBlobAuditingPolicyResource> lro = await sqlDatabaseBlobAuditingPolicy.UpdateAsync(WaitUntil.Completed, data);
SqlDatabaseBlobAuditingPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SqlDatabaseBlobAuditingPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
```
Sample response

Status code: 200

```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb",
  "kind": "V12",
  "properties": {
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": false,
    "isStorageSecondaryKeyInUse": false,
    "retentionDays": 0,
    "state": "Enabled",
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}
```

Status code: 201

```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Sql/servers/blobauditingtest-6440/databases/testdb",
  "kind": "V12",
  "properties": {
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": false,
    "isStorageSecondaryKeyInUse": false,
    "retentionDays": 0,
    "state": "Enabled",
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}
```
Definitions

BlobAuditingPolicyName

Enumeration

The name of the blob auditing policy. The only value is default, the path segment used in the URI of this operation.

BlobAuditingPolicyState

Enumeration

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

| Value | Description |
|---|---|
| Enabled | Auditing is enabled. |
| Disabled | Auditing is disabled. |

createdByType

Enumeration

The type of identity that created the resource.

| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key | |
DatabaseBlobAuditingPolicy

Object

A database blob auditing policy.

| Name | Type | Description |
|---|---|---|
| id | string (arm-id) | Fully qualified resource ID of the resource, for example "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}". |
| kind | string | Resource kind. |
| name | string | The name of the resource. |
| properties.auditActionsAndGroups | string[] | Specifies the action groups and actions to audit. The supported groups, the {action} ON {object} BY {principal} grammar for database-level actions, and the caveat about duplicating records by combining BATCH_* groups with other groups are described under properties.auditActionsAndGroups in the request body above. |
| properties.isAzureMonitorTargetEnabled | boolean | Specifies whether audit events are sent to Azure Monitor. Requires state Enabled and, when configured through the REST API, a diagnostic setting with the SQLSecurityAuditEvents log category on the database (the master database for server-level auditing); the diagnostic settings URI format is given in the request body above. |
| properties.isManagedIdentityInUse | boolean | Specifies whether a managed identity is used to access the blob storage. |
| properties.isStorageSecondaryKeyInUse | boolean | Specifies whether the storageAccountAccessKey value is the storage account's secondary key. |
| properties.queueDelayMs | integer (int32) | Specifies the amount of time, in milliseconds, that can elapse before audit actions are forced to be processed. The default is 1000 (1 second); the maximum is 2,147,483,647. |
| properties.retentionDays | integer (int32) | Specifies the number of days to keep the audit logs in the storage account. |
| properties.state | BlobAuditingPolicyState | Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required. |
| properties.storageAccountAccessKey | string (password) | Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, omitting the key makes the server use its system-assigned managed identity, which must hold the Storage Blob Data Contributor role on the storage account (prerequisites are listed in the request body above). The key is never returned in responses. |
| properties.storageAccountSubscriptionId | string (uuid) | Specifies the blob storage subscription ID. |
| properties.storageEndpoint | string | Specifies the blob storage endpoint (for example https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required. |
| systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
| type | string | The type of the resource, for example "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts". |
ErrorAdditionalInfo

Object

The resource management error additional info.

| Name | Type | Description |
|---|---|---|
| info | object | The additional info. |
| type | string | The additional info type. |

ErrorDetail

Object

The error detail.

ErrorResponse

Object

Error response.

systemData

Object

Metadata pertaining to creation and last modification of the resource.

| Name | Type | Description |
|---|---|---|
| createdAt | string (date-time) | The timestamp of resource creation (UTC). |
| createdBy | string | The identity that created the resource. |
| createdByType | createdByType | The type of identity that created the resource. |
| lastModifiedAt | string (date-time) | The timestamp of resource last modification (UTC). |
| lastModifiedBy | string | The identity that last modified the resource. |
| lastModifiedByType | createdByType | The type of identity that last modified the resource. |