Audit Logs

Hi!

We detected possible anomalies in your Azure SQL Database on October 14 from 3:00pm to 9:00pm (UTC). Since then, we’ve enabled all logs and have not seen further issues. What’s the best way to obtain additional diagnostic telemetry?

Thank you!

Hello again Full Of Tradition,

Thanks for the providing additional context.

Since the anomalies occurred on October 14 (before you enabled logging), the key challenge is that Azure SQL Database only retains telemetry that was actively captured at the time. Unfortunately, if Auditing, Diagnostic Settings, or Microsoft Defender for Cloud were not enabled during that window (3:00 PM to 9:00 PM UTC), then detailed historical data—such as specific queries, login attempts, or source IP addresses—is not available to customers afterward.

However, Microsoft may retain limited internal telemetry for security and operational purposes. If you suspect a genuine security incident (e.g., data exfiltration, unauthorized access), your best next step is to open a support case with Microsoft immediately and request a security investigation. During such a case, Microsoft’s security or support teams can check internal logs (like gateway logs or threat detection signals) that aren’t exposed to customers but may include connection sources, error patterns, or anomalous behavior indicators from that timeframe.

To initiate this:

• Go to the Azure portal > Help + support > New support request.
• Choose Technical > Security concern as the issue type.
• Clearly state the time window (October 14, 15:00–21:00 UTC) and describe the anomalies observed (e.g., unexpected CPU spikes, logins from unknown regions, etc.).

For future readiness, ensure these are enabled:

• SQL Auditing: Captures database-level events, including client IP addresses and T-SQL statements. https://free.blessedness.top/en-us/azure/azure-sql/database/auditing-overview
• Diagnostic Settings: Streams metrics and logs (like SQLInsights, QueryStoreRuntimeStatistics) to Log Analytics for deep analysis. https://free.blessedness.top/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure
• Microsoft Defender for SQL: Provides threat detection with alerts for suspicious activities (e.g., potential SQL injection, anomalous login patterns). https://free.blessedness.top/en-us/azure/defender-for-cloud/defender-for-sql-introduction

If you haven’t already, also review the Azure SQL Database performance insights and Query Store (if enabled), as they might still hold query-level data from that period—though they don’t capture IP addresses.

Let me know if you’d like help drafting the support request or interpreting any logs you’ve collected since enabling monitoring.
Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

Thanks

Pratyush

Hello Full Of Tradition, just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thanks

Pratyush

Hi!

Thank you for your answer.

I can't open a new support request. After click on the link I have this option"Describe your issue" but never ends with a "open a request" or similar....

Thank you

Thanks for pointing that out, this is a common experience when your Azure subscription doesn’t have an active support plan. By default, all Azure accounts include free access to billing and subscription management support, but technical or security support (including incident investigations) requires a paid support plan like Developer, Standard, or Premier.

If you don’t have a support plan, you won’t see the option to actually submit a technical support request—only the “Describe your issue” screen without a final “Create” button.

What you can do:

1. Check if you have any support plan: Go to the Azure portal > Help + support > Support plans. If you only see “Basic” (which is free), you’ll need to upgrade to at least the Developer plan ($29/month) to open technical cases. More details: https://azure.microsoft.com/en-in/support/plans

2. If this is a suspected security breach, and you don’t have a support plan:

• Contact Microsoft Defender for Cloud support through the Microsoft Security portal, which sometimes allows security-related submissions even without a standard Azure support plan. Visit: https://security.microsoft.com Sign in with your Azure account > Go to Settings > Support > Submit a request. (This path is available for tenants with Defender for Cloud enabled, even on free tiers.)

3. Use Azure’s “Report a vulnerability” channel (for confirmed or high-severity security issues): If you believe customer data was compromised or there’s evidence of exploitation, you can report it via Microsoft’s coordinated vulnerability disclosure program: https://msrc.microsoft.com/create-report

4. For immediate log review (even post-incident): Double-check if any diagnostic data was captured during the incident window:

• In the Azure portal, go to your SQL database > Monitoring > Logs.
• Run this query in Log Analytics (if you had Diagnostic Settings enabled even partially):

    123AzureDiagnostics
    | where TimeGenerated between (datetime(2025-10-14T15:00:00Z) .. datetime(2025-10-14T21:00:00Z))
    | where ResourceProvider == "MICROSOFT.SQL"
  

• Also check SQL Auditing logs in your storage account (if auditing was on, even briefly).

All referenced links are verified and active as of October 21, 2025.

If none of these paths work and the concern is serious, consider escalating through your organization’s Microsoft account team (if you’re an enterprise customer) or purchasing a one-time support incident (available in some regions via the Azure portal under “Support + troubleshooting” > “New support request” > “One-time assistance”).

Let me know your subscription type or whether Defender for Cloud is enabled—I can help narrow the best path.

Thanks

Pratyush