/// <summary>
/// Derives the per-target audit state (blob storage, Event Hub, Log Analytics) on
/// <paramref name="model"/> from the overall policy state and the fields already
/// present on the model.
/// </summary>
/// <param name="model">Audit model updated in place. Reads StorageAccountResourceId,
/// IsAzureMonitorTargetEnabled and DiagnosticsEnablingAuditCategory; writes the three
/// *TargetState properties and, when a matching diagnostic setting exists, the Event Hub
/// name / authorization rule id and the Log Analytics workspace id.</param>
/// <param name="policyState">Overall state of the auditing policy. Disabled switches every
/// target off without looking at the other fields.</param>
private static void DetermineTargetsState(AuditModelType model, BlobAuditingPolicyState policyState)
{
    bool policyEnabled = policyState != BlobAuditingPolicyState.Disabled;

    // The blob target is on only while the policy is on and a storage account is configured.
    model.BlobStorageTargetState = policyEnabled && !string.IsNullOrEmpty(model.StorageAccountResourceId)
        ? AuditStateType.Enabled
        : AuditStateType.Disabled;

    // Azure Monitor targets need the flag explicitly true (null counts as off) and a
    // diagnostic-settings collection to inspect.
    bool monitorEnabled = policyEnabled
        && model.IsAzureMonitorTargetEnabled == true
        && model.DiagnosticsEnablingAuditCategory != null;

    if (!monitorEnabled)
    {
        model.EventHubTargetState = AuditStateType.Disabled;
        model.LogAnalyticsTargetState = AuditStateType.Disabled;
        return;
    }

    // Event Hub: the first diagnostic setting that carries an authorization rule id.
    var eventHubSettings = model.DiagnosticsEnablingAuditCategory.FirstOrDefault(
        s => !string.IsNullOrEmpty(s.EventHubAuthorizationRuleId));
    if (eventHubSettings != null)
    {
        model.EventHubTargetState = AuditStateType.Enabled;
        model.EventHubName = eventHubSettings.EventHubName;
        model.EventHubAuthorizationRuleResourceId = eventHubSettings.EventHubAuthorizationRuleId;
    }
    else
    {
        model.EventHubTargetState = AuditStateType.Disabled;
    }

    // Log Analytics: the first diagnostic setting that carries a workspace id.
    var logAnalyticsSettings = model.DiagnosticsEnablingAuditCategory.FirstOrDefault(
        s => !string.IsNullOrEmpty(s.WorkspaceId));
    if (logAnalyticsSettings != null)
    {
        model.LogAnalyticsTargetState = AuditStateType.Enabled;
        model.WorkspaceResourceId = logAnalyticsSettings.WorkspaceId;
    }
    else
    {
        model.LogAnalyticsTargetState = AuditStateType.Disabled;
    }
}
/// <summary>
/// Initializes a new instance of the ServerDevOpsAuditingSettings class.
/// </summary>
/// <param name="state">State of the audit ('Enabled' or 'Disabled'). When Enabled, either
/// <paramref name="storageEndpoint"/> or <paramref name="isAzureMonitorTargetEnabled"/> is required.</param>
/// <param name="id">Resource ID.</param>
/// <param name="name">Resource name.</param>
/// <param name="type">Resource type.</param>
/// <param name="systemData">SystemData of ServerDevOpsAuditSettingsResource.</param>
/// <param name="isAzureMonitorTargetEnabled">Whether DevOps audit events are sent to Azure Monitor.
/// To send them, set <paramref name="state"/> to Enabled and this flag to true. When configuring
/// DevOps audit through the REST API, Diagnostic Settings with the 'DevOpsOperationsAudit' log
/// category must also be created on the master database:
/// PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/master/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview
/// See https://go.microsoft.com/fwlink/?linkid=2033207 (Diagnostic Settings REST API) or
/// https://go.microsoft.com/fwlink/?linkid=2033043 (Diagnostic Settings PowerShell).</param>
/// <param name="storageEndpoint">Blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net).
/// When the state is Enabled, this or <paramref name="isAzureMonitorTargetEnabled"/> is required.</param>
/// <param name="storageAccountAccessKey">Identifier key of the auditing storage account. This is an
/// account credential: keep it out of logs, traces and serialized diagnostics. When the state is Enabled
/// and a storage endpoint is given but no key, the SQL server's system-assigned managed identity is used
/// to access the storage instead. Prerequisites for that: (1) assign SQL Server a system-assigned managed
/// identity in Azure Active Directory (AAD); (2) grant that identity the 'Storage Blob Data Contributor'
/// RBAC role on the storage account. See https://go.microsoft.com/fwlink/?linkid=2114355.</param>
/// <param name="storageAccountSubscriptionId">Subscription Id of the blob storage account.</param>
public ServerDevOpsAuditingSettings(BlobAuditingPolicyState state, string id = null, string name = null, string type = null, SystemData systemData = null, bool? isAzureMonitorTargetEnabled = null, string storageEndpoint = null, string storageAccountAccessKey = null, System.Guid? storageAccountSubscriptionId = null)
    : base(id, name, type)
{
    State = state;
    StorageEndpoint = storageEndpoint;
    StorageAccountAccessKey = storageAccountAccessKey;
    StorageAccountSubscriptionId = storageAccountSubscriptionId;
    IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;
    SystemData = systemData;
    // Partial-class hook for hand-written initialization; runs after every property is set.
    CustomInit();
}
/// <summary>
/// Maps a <see cref="BlobAuditingPolicyState"/> to the string used on the wire.
/// </summary>
/// <param name="value">Enum member to serialize.</param>
/// <returns>"Enabled" or "Disabled" for the two known members; <c>null</c> for any
/// other (undefined) value.</returns>
internal static string ToSerializedValue(this BlobAuditingPolicyState value)
{
    if (value == BlobAuditingPolicyState.Enabled)
    {
        return "Enabled";
    }

    return value == BlobAuditingPolicyState.Disabled ? "Disabled" : null;
}
/// <summary>
/// Fills <paramref name="model"/> from a fetched blob-auditing policy: records the Azure Monitor
/// flag, delegates the storage fields to ModelizeStorageInfo, then derives the per-target states.
/// </summary>
/// <param name="model">Audit model populated in place.</param>
/// <param name="state">Overall policy state; also decides the "enabled" flag handed to ModelizeStorageInfo.</param>
/// <param name="storageEndpoint">Passed through to ModelizeStorageInfo.</param>
/// <param name="isSecondary">Passed through to ModelizeStorageInfo (presumably whether the secondary storage key is in use).</param>
/// <param name="storageAccountSubscriptionId">Passed through to ModelizeStorageInfo.</param>
/// <param name="isAzureMonitorTargetEnabled">Copied onto the model before target states are derived.</param>
/// <param name="retentionDays">Passed through to ModelizeStorageInfo.</param>
internal void ModelizeAuditPolicy(AuditModelType model, BlobAuditingPolicyState state, string storageEndpoint, bool? isSecondary, Guid? storageAccountSubscriptionId, bool? isAzureMonitorTargetEnabled, int? retentionDays)
{
    // DetermineTargetsState reads this flag from the model, so it must be set first.
    model.IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;

    bool auditEnabled = IsAuditEnabled(state);
    ModelizeStorageInfo(model, storageEndpoint, isSecondary, storageAccountSubscriptionId, auditEnabled, retentionDays);
    DetermineTargetsState(model, state);
}
/// <summary>
/// Initializes a new instance of the ServerBlobAuditingPolicyInner class.
/// </summary>
/// <param name="state">State of the policy ('Enabled' or 'Disabled'). When Enabled, either
/// <paramref name="storageEndpoint"/> or <paramref name="isAzureMonitorTargetEnabled"/> is required.</param>
/// <param name="id">Resource ID.</param>
/// <param name="name">Resource name.</param>
/// <param name="type">Resource type.</param>
/// <param name="storageEndpoint">Blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net);
/// required when the state is Enabled.</param>
/// <param name="storageAccountAccessKey">Identifier key of the auditing storage account; required when
/// the state is Enabled and a storage endpoint is given. This is an account credential: keep it out of
/// logs, traces and serialized diagnostics.</param>
/// <param name="retentionDays">Number of days to keep audit logs in the storage account.</param>
/// <param name="auditActionsAndGroups">Action groups and actions to audit.
/// Recommended combination (also what the Azure portal configures by default): BATCH_COMPLETED_GROUP,
/// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP - this audits every
/// query and stored procedure executed against the database plus successful and failed logins.
/// Supported groups (choose only those covering your needs; unnecessary groups can produce very large
/// quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP,
/// DATABASE_LOGOUT_GROUP, DATABASE_OBJECT_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP,
/// DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OPERATION_GROUP, DATABASE_PERMISSION_CHANGE_GROUP,
/// DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP,
/// FAILED_DATABASE_AUTHENTICATION_GROUP, SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP,
/// SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP, SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP,
/// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, USER_CHANGE_PASSWORD_GROUP, BATCH_STARTED_GROUP,
/// BATCH_COMPLETED_GROUP. The BATCH_* groups already cover all SQL statements and stored procedures, so
/// combining them with other groups yields duplicate audit logs. See
/// https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups.
/// For a database auditing policy (not a server one), individual actions SELECT, UPDATE, INSERT, DELETE,
/// EXECUTE, RECEIVE and REFERENCES may also be specified in the form "{action} ON {object} BY {principal}",
/// where {object} is a table, view or stored procedure, or a whole database / schema written as
/// DATABASE::{db_name} / SCHEMA::{schema_name}; e.g. "SELECT on dbo.myTable by public",
/// "SELECT on DATABASE::myDatabase by public", "SELECT on SCHEMA::mySchema by public". See
/// https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions.</param>
/// <param name="storageAccountSubscriptionId">Subscription Id of the blob storage account.</param>
/// <param name="isStorageSecondaryKeyInUse">Whether <paramref name="storageAccountAccessKey"/> is the
/// storage account's secondary key.</param>
/// <param name="isAzureMonitorTargetEnabled">Whether audit events are sent to Azure Monitor. To send
/// them, set <paramref name="state"/> to Enabled and this flag to true. When configuring auditing through
/// the REST API, Diagnostic Settings with the 'SQLSecurityAuditEvents' log category must also be created
/// on the database (for a server-level audit use 'master' as {databaseName}):
/// PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview
/// See https://go.microsoft.com/fwlink/?linkid=2033207 (Diagnostic Settings REST API) or
/// https://go.microsoft.com/fwlink/?linkid=2033043 (Diagnostic Settings PowerShell).</param>
public ServerBlobAuditingPolicyInner(BlobAuditingPolicyState state, string id = null, string name = null, string type = null, string storageEndpoint = null, string storageAccountAccessKey = null, int? retentionDays = null, IList<string> auditActionsAndGroups = null, System.Guid? storageAccountSubscriptionId = null, bool? isStorageSecondaryKeyInUse = null, bool? isAzureMonitorTargetEnabled = null)
    : base(id, name, type)
{
    State = state;
    IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;
    AuditActionsAndGroups = auditActionsAndGroups;
    RetentionDays = retentionDays;
    StorageEndpoint = storageEndpoint;
    StorageAccountAccessKey = storageAccountAccessKey;
    IsStorageSecondaryKeyInUse = isStorageSecondaryKeyInUse;
    StorageAccountSubscriptionId = storageAccountSubscriptionId;
    // Partial-class hook for hand-written initialization; runs after every property is set.
    CustomInit();
}
/// <summary>
/// Initializes a new instance of the ExtendedDatabaseBlobAuditingPolicy class.
/// </summary>
/// <param name="state">State of the audit ('Enabled' or 'Disabled'). When Enabled, either
/// <paramref name="storageEndpoint"/> or <paramref name="isAzureMonitorTargetEnabled"/> is required.</param>
/// <param name="id">Resource ID.</param>
/// <param name="name">Resource name.</param>
/// <param name="type">Resource type.</param>
/// <param name="predicateExpression">Condition of the WHERE clause applied when creating an audit.</param>
/// <param name="retentionDays">Number of days to keep audit logs in the storage account.</param>
/// <param name="auditActionsAndGroups">Action groups and actions to audit.
/// Recommended combination (also what the Azure portal configures by default): BATCH_COMPLETED_GROUP,
/// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP - this audits every
/// query and stored procedure executed against the database plus successful and failed logins.
/// Supported groups (choose only those covering your needs; unnecessary groups can produce very large
/// quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP,
/// DATABASE_LOGOUT_GROUP, DATABASE_OBJECT_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP,
/// DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OPERATION_GROUP, DATABASE_PERMISSION_CHANGE_GROUP,
/// DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP,
/// FAILED_DATABASE_AUTHENTICATION_GROUP, SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP,
/// SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP, SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP,
/// SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, USER_CHANGE_PASSWORD_GROUP, BATCH_STARTED_GROUP,
/// BATCH_COMPLETED_GROUP. The BATCH_* groups already cover all SQL statements and stored procedures, so
/// combining them with other groups yields duplicate audit logs. See
/// https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-action-groups.
/// For a database auditing policy (not a server one), individual actions SELECT, UPDATE, INSERT, DELETE,
/// EXECUTE, RECEIVE and REFERENCES may also be specified in the form "{action} ON {object} BY {principal}",
/// where {object} is a table, view or stored procedure, or a whole database / schema written as
/// DATABASE::{db_name} / SCHEMA::{schema_name}; e.g. "SELECT on dbo.myTable by public",
/// "SELECT on DATABASE::myDatabase by public", "SELECT on SCHEMA::mySchema by public". See
/// https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions#database-level-audit-actions.</param>
/// <param name="isStorageSecondaryKeyInUse">Whether <paramref name="storageAccountAccessKey"/> is the
/// storage account's secondary key.</param>
/// <param name="isAzureMonitorTargetEnabled">Whether audit events are sent to Azure Monitor. To send
/// them, set <paramref name="state"/> to Enabled and this flag to true. When configuring auditing through
/// the REST API, Diagnostic Settings with the 'SQLSecurityAuditEvents' log category must also be created
/// on the database (for a server-level audit use 'master' as {databaseName}):
/// PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview
/// See https://go.microsoft.com/fwlink/?linkid=2033207 (Diagnostic Settings REST API) or
/// https://go.microsoft.com/fwlink/?linkid=2033043 (Diagnostic Settings PowerShell).</param>
/// <param name="queueDelayMs">Time in milliseconds that may elapse before audit actions are forced to be
/// processed. The default minimum value is 1000 (1 second); the maximum is 2,147,483,647.</param>
/// <param name="storageEndpoint">Blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net).
/// When the state is Enabled, this or <paramref name="isAzureMonitorTargetEnabled"/> is required.</param>
/// <param name="storageAccountAccessKey">Identifier key of the auditing storage account. This is an
/// account credential: keep it out of logs, traces and serialized diagnostics. When the state is Enabled
/// and a storage endpoint is given but no key, the SQL server's system-assigned managed identity is used
/// to access the storage instead. Prerequisites for that: (1) assign SQL Server a system-assigned managed
/// identity in Azure Active Directory (AAD); (2) grant that identity the 'Storage Blob Data Contributor'
/// RBAC role on the storage account. See https://go.microsoft.com/fwlink/?linkid=2114355.</param>
/// <param name="storageAccountSubscriptionId">Subscription Id of the blob storage account.</param>
public ExtendedDatabaseBlobAuditingPolicy(BlobAuditingPolicyState state, string id = null, string name = null, string type = null, string predicateExpression = null, int? retentionDays = null, IList<string> auditActionsAndGroups = null, bool? isStorageSecondaryKeyInUse = null, bool? isAzureMonitorTargetEnabled = null, int? queueDelayMs = null, string storageEndpoint = null, string storageAccountAccessKey = null, System.Guid? storageAccountSubscriptionId = null)
    : base(id, name, type)
{
    State = state;
    PredicateExpression = predicateExpression;
    QueueDelayMs = queueDelayMs;
    RetentionDays = retentionDays;
    AuditActionsAndGroups = auditActionsAndGroups;
    IsAzureMonitorTargetEnabled = isAzureMonitorTargetEnabled;
    StorageEndpoint = storageEndpoint;
    StorageAccountAccessKey = storageAccountAccessKey;
    IsStorageSecondaryKeyInUse = isStorageSecondaryKeyInUse;
    StorageAccountSubscriptionId = storageAccountSubscriptionId;
    // Partial-class hook for hand-written initialization; runs after every property is set.
    CustomInit();
}
/// <summary>
/// Tells whether a policy state means auditing is on; only
/// <see cref="BlobAuditingPolicyState.Enabled"/> counts as enabled.
/// </summary>
/// <param name="state">Policy state to test.</param>
/// <returns><c>true</c> for Enabled, <c>false</c> for any other value.</returns>
private bool IsAuditEnabled(BlobAuditingPolicyState state) => state == BlobAuditingPolicyState.Enabled;
public static string ToSerialString(this BlobAuditingPolicyState value) => value switch {