Back to Blog
Azure

Find write queries

Audit for write operations on an Azure database

Cl

Claus Munch

Mar 04, 2026 ยท 1 min read

5 views
Find write queries

An auditor requested, if some specific users ever did any write statements to a production database. Log analytics to the rescue :)

//Find queries by users in the list, that did INSERT, UPDATE, DELETE, ALTER, CREATE and DROP

AzureDiagnostics
| where Category == "SQLSecurityAuditEvents"
| where action_name_s in ("BATCH COMPLETED")
| where server_principal_name_s in ("usr@domain.tld")
| where statement_s matches regex @"INSERT|UPDATE|DELETE|ALTER|CREATE|DROP"
| project
    TimeGenerated,
    User = server_principal_name_s,
    Action = action_name_s,
    Database = database_name_s,
    Statement = statement_s,
    ClientIP = client_ip_s,
    ApplicationName = application_name_s,
    Succeeded = succeeded_s
| order by TimeGenerated desc
Tags: Azure SQL Server Log Analytics KQL Audit
Share this article:

Related Articles

Space used by table

Space used by table

Sometimes we just need a simple list of space used for some tables

Azure bug

Azure bug

DTU count, determines if user can access VIEW SERVER PERFORMANCE STATE through role

Get index size and usage

Had a question about the usage of some indexes. Ended up with this script to document my findings.