1,572 questions
False positives for SQL Server Auditing in Azure Defender
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 6%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Alexandre Ratte
0
Reputation points
Azure Defender shows an Azure SQL Server vulnerability where Auditing should be enabled at the server level. However, when looking at the Auditing section for the affecrted SQL Server resource, it is in fact enabled and correctly configured.
Furthermore, looking at the targeted Storage Account, I see audit logs being written to the sqldbauditlogs container up to today's date for the master database. Only two SQL Servers are affected by this finding out of ~60.
Any clue what could be causing this?
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
{count} votes
-
Raja Pothuraju 27,510 Reputation points Microsoft External Staff Moderator2025-07-23T22:29:05.19+00:00 Hello Alexandre Ratte,
Based on your description, I understand that you have enabled Azure SQL Auditing at the server level for your SQL servers. However, you're still seeing the following Microsoft Defender for Cloud recommendation flagged under “SQL databases should have vulnerability findings resolved”:
Finding: “Auditing should be enabled at the server level”
If this is indeed a false positive, I’ll coordinate with our engineering team to investigate this further. However, to proceed, I’ll need some additional details from your end.
Since this involves Personally Identifiable Information (PII), please share the following items via private message:
- Subscription ID
- Resource ID of the affected SQL resource
- Tenant ID
Additionally, please provide the following screenshots:
A screenshot of Auditing enabled at the server level in the Azure Portal
A screenshot of the Defender for Cloud recommendation and finding
Run the SQL query provided in the finding, using either SQL Server Management Studio (SSMS) or Azure Data Studio, connected to the relevant Azure SQL Database
While running the SQL query if you get any error, please attach the screenshot.
This will help us validate the state and investigate why the recommendation is still being flagged despite auditing being enabled.
-
Raja Pothuraju 27,510 Reputation points Microsoft External Staff Moderator
2025-07-28T13:09:23.3066667+00:00 Hello Alexandre Ratte,
I just wanted to check if you'd be interested in taking this offline to get this resolved. Please share the necessary details in private message so I can proceed with engaging our engineering team.
Sign in to comment
Sign in to answer