From 9e4145f9c6afab0eeafeb975cd4712ad350b88d5 Mon Sep 17 00:00:00 2001 From: long0712 <87366891+ljun0712@users.noreply.github.com> Date: Fri, 25 Apr 2025 16:45:07 +0800 Subject: [PATCH 1/8] Update tidb-cloud-auditing.md Updated the database audit log description for Azure deployment scenarios --- tidb-cloud/tidb-cloud-auditing.md | 46 +++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 1cd8b00a5418a..0996e692535f4 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -174,6 +174,52 @@ In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dial > - After enabling audit logging, if you make any new changes to the bucket URI or location, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. > - To remove TiDB Cloud's access to your GCS bucket, delete the trust policy granted to this cluster in the Google Cloud console. +### Enable audit logging for Azure + +#### Step 1. Create an Azure Blob + +Specify Blob Storage in your corporate-owned Azure account as a destination to which TiDB Cloud writes the audit logs. + +For more information, see [Create an Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in the Azure User Guide. + +#### Step 2. Configure Azure Blob access + +1. In the Azure Management Console, go to **Storage Accounts**, select a **Storage Account** that you want to prepare for the database audit log, and enter the **Storage Account** management panel. +2. In the management panel, go to **Data storage > Containers**, click ** + Container ** to create a storage container for the audit log. +3. Select the Container you want to access, click **...**, and select **Container properties**. Get the access URL of the Blob in the **Container** properties panel for later use. +4. Select the Container you want to access, click **...**, and select Generate SAS to enter the operation panel. + + 1. For the option **Signing method**, click **Account key**. + 2. For the option **Permissions**, select **Write**, **Read**, **Create** to ensure that the audit log file can be written to the Blob normally based on SAS token. + 3. For the option **Start and expiry date/time**, set the validity period of SAS token. + 4. For the option **Allowed protocols**, select **HTTPS only** to ensure the security of access. + 5. Click **Generate SAS token and URL**. + 6. 
Get the **Blob SAS token** in the panel for later use. + +> **Note:** +> +> - Audit log is a long-term active function. You need to set a longer-term SAS token. However, a long-term token may bring the risk of information leakage. Therefore, considering security considerations, it is recommended that you replace your SAS token every six months or every year. +> - You need to generate and replace a new SAS token for the database audit log before the SAS token expires to ensure the availability of the audit log function. +> - SAS token cannot be revoked. Please set the validity period of SAS token reasonably. + +#### Step 3. Enable audit logging + +In the TiDB Cloud console, enter the Enable Database Audit Logging dialog box and perform the following steps: + +1. Enter the URL of the storage container where the audit log files are to be written in the Blob URL field. +2. Enter the SAS token associated with the audit log storage container in the SAS Token field. +3. Click Test Connection to verify whether TiDB Cloud can access and write to the container. + +If it is successful, The connection is successfully is displayed. Otherwise, check your access configuration. + +4. Click Enable to enable audit logging for the cluster. + +TiDB Cloud is ready to write audit logs for the specified cluster to your Azure Blob. + +> **Note:** +> +> After enabling audit logging, if you make any new changes to the bucket URI, location, or ARN, you must click Test Connection again to verify that TiDB Cloud can connect to the bucket. Then, click Enable to apply the changes. + ## Specify auditing filter rules After enabling audit logging, you must specify auditing filter rules to control which user access events to capture and write to audit logs. If no filter rules are specified, TiDB Cloud does not log anything. From 14591dad905af811fe6f64d9980432d968acb9c7 Mon Sep 17 00:00:00 2001 
From: Grace Cai Date: Fri, 25 Apr 2025 17:49:36 +0800 Subject: [PATCH 2/8] Update tidb-cloud-auditing.md --- tidb-cloud/tidb-cloud-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 0996e692535f4..4ca9e13373806 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -65,7 +65,7 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon - If yes, record the matched storage bucket policy for later use. - If not, go to **IAM** > **Access Management** > **Policies** > **Create Policy**, and define a bucket policy according to the following policy template. - ```json + ``` { "Version": "2012-10-17", "Statement": [ From 2d67d375acb9c333cf770bc8e36ff8c1a986be3b Mon Sep 17 00:00:00 2001 From: Test User Date: Wed, 30 Apr 2025 13:14:00 +0800 Subject: [PATCH 3/8] update the descriptions according to the UI --- tidb-cloud/tidb-cloud-auditing.md | 77 ++++++++++++++++++++----------- 1 file changed, 51 insertions(+), 26 deletions(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 4ca9e13373806..f58db345bbae8 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -176,49 +176,74 @@ In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dial ### Enable audit logging for Azure -#### Step 1. Create an Azure Blob +To enable audit logging for Azure, take the following steps: -Specify Blob Storage in your corporate-owned Azure account as a destination to which TiDB Cloud writes the audit logs. +#### Step 1. Create an Azure storage account -For more information, see [Create an Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in the Azure User Guide. +Create an Azure storage account in your organization's Azure subscription as the destination to which TiDB Cloud writes the database audit logs. + +For more information, see [Create an Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in Azure documentation. #### Step 2. Configure Azure Blob access -1. In the Azure Management Console, go to **Storage Accounts**, select a **Storage Account** that you want to prepare for the database audit log, and enter the **Storage Account** management panel. -2. In the management panel, go to **Data storage > Containers**, click ** + Container ** to create a storage container for the audit log. -3. Select the Container you want to access, click **...**, and select **Container properties**. Get the access URL of the Blob in the **Container** properties panel for later use. -4. Select the Container you want to access, click **...**, and select Generate SAS to enter the operation panel. +1. In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs as follows: - 1. For the option **Signing method**, click **Account key**. - 2. For the option **Permissions**, select **Write**, **Read**, **Create** to ensure that the audit log file can be written to the Blob normally based on SAS token. - 3. 
For the option **Start and expiry date/time**, set the validity period of SAS token. - 4. For the option **Allowed protocols**, select **HTTPS only** to ensure the security of access. - 5. Click **Generate SAS token and URL**. - 6. Get the **Blob SAS token** in the panel for later use. + 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then select the storage account for storing database audit logs. -> **Note:** -> -> - Audit log is a long-term active function. You need to set a longer-term SAS token. However, a long-term token may bring the risk of information leakage. Therefore, considering security considerations, it is recommended that you replace your SAS token every six months or every year. -> - You need to generate and replace a new SAS token for the database audit log before the SAS token expires to ensure the availability of the audit log function. -> - SAS token cannot be revoked. Please set the validity period of SAS token reasonably. + >**Tip:** + > + > If the left navigation pane is hidden, click the menu button in the upper-left corner to toggle its visibility. + + 2. In the navigation pane for the selected storage account, click **Data storage > Containers**, and then click **+ Container** to open the **New container** pane. + 3. In the **New container** pane, enter a name for your new container, set the anonymous access level (the recommended level is **Private**, which means no anonymous access), and then click **Create**. The new container will be created and displayed in the container list in a few seconds. + +2. Get the URL of the target container: + + 1. In the container list, select the target container, click **...** for the container, and then select **Container properties**. + 2. On the displayed properties page, copy the **URL** value for later use, and then return to the container list. + +3. Generate a SAS token for the target container: + + 1. 
In the container list, select the target container, click **...** for the container, and then select **Generate SAS**. + 2. In the displayed **Generate SAS** pane, select **Account key** for **Signing method**. + 3. In the **Permissions** drop-down list, select **Read**, **Write**, and **Create** to allow writing audit log files. + 4. In the **Start** and **Expiry** fields, specify a validity period for the SAS token. + + > **Note:** + > + > - Audit logging is a long-term feature that requires a SAS token with a sufficiently long validity period. However, longer validity increases the risk of token leakage. For security, it is recommended to replace your SAS token every six to twelve months. + > - The generated SAS token cannot be revoked, so you need to set its validity period carefully. + > - Make sure to re-generate and update the SAS token before it expires to ensure continuous availability of audit logs. + + 5. For **Allowed protocols**, select **HTTPS only** to ensure secure access. + 6. Click **Generate SAS token and URL**, and then copy the displayed **Blob SAS token** for later use. #### Step 3. Enable audit logging -In the TiDB Cloud console, enter the Enable Database Audit Logging dialog box and perform the following steps: +1. In the TiDB Cloud console, navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project. -1. Enter the URL of the storage container where the audit log files are to be written in the Blob URL field. -2. Enter the SAS token associated with the audit log storage container in the SAS Token field. -3. Click Test Connection to verify whether TiDB Cloud can access and write to the container. + > **Tip:** + > + > If you have multiple projects, you can click in the lower-left corner and switch to another project. -If it is successful, The connection is successfully is displayed. Otherwise, check your access configuration. +2. 
Click the name of your target cluster to go to its overview page, and then click **DB Audit Logging** in the left navigation pane. +3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. +4. In the **Enable Database Audit Logging** dialog, provide the blob URL and SAS token that you obtained from [Step 2. Configure Azure Blob access](#step-2-configure-azure-blob-access): + + - In the **Blob URL** field, enter the URL of the container where audit logs will be stored. + - In the **SAS Token** field, enter the SAS token for accessing the container. + +5. Click **Test Connection** to verify whether TiDB Cloud can access and write to the container. + + If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. -4. Click Enable to enable audit logging for the cluster. +6. Click **Enable** to enable audit logging for the cluster. -TiDB Cloud is ready to write audit logs for the specified cluster to your Azure Blob. + TiDB Cloud is ready to write audit logs for the specified cluster to your Azure blob container. > **Note:** > -> After enabling audit logging, if you make any new changes to the bucket URI, location, or ARN, you must click Test Connection again to verify that TiDB Cloud can connect to the bucket. Then, click Enable to apply the changes. +> After enabling audit logging, if you make new changes to the **Blob URL** or **SAS Token** fields, you must click **Test Connection** again to verify that TiDB Cloud can connect to the container. Then, click **Enable** to apply the changes. ## Specify auditing filter rules From 2e385098c8051af4e323ef4ffd2488f84e870e20 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Tue, 6 May 2025 14:30:20 +0800 Subject: [PATCH 4/8] Update note format --- tidb-cloud/tidb-cloud-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index f58db345bbae8..9bf55de61e8af 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -190,7 +190,7 @@ For more information, see [Create an Azure storage account](https://learn.micros 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then select the storage account for storing database audit logs. - >**Tip:** + > **Tip:** > > If the left navigation pane is hidden, click the menu button in the upper-left corner to toggle its visibility. From fa5775848333c794f6afc4df930e12586ff4eea6 Mon Sep 17 00:00:00 2001 From: lilin90 Date: Tue, 6 May 2025 14:37:38 +0800 Subject: [PATCH 5/8] tidb-cloud: update wording and format for consistency --- tidb-cloud/tidb-cloud-auditing.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 9bf55de61e8af..f1ad726b4b7e1 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -186,7 +186,7 @@ For more information, see [Create an Azure storage account](https://learn.micros #### Step 2. Configure Azure Blob access -1. In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs as follows: +1. In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs. 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then select the storage account for storing database audit logs. 
@@ -195,14 +195,15 @@ For more information, see [Create an Azure storage account](https://learn.micros > If the left navigation pane is hidden, click the menu button in the upper-left corner to toggle its visibility. 2. In the navigation pane for the selected storage account, click **Data storage > Containers**, and then click **+ Container** to open the **New container** pane. + 3. In the **New container** pane, enter a name for your new container, set the anonymous access level (the recommended level is **Private**, which means no anonymous access), and then click **Create**. The new container will be created and displayed in the container list in a few seconds. -2. Get the URL of the target container: +2. Get the URL of the target container. 1. In the container list, select the target container, click **...** for the container, and then select **Container properties**. 2. On the displayed properties page, copy the **URL** value for later use, and then return to the container list. -3. Generate a SAS token for the target container: +3. Generate a SAS token for the target container. 1. In the container list, select the target container, click **...** for the container, and then select **Generate SAS**. 2. In the displayed **Generate SAS** pane, select **Account key** for **Signing method**. From 83f5f3749ebc61fc57de896e7c6ab79dee7fc968 Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Tue, 6 May 2025 14:49:03 +0800 Subject: [PATCH 6/8] Update tidb-cloud/tidb-cloud-auditing.md Co-authored-by: Lilian Lee --- tidb-cloud/tidb-cloud-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index f1ad726b4b7e1..14e50f2954db6 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -184,7 +184,7 @@ Create an Azure storage account in your organization's Azure subscription as the For more information, see [Create an Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in Azure documentation. -#### Step 2. Configure Azure Blob access +#### Step 2. Configure Azure Blob Storage access 1. In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs. From 3e725bd7eb191149e4c360190237d1c0fc90db3d Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Tue, 13 May 2025 11:44:43 +0800 Subject: [PATCH 7/8] Update tidb-cloud/tidb-cloud-auditing.md --- tidb-cloud/tidb-cloud-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 14e50f2954db6..5540265f516e9 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -188,7 +188,7 @@ For more information, see [Create an Azure storage account](https://learn.micros 1. In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs. - 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then select the storage account for storing database audit logs. + 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then click the storage account for storing database audit logs. > **Tip:** > From 9882431f59dd0fd949175f48f28331de6a464758 Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Wed, 14 May 2025 18:20:29 +0800 Subject: [PATCH 8/8] fix a broken link --- tidb-cloud/tidb-cloud-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 5540265f516e9..eb8b044ca9e8e 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -229,7 +229,7 @@ For more information, see [Create an Azure storage account](https://learn.micros 2. Click the name of your target cluster to go to its overview page, and then click **DB Audit Logging** in the left navigation pane. 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. -4. In the **Enable Database Audit Logging** dialog, provide the blob URL and SAS token that you obtained from [Step 2. Configure Azure Blob access](#step-2-configure-azure-blob-access): +4. In the **Enable Database Audit Logging** dialog, provide the blob URL and SAS token that you obtained from [Step 2. Configure Azure Blob access](#step-2-configure-azure-blob-storage-access): - In the **Blob URL** field, enter the URL of the container where audit logs will be stored. - In the **SAS Token** field, enter the SAS token for accessing the container.
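Review bot: on the PATCH 1 hunk (@@ -174,6 +174,52 @@), the closing Note carries AWS wording into the Azure section ("bucket URI, location, or ARN"); the Azure dialog exposes a Blob URL and a SAS Token, so the note should say that changing either of those requires clicking **Test Connection** again. Three more points in the same hunk: `** + Container **` has spaces inside the bold markers and will render literally, so write `**+ Container**`; the unindented paragraph "If it is successful, The connection is successfully is displayed." between steps 3 and 4 of Step 3 breaks the numbered list (indent it under step 3) and is ungrammatical unless it quotes the exact UI string, in which case bold the string; and "SAS token cannot be revoked" is too strong for a token signed with **Account key** (the signing method chosen in step 4.1), because regenerating that account key invalidates every SAS signed with it. Stating that gives operators a revocation path if a token leaks, which matters given the long validity the same note asks for.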
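Review bot: on the PATCH 2 hunk (@@ -65,7 +65,7 @@), removing the `json` tag from the fence drops syntax highlighting for the bucket policy template, and the commit message ("Update tidb-cloud-auditing.md") does not say why. If the template contains placeholders or comments that make it invalid JSON, say so in the commit message; otherwise keep the tag.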
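Review bot: on the PATCH 3 hunk (@@ -176,49 +176,74 @@), the Tip under step 1 of Step 3 reads "you can click in the lower-left corner" with no UI element named; the icon or label was evidently lost, so name it before merging. Also in this hunk: the success message "**The connection is successfully**" should be "The connection is successful" unless that is the literal UI string; step 3.3 grants **Read**, **Write**, and **Create** "to allow writing audit log files", but Read is not needed to write, so either document why TiDB Cloud requires it or drop it to keep the SAS least privilege; and the Note still states "The generated SAS token cannot be revoked", which is carried over from PATCH 1 and should mention that rotating the signing account key invalidates the token.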
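Review bot: on the first PATCH 5 hunk (@@ -186,7 +186,7 @@), replacing the colon with a period leaves "create a container used for storing database audit logs as follows." introducing a sub-list with a full stop; either keep the colon or drop "as follows" so the line matches the "Get the URL of the target container." wording used in the second hunk.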
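Review bot: on the PATCH 6 hunk (@@ -184,7 +184,7 @@), renaming the heading to "Step 2. Configure Azure Blob Storage access" changes its generated anchor, but the in-page link added in PATCH 3 (`[Step 2. Configure Azure Blob access](#step-2-configure-azure-blob-access)`) is not updated in this commit, so the link is broken until PATCH 8; a heading rename and its link updates belong in one commit.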
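Review bot: on the PATCH 8 hunk (@@ -229,7 +229,7 @@), the anchor is fixed but the link text still reads "Step 2. Configure Azure Blob access" while the heading is now "Step 2. Configure Azure Blob Storage access"; update the link text to match so readers searching the page for it find the heading.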