Azure-SecurityCenter-Monitor-SQL-Auditing

Severity: High

Description: This control ensures that for Every SQL Server audit is enabled configured to capture all actions and logs are retained for more than 90 days. On a SQL server default 'auditing' policy should be 'enabled' to capture appropriate 'AuditActionGroups' with at least 90 days of log retention. A server policy applies to all existing and newly created databases on the server. If SQL server auditing is enabled, it always applies to the database. It helps to maintain regulatory compliance, understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Remediation Steps:

Perform following to update parameters:

1. Login to Azure Portal using https://portal.azure.com.

2. Click SQL server instance to configure Audit policy

3. Click on Auditing.

4. Set Auditing to On.

5. For Audit log destination, Select Storage.

6. Click storage details to configure Storage Account and Retention Policy.

7. Set Retention (days) setting greater than 90 days or set to 0 for indefinite retention.

8. Click OK, Click save.

Important:

Reference:

• CIS Microsoft Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #4.1.1, 4.1.3

• https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers

• https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0

• https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0