Ensure that 'Auditing' Retention is 'greater than 90 days'

MEDIUM

Description

Description:

SQL Server Audit Retention should be configured to be greater than 90 days.

Rationale:

Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.

Remediation

From Azure Portal

  1. Go to 'SQL servers'
  2. For each server instance
  3. Click on 'Auditing'
  4. If storage is selected, expand 'Advanced properties'
  5. Set 'Retention (days)' to a value greater than '90', or to '0' for unlimited retention.
  6. Select 'Save'

From PowerShell
For each Server, set retention policy to more than 90 days

Log Analytics Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL server name>" -RetentionInDays <Number of Days to retain the audit logs, should be more than 90 days> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name>"

Event Hub Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL server name>" -EventHubTargetState Enabled -EventHubName "<Event Hub name>" -EventHubAuthorizationRuleResourceId "<Event Hub authorization rule resource ID>"

Blob Storage Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL server name>" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>"
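
Checking the setting before and after remediation: the script below is an added example, not part of the original benchmark text. It classifies audit settings against the "greater than 90 days, or 0 for unlimited" rule; the function name Test-SqlAuditRetention and the sample objects are constructed for illustration, and the property names it reads (BlobStorageTargetState, RetentionInDays) are assumed to match what Get-AzSqlServerAudit returns.

```powershell
# Added example: classify SQL server audit settings against the >90 day rule.
function Test-SqlAuditRetention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Audit,
        [int] $MinimumDays = 90
    )
    process {
        $days = $Audit.RetentionInDays
        $status = if ("$($Audit.BlobStorageTargetState)" -ne 'Enabled') {
            # The portal steps only expose 'Retention (days)' when storage is
            # selected, so other targets are flagged for manual review.
            'Review'
        } elseif ($null -eq $days) {
            'Review'
        } elseif ([int]$days -eq 0 -or [int]$days -gt $MinimumDays) {
            'Pass'   # 0 means unlimited retention
        } else {
            'Fail'   # includes exactly 90: the rule is "greater than 90"
        }
        [pscustomobject]@{
            ResourceGroupName = $Audit.ResourceGroupName
            ServerName        = $Audit.ServerName
            RetentionInDays   = $days
            Status            = $status
        }
    }
}

# Constructed sample objects carrying only the properties read above.
$sample = @(
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ServerName = 'sql-unlimited'
                       BlobStorageTargetState = 'Enabled';  RetentionInDays = 0 }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ServerName = 'sql-short'
                       BlobStorageTargetState = 'Enabled';  RetentionInDays = 30 }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ServerName = 'sql-boundary'
                       BlobStorageTargetState = 'Enabled';  RetentionInDays = 90 }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ServerName = 'sql-ok'
                       BlobStorageTargetState = 'Enabled';  RetentionInDays = 120 }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ServerName = 'sql-nostorage'
                       BlobStorageTargetState = 'Disabled'; RetentionInDays = $null }
)
$sample | Test-SqlAuditRetention | Format-Table -AutoSize

# Against a live subscription (requires the Az.Sql module and Connect-AzAccount):
# Get-AzSqlServer | Get-AzSqlServerAudit | Test-SqlAuditRetention |
#     Where-Object Status -ne 'Pass'
```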