Ensure that 'Auditing' Retention is 'greater than 90 days'

LOW

Description

Description:

SQL Server Audit Retention should be configured to be greater than 90 days.

Rationale:

Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.

Remediation

From Azure Portal

  1. Go to 'SQL servers'
  2. For each server instance
  3. Click on 'Auditing'
  4. If storage is selected, expand 'Advanced properties'
  5. Set the 'Retention (days)' setting to a value greater than '90' days, or to '0' for unlimited retention.
  6. Select 'Save'

From PowerShell

For each server, set the retention policy to 90 days or more

Log Analytics Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL server name>" -RetentionInDays <Number of days to retain the audit logs, should be 90 days minimum> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name>"

Event Hub Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL server name>" -EventHubTargetState Enabled -EventHubName "<event hub name>" -EventHubAuthorizationRuleResourceId "<event hub authorization rule resource ID>"

Blob Storage Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL server name>" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>"
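
To verify the setting across servers after remediation, the following check is an added example and not part of the benchmark text. The function name Test-SqlAuditRetention and the sample objects are constructed for illustration, and the input is assumed to expose the properties returned by Get-AzSqlServerAudit. It applies the title's strict reading (more than 90 days, or 0 for unlimited) and, because the portal steps set retention only when storage is selected, reports other targets for manual review.

```powershell
# Added example. Input objects are assumed to expose the properties
# returned by Get-AzSqlServerAudit.
function Test-SqlAuditRetention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Audit,
        [int] $MinimumDays = 90   # title's rule: retention must exceed this
    )
    process {
        $blob  = "$($Audit.BlobStorageTargetState)" -eq 'Enabled'
        $other = "$($Audit.LogAnalyticsTargetState)" -eq 'Enabled' -or
                 "$($Audit.EventHubTargetState)" -eq 'Enabled'
        $days  = $Audit.RetentionInDays

        if (-not ($blob -or $other)) {
            $result = 'FAIL';   $reason = 'no audit target is enabled'
        } elseif (-not $blob) {
            $result = 'REVIEW'; $reason = 'no storage target; check retention at the destination'
        } elseif ($null -eq $days) {
            $result = 'REVIEW'; $reason = 'retention value not returned'
        } elseif ([int]$days -eq 0) {
            $result = 'PASS';   $reason = 'unlimited retention (0)'
        } elseif ([int]$days -gt $MinimumDays) {
            $result = 'PASS';   $reason = "$days days"
        } else {
            $result = 'FAIL';   $reason = "$days days, not greater than $MinimumDays"
        }
        [pscustomobject]@{
            ResourceGroup = $Audit.ResourceGroupName
            Server        = $Audit.ServerName
            Result        = $result
            Reason        = $reason
        }
    }
}

# Constructed sample objects so the check runs without an Azure session.
$sample = @(
    [pscustomobject]@{ ResourceGroupName = 'rg-a'; ServerName = 'sql-a'; BlobStorageTargetState = 'Enabled';  RetentionInDays = 30 }
    [pscustomobject]@{ ResourceGroupName = 'rg-a'; ServerName = 'sql-b'; BlobStorageTargetState = 'Enabled';  RetentionInDays = 0 }
    [pscustomobject]@{ ResourceGroupName = 'rg-b'; ServerName = 'sql-c'; BlobStorageTargetState = 'Enabled';  RetentionInDays = 90 }
    [pscustomobject]@{ ResourceGroupName = 'rg-b'; ServerName = 'sql-d'; BlobStorageTargetState = 'Disabled'; LogAnalyticsTargetState = 'Enabled' }
    [pscustomobject]@{ ResourceGroupName = 'rg-c'; ServerName = 'sql-e'; BlobStorageTargetState = 'Disabled' }
)
$sample | Test-SqlAuditRetention | Format-Table -AutoSize

# Live use, after Connect-AzAccount:
# Get-AzSqlServer | ForEach-Object {
#     Get-AzSqlServerAudit -ResourceGroupName $_.ResourceGroupName -ServerName $_.ServerName
# } | Test-SqlAuditRetention
```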