Detections
Analytics

Ensure that 'Auditing' is set to 'On'

MEDIUM

Description

Description:

Enable auditing on SQL Servers.

Rationale:

The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited.
Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.

Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Remediation

From Azure Portal

  1. Go to 'SQL servers'
  2. For each server instance
  3. Click on 'Auditing'
  4. Set 'Enable Azure SQL Auditing' is set to 'On'

From Powershell

Get the list of all SQL Servers

Get-AzSqlServer

For each Server, enable auditing and set the retention for at least 90 days or longer.

Log Analytics Example

Set-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays <Number of Days to retain the audit logs, should be 90days minimum> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions//resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/

Event Hub Example

Set-AzSqlServerAudit -ResourceGroupName "" -ServerName "" -EventHubTargetState Enabled -EventHubName
"" -EventHubAuthorizationRuleResourceId ""

Blob Storage Example*

Set-AzSqlServerAudit -ResourceGroupName "" -ServerName "" -BlobStorageTargetState Enabled
-StorageAccountResourceId "/subscriptions//resourceGroups//providers/Microsoft.Stora
ge/storageAccounts/"

Policy Details

Rule Reference ID: AC_AZURE_0376
CSP: Azure
Remediation Available: Yes
Domain: Logging and Monitoring
Resource: azurerm_sql_server
Resource Category: Database
Resource Type: SQL Server

Frameworks