Description:

SQL Server Audit Retention should be configured to be greater than 90 days. This allows you to collect the amount of audit data needed to check for anomalies, potential security breaches, or misuse of information and access to your SQL database.

Rationale:

Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.

Impact:

A log data retention period of 90 days or more should allow you to collect the necessary amount of audit data useful to check for anomalies and potential security breaches.


Default Value:

By default, SQL Server audit storage is disabled.

Audit:

From Azure Console

  1. Go to SQL servers

  2. For each server instance

  3. Click on Auditing

  4. Select Storage Details

  5. Ensure the Retention (days) setting is greater than 90 days

Using Azure PowerShell

Get the list of all SQL Servers

Get-AzureRmSqlServer

For each Server

Get-AzureRmSqlServerAuditing -ResourceGroupName <resource group name> -ServerName <server name>

Ensure that RetentionInDays is set to more than or equal to 90
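
The PowerShell audit steps above, combined into one pass over every server, as an added example that is not part of the original benchmark text. It applies the "90 or more" check to RetentionInDays and also fails servers where auditing is not enabled. Assumptions: the AuditState property on the returned object, the function names, the sample server names, and the treatment of a retention of 0 as unlimited.

```powershell
# Added example. RetentionInDays is named in the steps above; AuditState is assumed
# to be a property of the object returned by Get-AzureRmSqlServerAuditing.
function Get-RetentionStatus {
    param($AuditState, $RetentionInDays, [int]$MinimumDays = 90)
    if ("$AuditState" -ne 'Enabled') { return 'FAIL: auditing not enabled' }
    if ($null -eq $RetentionInDays)  { return 'REVIEW: retention not reported' }
    # Assumption: 0 means the logs are kept indefinitely, so it is not a short retention.
    if ([int]$RetentionInDays -eq 0) { return 'REVIEW: 0 days (unlimited retention assumed)' }
    if ([int]$RetentionInDays -lt $MinimumDays) {
        return "FAIL: $RetentionInDays days is below $MinimumDays"
    }
    return 'PASS'
}

function Get-SqlAuditRetentionReport {
    # Runs the two cmdlets from the audit steps against every server returned.
    # Requires the AzureRM.Sql module and a signed-in session.
    foreach ($server in Get-AzureRmSqlServer) {
        $audit = Get-AzureRmSqlServerAuditing -ResourceGroupName $server.ResourceGroupName `
                                              -ServerName $server.ServerName
        [pscustomobject]@{
            ResourceGroup   = $server.ResourceGroupName
            Server          = $server.ServerName
            AuditState      = "$($audit.AuditState)"
            RetentionInDays = $audit.RetentionInDays
            Status          = Get-RetentionStatus $audit.AuditState $audit.RetentionInDays
        }
    }
}

# Constructed sample settings (not real servers) to check the classification offline.
$samples = @(
    [pscustomobject]@{ Server = 'sql-example-01'; AuditState = 'Disabled'; RetentionInDays = 0 }
    [pscustomobject]@{ Server = 'sql-example-02'; AuditState = 'Enabled';  RetentionInDays = 30 }
    [pscustomobject]@{ Server = 'sql-example-03'; AuditState = 'Enabled';  RetentionInDays = 90 }
    [pscustomobject]@{ Server = 'sql-example-04'; AuditState = 'Enabled';  RetentionInDays = 0 }
)
$samples | ForEach-Object {
    [pscustomobject]@{
        Server = $_.Server
        Status = Get-RetentionStatus $_.AuditState $_.RetentionInDays
    }
} | Format-Table -AutoSize

# Against a live subscription:
#   Get-SqlAuditRetentionReport | Where-Object Status -ne 'PASS'
```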

Remediation:

From Azure Console

  1. Go to SQL servers

  2. For each server instance

  3. Click on Auditing

  4. Select Storage Details

  5. Set the Retention (days) setting to greater than 90 days

  6. Select OK

  7. Select Save

Using Azure PowerShell

For each Server, set the retention policy to 90 days or more

Set-AzureRmSqlServerAuditing -ResourceGroupName <resource group name> -ServerName <server name> -RetentionInDays <number of days to retain the audit logs, 90 days minimum>

Backout Plan:

  1. Go to SQL servers

  2. For each server instance

  3. Click on Auditing

  4. Ensure that SQL Server audit storage is disabled

Using Azure PowerShell

For each Server, set the retention policy to 90 days or more

Set-AzureRmSqlServerAuditing -ResourceGroupName <resource group name> -ServerName <server name> -Re

References:

  1. Azure SQL Auditing for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database

  2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0

  3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0

  4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention