SQL Server Audit Retention should be configured greater than 90 days

azure.sql

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

SQL Server Audit Retention should be configured to be greater than 90 days.

Rationale

Use Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.

Remediation

From the console

  1. Go to SQL servers
  2. For each server instance
  3. Click on Auditing
  4. Select Storage Details
  5. Set Retention (days) setting greater than 90 days
  6. Select OK
  7. Select Save

From the command line (Azure PowerShell)

  1. For each server, [set the retention policy][3] to 90 days or more.

```powershell
Set-AzSqlServerAuditing -State Enabled `
    -ServerName "<server name>" `
    -ResourceGroupName "<resource group name>" `
    -StorageAccountName "abcd1234abcd1234abcd1234" `
    -RetentionInDays <Number of Days to retain the audit logs, should be 90 days minimum>
```

Note: You can set the number of days to 0 for unlimited retention.
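
To find servers that still need the remediation above, the following read-only check classifies audit settings by retention. It is an added example, not part of the original rule: the function name `Test-SqlAuditRetention`, the status labels and the sample server names are hypothetical, and it assumes that 90 days or more, or 0 (unlimited), is compliant, following the "90 days minimum" wording of the command.

```powershell
# Added example: classify SQL server audit settings against the retention rule.
# Input objects need ServerName, BlobStorageTargetState and RetentionInDays,
# the property names returned by Get-AzSqlServerAudit.
function Test-SqlAuditRetention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Audit,
        [int] $MinDays = 90   # assumption: 90 itself passes; raise to 91 for strict "greater than 90"
    )
    process {
        $days = $Audit.RetentionInDays
        # Retention only applies to the storage-account target, so check that first.
        $status = if ("$($Audit.BlobStorageTargetState)" -ne 'Enabled') { 'StorageAuditDisabled' }
        elseif ($null -eq $days)    { 'RetentionNotSet' }
        elseif ($days -eq 0)        { 'CompliantUnlimited' }   # 0 means keep forever
        elseif ($days -ge $MinDays) { 'Compliant' }
        else                        { 'RetentionTooShort' }

        [pscustomobject]@{
            ServerName      = $Audit.ServerName
            RetentionInDays = $days
            Status          = $status
            Compliant       = $status -like 'Compliant*'
        }
    }
}

# Constructed sample data (not real servers) so the logic can be run offline.
$sample = @(
    [pscustomobject]@{ ServerName = 'sql-example-01'; BlobStorageTargetState = 'Enabled';  RetentionInDays = 30 }
    [pscustomobject]@{ ServerName = 'sql-example-02'; BlobStorageTargetState = 'Enabled';  RetentionInDays = 0 }
    [pscustomobject]@{ ServerName = 'sql-example-03'; BlobStorageTargetState = 'Enabled';  RetentionInDays = 120 }
    [pscustomobject]@{ ServerName = 'sql-example-04'; BlobStorageTargetState = 'Disabled'; RetentionInDays = $null }
)
$sample | Test-SqlAuditRetention | Format-Table -AutoSize

# Against a live subscription (requires the Az.Sql module and a signed-in session):
# Get-AzSqlServer |
#     ForEach-Object { Get-AzSqlServerAudit -ResourceGroupName $_.ResourceGroupName -ServerName $_.ServerName } |
#     Test-SqlAuditRetention |
#     Where-Object { -not $_.Compliant }
```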

References

  1. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]
  2. [https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]
  3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]

[1]: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing
[2]: https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0
[3]: https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit?view=azps-9.2.0
[4]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention