Remediation
From Azure Portal
- Go to SQL servers.
- Select the SQL server instance.
- Under Security, click Auditing.
- Click the toggle next to Enable Azure SQL Auditing.
- Select an Audit log destination.
- Click Save.
From PowerShell
Get the list of all SQL Servers:
Get-AzSqlServer
For each server, enable auditing and set the retention to at least 90 days.
Log Analytics Example
Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -RetentionInDays <Number of days to retain the audit logs, should be 90 days minimum> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name>"
Event Hub Example
Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -EventHubTargetState Enabled -EventHubName "<Event Hub name>" -EventHubAuthorizationRuleResourceId "<Event Hub Authorization Rule Resource ID>"
Blob Storage Example
Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/<subscription_ID>/resourceGroups/<Resource_Group>/providers/Microsoft.Storage/storageAccounts/<Storage Account name>"
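The "for each server" step above, as an added example that is not part of the original page: it reports the auditing state of every SQL server in the current subscription and, only when -Remediate is passed, enables Blob Storage auditing with 90-day retention on servers that have no audit destination. The script parameters, the Test-AuditEnabled helper and the report columns are hypothetical names; it assumes the Az.Sql module is installed and Connect-AzAccount has already been run.

```powershell
#Requires -Modules Az.Sql
param(
    # Assumption: resource ID of an existing storage account that receives the audit logs.
    [string]$StorageAccountResourceId,
    [int]$RetentionInDays = 90,
    # Without this switch the script only reports and changes nothing.
    [switch]$Remediate
)

if ($Remediate -and -not $StorageAccountResourceId) {
    throw 'Pass -StorageAccountResourceId when using -Remediate.'
}

# Hypothetical helper: auditing counts as enabled when at least one destination is on.
function Test-AuditEnabled {
    param($Audit)
    return ($Audit.BlobStorageTargetState -eq 'Enabled' -or
            $Audit.EventHubTargetState -eq 'Enabled' -or
            $Audit.LogAnalyticsTargetState -eq 'Enabled')
}

$report = foreach ($server in Get-AzSqlServer) {
    $audit = Get-AzSqlServerAudit -ResourceGroupName $server.ResourceGroupName `
                                  -ServerName $server.ServerName
    $enabled = Test-AuditEnabled $audit
    $action = if ($enabled) { 'None' } else { 'Needs remediation' }

    if (-not $enabled -and $Remediate) {
        # Same call as the Blob Storage example, with retention set explicitly.
        Set-AzSqlServerAudit -ResourceGroupName $server.ResourceGroupName `
                             -ServerName $server.ServerName `
                             -BlobStorageTargetState Enabled `
                             -StorageAccountResourceId $StorageAccountResourceId `
                             -RetentionInDays $RetentionInDays | Out-Null
        $action = 'Enabled Blob Storage auditing'
    }

    [pscustomobject]@{
        ResourceGroup   = $server.ResourceGroupName
        Server          = $server.ServerName
        AuditingEnabled = $enabled
        RetentionInDays = $audit.RetentionInDays
        Action          = $action
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Remediate to review the report before making changes.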