Remediation
From Azure Portalโ
- Go to
SQL servers. - Select the SQL server instance.
- Under
Security, clickAuditing. - Click the toggle next to
Enable Azure SQL Auditing. - Select an Audit log destination.
- Click
Save.
From PowerShellโ
Get the list of all SQL Servers:
Get-AzSqlServer
For each Server, enable auditing and set the retention for at least 90 days.
Log Analytics Exampleโ
Set-AzSqlServerAudit `
-ResourceGroupName {{resource-group-name}} `
-ServerName {{sql-server-name}} `
-RetentionInDays {{retention-days-min-90}} `
-LogAnalyticsTargetState Enabled `
-WorkspaceResourceId "/subscriptions/{{subscription-id}}/resourceGroups/{{resource-group-name}}/providers/Microsoft.OperationalInsights/workspaces/{{workspace-name}}"
Event Hub Exampleโ
Set-AzSqlServerAudit `
-ResourceGroupName "{{resource-group-name}}" `
-ServerName "{{sql-server-name}}" `
-EventHubTargetState Enabled `
-EventHubName "{{event-hub-name}}" `
-EventHubAuthorizationRuleResourceId "{{event-hub-authorization-rule-resource-id}}"
Blob Storage Exampleโ
Set-AzSqlServerAudit `
-ResourceGroupName "{{resource-group-name}}" `
-ServerName "{{sql-server-name}}" `
-BlobStorageTargetState Enabled `
-StorageAccountResourceId "/subscriptions/{{subscription-id}}/resourceGroups/{{resource-group-name}}/providers/Microsoft.Storage/storageAccounts/{{storage-account-name}}"