Remediation

From Azure Portal

Go to SQL servers.
Select the SQL server instance.
Under Security, click Auditing.
Click the toggle next to Enable Azure SQL Auditing.
Select an Audit log destination.
Click Save.

From PowerShell

Get the list of all SQL Servers:

Get-AzSqlServer

For each Server, enable auditing and set the retention for at least 90 days.

Log Analytics Example

Set-AzSqlServerAudit -ResourceGroupName <resource group name> -ServerName <SQL Server name> -RetentionInDays <Number of Days to retain the audit logs, should be 90days minimum> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name>

Event Hub Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -EventHubTargetState Enabled -EventHubName "<Event Hub name>" -EventHubAuthorizationRuleResourceId "<Event Hub Authorization Rule Resource ID>"

Blob Storage Example

Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/<subscription_ID>/resourceGroups/<Resource_Group>/providers/Microsoft.Stora ge/storageAccounts/<Storage Account name>"

From Azure Portal​

From PowerShell​

Log Analytics Example​

Event Hub Example​

Blob Storage Example​

From Azure Portal

From PowerShell

Log Analytics Example

Event Hub Example

Blob Storage Example