SQL Server auditing retention should be 90 days or greater

Description

Audit logs can be used to detect anomalies and to investigate suspected breaches or misuse of information and access. A retention period of 90 days or greater keeps that history available when an investigation needs it.

Azure Portal

  • Navigate to SQL Servers.

  • Select the SQL server.

  • In the left navigation in the Security section, select Auditing.

  • Select Storage Details and set Retention (days) to 90 days or greater.

  • Click OK > Save.

PowerShell

  • To enable retention for a SQL Server:

Set-AzureRmSqlServerAuditing -ResourceGroupName <resource group name> -ServerName <server name> -RetentionInDays <number of days to retain the audit logs, 90 minimum>

Azure Resource Manager

{
  "properties": {
    "retentionDays": 90
  }
}

Example Configuration

{
  "type": "Microsoft.Sql/servers/auditingSettings",
  "apiVersion": "2021-05-01-preview",
  "properties": {
    "retentionDays": 90
  }
  // other required fields here
}
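
To check this setting before deployment, the following added example (not part of the original rule or of any Azure tooling) walks an ARM template and reports every `Microsoft.Sql/servers/auditingSettings` resource whose `retentionDays` is below 90. The sample template and function names are constructed for illustration; treating `0` as unlimited retention is an assumption that can be switched off, and missing or non-literal values (such as parameter expressions) are reported for manual review.

```python
import json

MIN_RETENTION_DAYS = 90
AUDIT_TYPE = "Microsoft.Sql/servers/auditingSettings"

# Constructed sample template (not from the page): two top-level audit
# settings resources and one nested under its parent server.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Sql/servers/auditingSettings", "name": "sql-a/default",
     "apiVersion": "2021-05-01-preview",
     "properties": {"state": "Enabled", "retentionDays": 30}},
    {"type": "Microsoft.Sql/servers/auditingSettings", "name": "sql-b/default",
     "apiVersion": "2021-05-01-preview",
     "properties": {"state": "Enabled", "retentionDays": 120}},
    {"type": "Microsoft.Sql/servers", "name": "sql-c",
     "apiVersion": "2021-05-01-preview",
     "resources": [
       {"type": "auditingSettings", "name": "default",
        "apiVersion": "2021-05-01-preview",
        "properties": {"state": "Enabled"}}]}
  ]
}
""")

def iter_audit_settings(resources, parent_type=""):
    """Yield (name, properties) for each auditingSettings resource, nested ones included."""
    for res in resources:
        rtype = res.get("type", "")
        # Nested child resources carry only the last type segment.
        full = f"{parent_type}/{rtype}" if parent_type and "/" not in rtype else rtype
        if full.lower() == AUDIT_TYPE.lower():
            yield res.get("name", "<unnamed>"), res.get("properties", {})
        yield from iter_audit_settings(res.get("resources", []), full)

def find_short_retention(template, minimum=MIN_RETENTION_DAYS, zero_is_unlimited=True):
    """Return [(name, retentionDays)] for settings that do not meet the minimum."""
    findings = []
    for name, props in iter_audit_settings(template.get("resources", [])):
        days = props.get("retentionDays")
        if days == 0 and zero_is_unlimited:  # assumption: 0 means keep indefinitely
            continue
        # Missing or non-integer values cannot be verified, so report them too.
        if not isinstance(days, int) or days < minimum:
            findings.append((name, days))
    return findings

if __name__ == "__main__":
    for name, days in find_short_retention(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: retentionDays={days!r} (minimum {MIN_RETENTION_DAYS})")
```
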

Terraform

Example Configuration

resource "azurerm_sql_server" "example" {
  extended_auditing_policy {
    retention_in_days = 90
  }
  # other required fields here
}