V-276267

CAT II (Medium)

Azure SQL Managed Instance must implement the capability to centrally review and analyze audit records from multiple components within the system using a service such as Azure Log Analytics.

Rule ID

SV-276267r1150098_rule

STIG

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-003821

Discussion

Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.

Check Content

Review the system documentation to determine whether a centralized repository of audit data is required by the data owner or organization. If this is not required, this finding is Not Applicable.

Run the following query to return a listing of active Server Audits not used for auditing Microsoft Support activities:

SELECT audit_guid, name, type_desc, is_operator_audit, is_state_enabled
FROM sys.server_audits A
WHERE type_desc = 'EXTERNAL MONITOR' 
AND is_operator_audit = 0 
AND is_state_enabled = 1

If no audits are returned, this is a finding.

Determine whether the Azure SQL Managed Instance is configured to forward SQL Security Audit Events to a centralized repository such as Log Analytics.

1. Connect to the Azure portal and navigate to the Azure SQL Managed Instance resource.
2. In the left navigation pane, expand "Monitoring".
3. Click "Diagnostic settings".

If no diagnostic settings are defined, this is a finding.

Locate the diagnostic setting for SQL Security Audit Events by repeating the following steps for each setting defined:

1. Click "Edit settings" on the right.
2. Under "Logs", verify the "SQL Security Audit Event" category is selected.
3. Under "Destination details", verify "Send to Log Analytics workspace" is selected and a workspace is chosen.

If no diagnostic setting meets both of these requirements, this is a finding.
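The portal steps above can be scripted against the JSON that the Azure CLI returns for the managed instance's diagnostic settings. The following is an added example (not DISA or Microsoft code) that applies the same two tests: the "SQL Security Audit Event" category (ARM name SQLSecurityAuditEvents) must be enabled, and the setting must have a Log Analytics workspaceId. The sample settings, resource names and the script filename are constructed for illustration; category groups other than allLogs are deliberately not evaluated and still need a manual check.

```python
"""Added example (not DISA or Microsoft code): evaluate the diagnostic-settings
part of V-276267 against the JSON from `az monitor diagnostic-settings list`."""
import json
import sys

# ARM/CLI name of the "SQL Security Audit Event" category shown in the portal.
AUDIT_CATEGORY = "SQLSecurityAuditEvents"


def _settings_list(doc):
    """Accept both the bare list newer az versions return and the older
    {"value": [...]} wrapper."""
    if isinstance(doc, dict):
        return doc.get("value") or []
    return list(doc or [])


def _category_enabled(setting, category):
    """True if the setting enables `category` directly or via the allLogs
    category group (which by definition includes every category). Other
    category groups are not evaluated here and should be checked manually."""
    for log in setting.get("logs") or []:
        if not log.get("enabled"):
            continue
        if log.get("category") == category:
            return True
        if log.get("categoryGroup") == "allLogs":
            return True
    return False


def evaluate_diagnostic_settings(doc):
    """Return {"finding": bool, "reason": str, "compliant": [setting names]}.
    A setting is compliant when it enables SQLSecurityAuditEvents AND has a
    workspaceId (the API field behind "Send to Log Analytics workspace")."""
    settings = _settings_list(doc)
    if not settings:
        return {"finding": True,
                "reason": "no diagnostic settings defined",
                "compliant": []}
    compliant = [s.get("name") for s in settings
                 if _category_enabled(s, AUDIT_CATEGORY) and s.get("workspaceId")]
    if compliant:
        return {"finding": False,
                "reason": "SQLSecurityAuditEvents is sent to a Log Analytics workspace",
                "compliant": compliant}
    return {"finding": True,
            "reason": "no setting sends SQLSecurityAuditEvents to a Log Analytics workspace",
            "compliant": []}


# Constructed sample in the shape of `az monitor diagnostic-settings list`,
# trimmed to the fields this check uses. All names and IDs are made up.
_WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sql"
       "/providers/Microsoft.OperationalInsights/workspaces/law-prod")
_SA = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sql"
       "/providers/Microsoft.Storage/storageAccounts/auditarchive")
SAMPLE_SETTINGS = [
    {   # audit category enabled, but only archived to storage: not sufficient
        "name": "archive-to-storage",
        "workspaceId": None,
        "storageAccountId": _SA,
        "logs": [{"category": "SQLSecurityAuditEvents", "enabled": True}],
    },
    {   # workspace set, but the audit category is disabled: not sufficient
        "name": "usage-only",
        "workspaceId": _WS,
        "logs": [{"category": "ResourceUsageStats", "enabled": True},
                 {"category": "SQLSecurityAuditEvents", "enabled": False}],
    },
    {   # audit category enabled AND sent to a workspace: satisfies the check
        "name": "audit-to-law",
        "workspaceId": _WS,
        "logs": [{"category": "SQLSecurityAuditEvents", "enabled": True}],
    },
]


if __name__ == "__main__":
    # Pipe real output in (script name is hypothetical):
    #   az monitor diagnostic-settings list \
    #     --resource "$(az sql mi show -g RG -n MI --query id -o tsv)" -o json \
    #     | python3 check_mi_audit_diag.py
    # Falls back to the constructed sample when run interactively.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SETTINGS
    result = evaluate_diagnostic_settings(doc)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["finding"] else 0)
```

Run against the sample, only "audit-to-law" passes: the first setting has the right category but no workspace, the second has a workspace but the category disabled, which mirrors the "both requirements" wording of the check. A non-zero exit code on a finding makes the script usable in a scheduled compliance job.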

Fix Text

Configure Azure SQL Managed Instance to implement the capability to centrally review and analyze audit records from multiple components within the system.

One option is to forward the audit records to Azure Monitor Logs and use Log Analytics to query them: create and enable a server audit whose target is EXTERNAL MONITOR (the audit type the check query above looks for), then add a diagnostic setting on the managed instance that sends the "SQL Security Audit Event" log category to a Log Analytics workspace.

Reference: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?#set-up-auditing-for-your-server-to-event-hubs-or-azure-monitor-logs
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview?tabs=simple