last sync: 2024-May-24 18:03:04 UTC

SQL Auditing settings should have Action-Groups configured to capture critical activities

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: SQL Auditing settings should have Action-Groups configured to capture critical activities
Id: 7ff426e2-515f-405a-91c8-4f2333442eb5
Version: 1.0.0
Category: SQL
Description: The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default
  AuditIfNotExists, Disabled
RBAC role(s): none
Rule aliases: THEN-ExistenceCondition (1)

| Alias | Namespace | ResourceType | DefaultPath | Modifiable |
| --- | --- | --- | --- | --- |
| Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*] | Microsoft.Sql | servers/auditingSettings | properties.auditActionsAndGroups[*] | true |

Rule resource types IF (1)

The following 3 compliance controls are associated with this Policy definition 'SQL Auditing settings should have Action-Groups configured to capture critical activities' (7ff426e2-515f-405a-91c8-4f2333442eb5)

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Azure_Security_Benchmark_v1.0 | 2.3 | Azure_Security_Benchmark_v1.0_2.3 | Azure Security Benchmark 2.3 | Logging and Monitoring | Enable audit logging for Azure resources | Customer | Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. How to collect platform logs and metrics with Azure Monitor: Understand logging and different log types in Azure: | n/a | link | 15 |
| CIS_Azure_1.1.0 | 4.2 | CIS_Azure_1.1.0_4.2 | CIS Microsoft Azure Foundations Benchmark recommendation 4.2 | 4 Database Services | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | Shared | The customer is responsible for implementing this recommendation. | Configure the 'AuditActionGroups' property to appropriate groups to capture all the critical activities on the SQL Server and all the SQL databases hosted on the SQL server. | link | 5 |
| RMiT_v1.0 | 11.18 | RMiT_v1.0_11.18 | RMiT 11.18 | Security Operations Centre (SOC) | Security Operations Centre (SOC) - 11.18 | Shared | n/a | The SOC must be able to perform the following functions: (a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM); (b) incident coordination and response; (c) vulnerability management; (d) threat hunting; (e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and (f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers. | link | 14 |

Initiatives usage

| Initiative DisplayName | Initiative Id | Initiative Category | State | Type |
| --- | --- | --- | --- | --- |
| [Deprecated]: Azure Security Benchmark v1 | 42a694ed-f65e-42b2-aa9e-8052e9740a92 | Regulatory Compliance | Deprecated | BuiltIn |
| CIS Microsoft Azure Foundations Benchmark v1.1.0 | 1a5bb27d-173f-493e-9568-eb56638dde4d | Regulatory Compliance | GA | BuiltIn |
| RMIT Malaysia | 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 | Regulatory Compliance | GA | BuiltIn |

History none
JSON compare n/a