AzPolicyAdvertizer

last sync: 2025-Jul-01 17:24:08 UTC

SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

Azure BuiltIn Policy definition

Source Azure Portal
Display name SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
Id 89099bee-89e0-4b26-a5f4-165451757743
Version 3.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
3.0.0
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '3.*.*'
Assessment(s) Assessments count: 1
Assessment Id: 620671b8-6661-273a-38ac-4574967750ec
DisplayName: Audit retention for SQL servers should be set to at least 90 days
Description: SQL servers should be configured with an audit log retention period of at least 90 days.
This is to ensure that audit logs are available for a sufficient period of time for review and analysis in case of any security incidents.
If the retention period is less than 90 days, there may not be enough data available for a thorough investigation, potentially hindering the identification and resolution of security issues.
Therefore, we recommend setting the audit retention for SQL servers to a minimum of 90 days.

Remediation description: To configure auditing retention on your Azure SQL server or Azure Synapse server:
1.From the Azure portal, select the Azure SQL Server or Azure Synapse resource. 2.From the menu, select Auditing. 3.Select Storage details. 4.To set a new retention period of 90 days or higher, manually enter a value or move the slider for Retention (Days). 5.Select OK.
Categories: Data
Severity: Low
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (3)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/servers/auditingSettings/isAzureMonitorTargetEnabled Microsoft.Sql servers/auditingSettings properties.isAzureMonitorTargetEnabled True False
Microsoft.Sql/servers/auditingSettings/retentionDays Microsoft.Sql servers/auditingSettings properties.retentionDays True True
Microsoft.Sql/servers/auditingSettings/storageEndpoint Microsoft.Sql servers/auditingSettings properties.storageEndpoint True False
Rule resource types IF (1)
Compliance
The following 32 compliance controls are associated with this Policy definition 'SQL servers with auditing to storage account destination should be configured with 90 days retention or higher' (89099bee-89e0-4b26-a5f4-165451757743)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 2.5 Azure_Security_Benchmark_v1.0_2.5 Azure Security Benchmark 2.5 Logging and Monitoring Configure security log storage retention Customer Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage. How to set log retention parameters for Log Analytics Workspaces: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period n/a link 1
Azure_Security_Benchmark_v3.0 LT-6 Azure_Security_Benchmark_v3.0_LT-6 Microsoft cloud security benchmark LT-6 Logging and Threat Detection Configure log storage retention Shared **Security Principle:** Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately. **Azure Guidance:** Logs such as Azure Activity Logs events are retained for 90 days then deleted. You should create a diagnostic setting and route the log entries to another location (such as Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your needs. This strategy also applies to the other resource logs and resources managed by yourself such as logs in the operating systems and applications inside the VMs. You have the log retention option as below: - Use Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your response team requirements. - Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage for greater than 1 year and to meet your security compliance requirements. - Use Azure Event Hubs to forward logs to outside of Azure. Note: Azure Sentinel uses Log Analytics workspace as its backend for log storage. You should consider a long-term storage strategy if you plan to retain SIEM logs for longer time. **Implementation and additional context:** Change the data retention period in Log Analytics: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period How to configure retention policy for Azure Storage account logs: https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export n/a link 1
CIS_Azure_1.1.0 4.3 CIS_Azure_1.1.0_4.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.3 4 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. SQL Server Audit Retention should be configured to be greater than 90 days. link 5
CIS_Azure_1.3.0 4.1.3 CIS_Azure_1.3.0_4.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 4 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. SQL Server Audit Retention should be configured to be greater than 90 days. link 5
CIS_Azure_1.4.0 4.1.3 CIS_Azure_1.4.0_4.1.3 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3 4 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared The customer is responsible for implementing this recommendation. SQL Server Audit Retention should be configured to be greater than 90 days. link 5
CIS_Azure_2.0.0 4.1.6 CIS_Azure_2.0.0_4.1.6 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.6 4.1 Ensure that 'Auditing' Retention is 'greater than 90 days' Shared n/a SQL Server Audit Retention should be configured to be greater than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access. link 5
CIS_Azure_Foundations_v2.1.0 4.1.6 CIS_Azure_Foundations_v2.1.0_4.1.6 CIS Azure Foundations v2.1.0 4.1.6 Database Services Ensure that 'Auditing' Retention is 'greater than 90 days' Shared n/a SQL Server Audit Retention should be configured to be greater than 90 days. 1
CIS_Azure_Foundations_v3.0.0 5.1.6 CIS_Azure_Foundations_v3.0.0_5.1.6 CIS Azure Foundations v3.0.0 5.1.6 5.1 Ensure that 'Auditing' Retention is 'greater than 90 days' Shared n/a Verify that SQL Server Audit Retention is set to greater than 90 days. This control is essential for ensuring that audit logs are retained long enough to support compliance, security investigations, and forensic analysis. 1
CIS_Controls_v8.1 4.1 CIS_Controls_v8.1_4.1 CIS Controls v8.1 4.1 Secure Configuration of Enterprise Assets and Software Establish and maintain a secure configuration process. Shared 1. Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). 2. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure data integrity and safety of enterprise assets. 44
CIS_Controls_v8.1 8.3 CIS_Controls_v8.1_8.3 CIS Controls v8.1 8.3 Audit Log Management Ensure adequate audit log storage Shared Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. To ensure all important and required logs can be stored for retrieval as and when required. 21
CMMC_2.0_L2 AU.L2-3.3.1 CMMC_2.0_L2_AU.L2-3.3.1 404 not found n/a n/a 32
CMMC_2.0_L2 AU.L2-3.3.2 CMMC_2.0_L2_AU.L2-3.3.2 404 not found n/a n/a 32
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FedRAMP_High_R4 AU-11 FedRAMP_High_R4_AU-11 FedRAMP High AU-11 Audit And Accountability Audit Record Retention Shared n/a The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. References: None. link 4
FedRAMP_Moderate_R4 AU-11 FedRAMP_Moderate_R4_AU-11 FedRAMP Moderate AU-11 Audit And Accountability Audit Record Retention Shared n/a The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. References: None. link 4
K_ISMS_P_2018 2.10.1 K_ISMS_P_2018_2.10.1 K ISMS P 2018 2.10.1 2.10 Establish Procedures for Managing the Security of System Operations Shared n/a Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. 455
K_ISMS_P_2018 2.10.2 K_ISMS_P_2018_2.10.2 K ISMS P 2018 2.10.2 2.10 Establish Protective Measures for Administrator Privileges and Security Configurations Shared n/a Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. 431
K_ISMS_P_2018 2.9.4 K_ISMS_P_2018_2.9.4 K ISMS P 2018 2.9.4 2.9 Maintain Logs and Establish Log Management Procedures Shared n/a Maintain log records for servers, applications, security systems, and networks. Define log types, access permissions, retention periods, and storage methods to ensure secure retention and prevent forgery, alteration, theft, and loss. 61
K_ISMS_P_2018 3.4.3 K_ISMS_P_2018_3.4.3 K ISMS P 2018 3.4.3 3.4 Implement Measure to Protect the Personal Information of Dormant Users Shared n/a Implement measures to protect the personal information of dormant users including notification of relevant matters, or disposal of storage of personal information. 31
New_Zealand_ISM 23.5.11.C.01 New_Zealand_ISM_23.5.11.C.01 New_Zealand_ISM_23.5.11.C.01 23. Public Cloud Security 23.5.11.C.01 Logging requirements n/a Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements. 19
NIST_SP_800-171_R2_3 .3.1 NIST_SP_800-171_R2_3.3.1 NIST SP 800-171 R2 3.3.1 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management. link 48
NIST_SP_800-171_R2_3 .3.2 NIST_SP_800-171_R2_3.3.2 NIST SP 800-171 R2 3.3.2 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 34
NIST_SP_800-53_R4 AU-11 NIST_SP_800-53_R4_AU-11 NIST SP 800-53 Rev. 4 AU-11 Audit And Accountability Audit Record Retention Shared n/a The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. References: None. link 4
NIST_SP_800-53_R5 AU-11 NIST_SP_800-53_R5_AU-11 NIST SP 800-53 Rev. 5 AU-11 Audit and Accountability Audit Record Retention Shared n/a Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. link 4
NZ_ISM_v3.5 AC-18 NZ_ISM_v3.5_AC-18 NZISM Security Benchmark AC-18 Access Control and Passwords 16.6.9 Events to be logged Customer n/a The events to be logged are key elements in the monitoring of the security posture of systems and contributing to reviews, audits, investigations and incident management. link 17
op.exp.7 Incident management op.exp.7 Incident management 404 not found n/a n/a 103
RBI_ITF_NBFC_v2017 3.1.g RBI_ITF_NBFC_v2017_3.1.g RBI IT Framework 3.1.g Information and Cyber Security Trails-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail. link 33
SWIFT_CSCF_v2021 6.3 SWIFT_CSCF_v2021_6.3 SWIFT CSCF v2021 6.3 Detect Anomalous Activity to Systems or Transaction Records Database Integrity n/a Ensure the integrity of the database records for the SWIFT messaging interface and act upon results link 12
U.10.3 - Users U.10.3 - Users 404 not found n/a n/a 33
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn true
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview BuiltIn unknown
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
CIS Azure Foundations v2.1.0 fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v3.0.0 470a962c-86a0-433b-803a-3c176b5ce79c Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
K ISMS P 2018 e0782c37-30da-4a78-9f92-50bfe7aa2553 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-03-24 14:32:48 change Major (2.1.0 > 3.0.0)
2021-03-09 14:37:41 change Minor (2.0.1 > 2.1.0)
2021-02-10 14:43:58 change Patch (2.0.0 > 2.0.1)
2020-12-11 15:42:52 change Major (1.0.0 > 2.0.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC