More Info:

Auditing retention period should be greater than defined days. Default 90 days.

Risk Level

Low

Address

Security

Compliance Standards

ISO27001, CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the short auditing retention period for SQL servers in Azure, follow these steps:
  1. Log in to the Azure Portal and go to the SQL Server that you want to remediate.
  2. Click on the “Auditing” option in the left-hand menu.
  3. In the “Auditing” section, click on “Diagnostic settings”.
  4. Click on the “Add diagnostic setting” button.
  5. In the “Add diagnostic setting” window, give a name for the new diagnostic setting.
  6. Under “Destination details”, select “Log Analytics” or “Event Hub” as the destination.
  7. If you choose “Log Analytics”, select the Log Analytics workspace that you want to use.
  8. Under “Categories”, select the “SQLSecurityAuditEvents” category.
  9. Under “Retention (days)”, set the retention period to the desired number of days.
  10. Click on the “Save” button to save the diagnostic setting.
Once the diagnostic setting is saved, the SQL server will start sending the audit logs to the destination you selected. The audit logs will be retained for the number of days you specified in the retention period.

To remediate the short auditing retention period for SQL servers in AZURE using AZURE CLI, follow these steps:
  1. Open the AZURE CLI and log in to your AZURE account.
  2. Use the following command to check the current retention period for auditing logs in your SQL server: 
    az sql server audit-policy show --resource-group <resource-group-name> --server <sql-server-name> --name "Default"
    Replace <resource-group-name> with the name of the resource group in which your SQL server is located, and <sql-server-name> with the name of your SQL server.
  3. If the retention period is less than the required period, use the following command to update the audit policy: 
    az sql server audit-policy update --resource-group <resource-group-name> --server <sql-server-name> --name "Default" --state Enabled --retention-days <retention-days>
    Replace <resource-group-name> with the name of the resource group in which your SQL server is located, <sql-server-name> with the name of your SQL server, and <retention-days> with the required retention period in days.
  4. After executing the command, verify the updated retention period using the command in step 2.
By following these steps, you can remediate the short auditing retention period for SQL servers in AZURE using AZURE CLI.
To remediate the short auditing retention period for SQL Servers in Azure using Python, you can follow the below steps:
  1. Import the necessary libraries:
import os
from azure.identity import DefaultAzureCredential
from azure.mgmt.sql import SqlManagementClient
  1. Set the credentials and subscription ID:
credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
  1. Create an instance of the SqlManagementClient:
sql_client = SqlManagementClient(credential, subscription_id)
  1. Get the list of SQL servers in the subscription:
servers = sql_client.servers.list()
  1. For each server, check the auditing retention period and update it if it is less than the desired value:
for server in servers:
    audit_policy = sql_client.server_audit_policies.get(server.resource_group, server.name, "default")
    if audit_policy.retention_days < 90:
        audit_policy.retention_days = 90
        sql_client.server_audit_policies.create_or_update(server.resource_group, server.name, "default", audit_policy)
In the above code, we are checking the retention period for the default audit policy of each SQL server. If the retention period is less than 90 days, we are updating it to 90 days.Note: This code assumes that you have the necessary permissions to access and modify the audit policies of the SQL servers in your Azure subscription.