Ensure that the "AuditActionGroup" property is properly configured within the auditing policy implemented at the Microsoft Azure SQL server level, in order to capture all critical activity triggered on your SQL database servers and on all the SQL databases hosted on those servers. Prior to running this rule by the Cloud Conformity engine, SQL database auditing needs to be enabled for all Microsoft Azure SQL servers.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
To capture critical actions performed on your Azure SQL databases, auditing should be configured to enable the "AuditActionGroup" property with the appropriate configuration. To ensure comprehensive audit logging for your SQL servers and SQL databases hosted on these servers, the "AuditActionGroup" should contain the following action groups: SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP – which indicates a principal logged in successfully to a contained database, FAILED_DATABASE_AUTHENTICATION_GROUP – indicates that a principal tried to log on to a contained database and failed (events in this class are triggered by new connections or by connections that are reused from a connection pool), and BATCH_COMPLETED_GROUP – which indicates that the Transact-SQL batch has been completed.
Audit
To determine if "AuditActionGroup" is enabled and properly configured at the Azure SQL database server level, perform the following actions:
Note: Getting "AuditActionGroup" property configuration status using Microsoft Azure Management Console (Azure Portal) is not currently supported.Remediation / Resolution
To enable the "AuditActionGroup" property with the required configuration for your Microsoft Azure SQL database servers, perform the following actions:
Note: Configuring action groups for the "AuditActionGroup" property using Microsoft Azure Management Console (Azure Portal) is not currently supported.References
- Azure Official Documentation
- Get started with SQL database auditing
- SQL Server Audit Action Groups and Actions
- SQL:BatchCompleted Event Class
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- SQL
- Get-AzSqlServer
- Get-AzSqlServerAudit
- Set-AzSqlServerAudit
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Configure "AuditActionGroup" for SQL Server Auditing
Risk Level: Medium