Ensure that the "AuditActionGroup" property is properly configured within the auditing policy implemented at the Microsoft Azure SQL server level, in order to capture all critical activity triggered on your SQL database servers and on all the SQL databases hosted on those servers. Before the Cloud Conformity engine runs this rule, SQL database auditing must be enabled for all Microsoft Azure SQL servers.
To capture critical actions performed on your Azure SQL databases, auditing should be configured to enable the "AuditActionGroup" property with the appropriate configuration. To ensure comprehensive audit logging for your SQL servers and the SQL databases hosted on these servers, the "AuditActionGroup" property should contain the following action groups: SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, which indicates that a principal logged in successfully to a contained database; FAILED_DATABASE_AUTHENTICATION_GROUP, which indicates that a principal tried to log on to a contained database and failed (events in this class are triggered by new connections or by connections that are reused from a connection pool); and BATCH_COMPLETED_GROUP, which indicates that the Transact-SQL batch has been completed.
To determine if "AuditActionGroup" is enabled and properly configured at the Azure SQL database server level, perform the following actions:
Note: Getting "AuditActionGroup" property configuration status using Microsoft Azure Management Console (Azure Portal) is not currently supported.
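The check this rule describes, as an added example that is not Cloud Conformity's own code. It assumes each server's auditing policy has been exported as JSON with `state` and `auditActionsAndGroups` fields (the shape of the Azure server auditing policy resource, for example as returned by `az sql server audit-policy show`); the server names and sample policies are constructed.

```python
import json

# Action groups the page requires in "AuditActionGroup".
REQUIRED_GROUPS = frozenset({
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
})

def evaluate_policy(policy):
    """Return (compliant, missing_groups, reason) for one server auditing policy.

    Assumed shape: {"state": "Enabled"|"Disabled", "auditActionsAndGroups": [...]}.
    """
    if str(policy.get("state", "")).lower() != "enabled":
        # The rule presupposes auditing is on; a disabled policy captures nothing.
        return False, sorted(REQUIRED_GROUPS), "auditing disabled"
    raw = policy.get("auditActionsAndGroups") or []
    configured = {str(g).strip().upper() for g in raw}
    missing = sorted(REQUIRED_GROUPS - configured)
    if missing:
        return False, missing, "required action groups missing"
    return True, [], "ok"

def audit_servers(policies_by_server):
    """Map server name -> finding for every non-compliant server."""
    findings = {}
    for server, policy in sorted(policies_by_server.items()):
        compliant, missing, reason = evaluate_policy(policy)
        if not compliant:
            findings[server] = {"reason": reason, "missing": missing}
    return findings

# Constructed sample policies (hypothetical server names), not real tenant data.
SAMPLE_POLICIES = json.loads("""
{
  "sql-prod-01": {"state": "Enabled", "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"]},
  "sql-dev-02": {"state": "Enabled", "auditActionsAndGroups": [
      "FAILED_DATABASE_AUTHENTICATION_GROUP"]},
  "sql-test-03": {"state": "Disabled", "auditActionsAndGroups": []}
}
""")

if __name__ == "__main__":
    for name, f in audit_servers(SAMPLE_POLICIES).items():
        print(f"{name}: {f['reason']}; missing {', '.join(f['missing'])}")
```

Extra action groups beyond the three required ones do not affect the result; only missing ones produce a finding.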
Remediation / Resolution
To enable the "AuditActionGroup" property with the required configuration for your Microsoft Azure SQL database servers, perform the following actions:
Note: Configuring action groups for the "AuditActionGroup" property using Microsoft Azure Management Console (Azure Portal) is not currently supported.
You are auditing:
Configure "AuditActionGroup" for SQL Server Auditing
Risk level: Medium