Information
SQL Server Audit Retention should be configured to be greater than 90 days.
Rationale:
Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.
Solution
Remediate from Azure Portal
Go to SQL servers.
For each SQL server, under Security, click Auditing.
If Storage is checked, expand Advanced properties.
Set Retention (days) to a value greater than 90, or 0 for unlimited retention.
Click Save.
Remediate from PowerShell
For each Server, set retention policy to more than 90 days
Log Analytics Example
Set-AzSqlServerAudit -ResourceGroupName <resource group name> -ServerName <SQL Server name> -RetentionInDays <Number of Days to retain the audit logs, should be more than 90 days> -LogAnalyticsTargetState Enabled -WorkspaceResourceId '/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name>
Event Hub Example
Set-AzSqlServerAudit -ResourceGroupName '<resource group name>' -ServerName '<SQL Server name>' -EventHubTargetState Enabled -EventHubName
'<Event Hub name>' -EventHubAuthorizationRuleResourceId '<Event Hub Authorization Rule Resource ID>'
Blob Storage Example
Set-AzSqlServerAudit -ResourceGroupName '<resource group name>' -ServerName '<SQL Server name>' -BlobStorageTargetState Enabled
-StorageAccountResourceId '/subscriptions/<subscription_ID>/resourceGroups/<Resource_Group>/providers/Microsoft.Stora
ge/storageAccounts/<Storage Account name>'
Default Value:
By default, SQL Server audit storage is disabled.