Azure SQL Managed Instance must store audit records in an immutable blob storage container for an organizationally defined period of time.

Severity: medium
Group ID: V-276265
Group Title: SRG-APP-000515-DB-000318
Version: MSQL-00-015900
Rule ID: SV-276265r1149704_rule
Date: 2025-10-07
STIG Version: 1
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. When configured and enabled, Azure SQL Managed Instance only supports writing audit records to a container within an Azure Blob Storage Account. To mitigate the risk associated with maintaining a single copy of this audit data, the blob container used to store the audit data generated by this Azure SQL Managed Instance must be protected by an immutable policy. This policy must be configured to lock blobs for an organizationally defined period of time.
Check
Execute the following TSQL script to return a listing of SQL Audits defined on this Azure SQL Managed Instance:

SELECT name, log_file_path AS storage_container FROM sys.server_file_audits

If no audit is defined, this finding is Not Applicable.

Note: The "storage_container" value includes both the Azure Storage Account name and the blob container. This value uses the format https://<Azure Storage Account Name>.blob.core.usgovcloudapi.net//

Review the system documentation to determine the period of time required for retaining audit data generated by this Azure SQL Managed Instance. If the period of time is not documented, authorized, and approved, this is a finding.

Using the query results from above, review the immutable blob policy for each audit's container.

1. Log in to the Azure Portal.
2. In the search box at the top, type "Storage Accounts" and select the search result.
3. Locate and click the name of the Azure Storage Account utilized by the Azure SQL Managed Instance.
4. In the left column, select "Containers".
5. Select the appropriate container from the list provided.
6. In the left column, select "Access policy" under "Immutable blob storage".
7. Click the ellipsis on the right for the "Time-based retention" policy.
8. Note the "Update retention period to" value.

If the container does not have a "Time-based retention policy" defined, this is a finding.

If the "Time-based retention policy" for the container is not configured for the documented number of days, this is a finding.
Fix
Use the following script to query the Azure Storage Account(s) for any SQL Audits configured:

SELECT name, log_file_path AS storage_container FROM sys.server_file_audits

Note: The "storage_container" value includes both the Azure Storage Account name and the blob container. This value uses the format https://<Azure Storage Account Name>.blob.core.usgovcloudapi.net//

For each of the Azure Storage Accounts discovered above, enable an immutable blob storage policy for the blob container to which audit data is written.

1. Log in to the Azure Portal.
2. In the search box at the top, type "Storage Accounts" and select the search result.
3. Locate and click the name of the Azure Storage Account utilized by the Azure SQL Managed Instance.
4. In the left column, select "Containers".
5. Select the appropriate container from the list provided.
6. In the left column, select "Access policy" under "Immutable blob storage".
7. Click "Add Policy".
8. In the right blade, select the Policy Type "Time-based retention".
9. Enter the documented retention period under "Set retention period for".
10. Click "Save".
11. Click the ellipsis to the right of the newly created policy.
12. Select "Lock Policy".
13. Type "yes" to complete locking the policy.