Azure SQL Managed Instance must implement the capability to centrally review and analyze audit records from multiple components within the system using a service such as Azure Log Analytics.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-276267 | SRG-APP-000745-DB-000120 | MSQL-00-018600 | SV-276267r1150098_rule | 2025-10-07 | 1 |
| Description |
|---|
| Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products. |
| ℹ️ Check |
|---|

Review the system documentation to determine whether a centralized repository of audit data is required by the data owner or organization. If this is not required, this finding is Not Applicable.

Run the following query to return a listing of active Server Audits not used for auditing Microsoft Support activities:

```sql
SELECT audit_guid, name, type_desc, is_operator_audit, is_state_enabled
FROM sys.server_audits A
WHERE type_desc = 'EXTERNAL MONITOR'
  AND is_operator_audit = 0
  AND is_state_enabled = 1
```

If no audits are returned, this is a finding.

Determine whether the Azure SQL Managed Instance is configured to forward SQL Security Audit Events to a centralized repository such as Log Analytics.

1. Connect to the Azure portal and navigate to the Azure SQL Managed Instance resource.
2. In the left navigation pane, expand "Monitoring".
3. Click "Diagnostic settings".

If no diagnostic settings are defined, this is a finding.

Locate the diagnostic setting for SQL Security Audit Events by repeating the following steps for each setting defined:

1. Click "Edit settings" on the right.
2. Under "Logs", verify the "SQL Security Audit Event" category is flagged.
3. Under "Destination details", verify "Send to Log Analytics workspace" is flagged.

If no Diagnostic setting meets both of these requirements, this is a finding.
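As an added example (not part of the STIG text), the script below applies the two diagnostic-setting requirements from the portal walkthrough to the JSON that `az monitor diagnostic-settings list --resource <managed-instance-id>` returns, so the check can be scripted across many instances. The category name `SQLSecurityAuditEvents` is assumed to be the API name behind the portal's "SQL Security Audit Event" checkbox, and the settings list is constructed sample data, not output from a real tenant.

```python
"""Evaluate Azure SQL Managed Instance diagnostic settings against MSQL-00-018600:
at least one setting must enable the SQL Security Audit Event category AND
send it to a Log Analytics workspace. A finding is raised otherwise."""
import json

# Assumed API category name for the portal's "SQL Security Audit Event" checkbox.
AUDIT_CATEGORY = "SQLSecurityAuditEvents"


def setting_forwards_audit_to_law(setting: dict) -> bool:
    """True when this single diagnostic setting satisfies both requirements."""
    category_on = any(
        log.get("category") == AUDIT_CATEGORY and log.get("enabled") is True
        for log in setting.get("logs", [])
    )
    # "Send to Log Analytics workspace" shows up as a non-empty workspaceId;
    # storage-account or Event Hub only destinations do not count.
    has_workspace = bool(setting.get("workspaceId"))
    return category_on and has_workspace


def evaluate(settings: list) -> tuple:
    """Return ('finding' | 'compliant', [names of settings that pass])."""
    if not settings:  # no diagnostic settings defined at all
        return "finding", []
    passing = [s.get("name", "<unnamed>") for s in settings
               if setting_forwards_audit_to_law(s)]
    return ("compliant" if passing else "finding"), passing


# Constructed sample shaped like the CLI output (placeholder resource IDs).
# 1st: audit category on, but only a storage account destination.
# 2nd: audit category on, but only an Event Hub destination.
# 3rd: audit category on and a Log Analytics workspace -> satisfies the check.
SAMPLE_SETTINGS = json.loads("""[
  {"name": "to-storage", "workspaceId": null,
   "storageAccountId": "/subscriptions/<sub-id>/.../storageAccounts/sa1",
   "logs": [{"category": "SQLSecurityAuditEvents", "enabled": true}]},
  {"name": "to-eventhub", "workspaceId": null,
   "eventHubAuthorizationRuleId": "/subscriptions/<sub-id>/.../authorizationRules/r",
   "logs": [{"category": "SQLSecurityAuditEvents", "enabled": true}]},
  {"name": "to-law",
   "workspaceId": "/subscriptions/<sub-id>/.../workspaces/law1",
   "logs": [{"category": "ResourceUsageStats", "enabled": true},
            {"category": "SQLSecurityAuditEvents", "enabled": true}]}
]""")

if __name__ == "__main__":
    status, names = evaluate(SAMPLE_SETTINGS)
    print(f"MSQL-00-018600: {status} (compliant settings: {names})")
```

Pipe the real CLI output through `json.load` in place of `SAMPLE_SETTINGS` to run it against an instance; an empty list, a disabled category, or a missing `workspaceId` each produce a finding.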
| ✔️ Fix |
|---|

Configure Azure SQL Managed Instance to implement the capability to centrally review and analyze audit records from multiple components within the system. One option is to use Log Analytics to query data in the Azure Monitor Logs store.

Reference:

- https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?#set-up-auditing-for-your-server-to-event-hubs-or-azure-monitor-logs
- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview?tabs=simple