Azure SQL Server Managed Instance must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-276268	SRG-APP-000795-DB-000130	MSQL-00-018700	SV-276268r1149713_rule	2025-10-07	1

Description
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. The common language runtime (CLR) component of the .NET Framework for Microsoft Windows in SQL allows the user to write stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates, and streaming table-valued functions, using any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#. CLR packing assemblies can access resources protected by .NET Code Access Security when it runs managed code. Specifying UNSAFE enables the code in the assembly complete freedom to perform operations in the SQL process space that can potentially compromise the robustness of SQL. UNSAFE assemblies can also potentially subvert the security system of either SQL or the common language runtime.

Description

Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls. The common language runtime (CLR) component of the .NET Framework for Microsoft Windows in SQL allows the user to write stored procedures, triggers, user-defined types, user-defined functions, user-defined aggregates, and streaming table-valued functions, using any .NET Framework language, including Microsoft Visual Basic .NET and Microsoft Visual C#. CLR packing assemblies can access resources protected by .NET Code Access Security when it runs managed code. Specifying UNSAFE enables the code in the assembly complete freedom to perform operations in the SQL process space that can potentially compromise the robustness of SQL. UNSAFE assemblies can also potentially subvert the security system of either SQL or the common language runtime.

ℹ️ Check
Verify the database management system (DBMS) is configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. If the DBMS is not configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information, this is a finding.

✔️ Fix
Configure the DBMS to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.