Azure SQL Managed Instance must be able to generate audit records when access to objects occur.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-276263 | MSQL-00-015300 | SV-276263r1150070_rule | CCI-000172 | medium |

Description

Without tracking all or selected types of access to all or selected objects (tables, views, procedures, functions, etc.), it would be difficult to establish, correlate, and investigate the events relating to an incident, or to identify those responsible for one. In an Azure SQL Managed Instance environment, types of access include, but are not necessarily limited to: SELECT, INSERT, UPDATE, DELETE, and EXECUTE.

Satisfies: SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357

| STIG | Date |
|---|---|
| Microsoft Azure SQL Managed Instance Security Technical Implementation Guide | 2025-10-07 |
Details
Check Text (C-276263r1150070_chk)
Review the Azure SQL Managed Instance configuration to verify that audit records are produced when successful accesses to objects occur.

Run this T-SQL query to determine whether an enabled SQL Audit includes the SCHEMA_OBJECT_ACCESS_GROUP audit action group:

```sql
-- Lists every enabled server audit whose specification includes
-- SCHEMA_OBJECT_ACCESS_GROUP (the action group that records SELECT,
-- INSERT, UPDATE, DELETE and EXECUTE against schema objects).
SELECT a.name AS 'AuditName', s.name AS 'SpecName',
       d.audit_action_name AS 'ActionName',
       d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1
  AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
```

If no values are listed for AuditActionGroups (the query returns no rows), this is a finding.
Fix Text (F-80323r1150069_fix)
Deploy an Azure SQL Managed Instance audit whose server audit specification includes the SCHEMA_OBJECT_ACCESS_GROUP action group. Refer to the supplemental file "AzureSQLMIAudit.sql" for the script.
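The following T-SQL is an added example of the fix described above, not the STIG's supplemental "AzureSQLMIAudit.sql" script. It creates a server audit that writes to blob storage, attaches a server audit specification containing SCHEMA_OBJECT_ACCESS_GROUP, enables both, and then re-runs the check query so the result can be confirmed in one pass. The audit and specification names, the storage URL, and the retention period are placeholders chosen for this example.

```sql
-- Added example (not the STIG supplemental script). Assumptions:
--   * [STIG_ObjectAccess_Audit] / [STIG_ObjectAccess_Spec] are placeholder names
--   * the TO URL path points at a storage account for which a server-level
--     credential already exists; replace <storage-account> before running
--   * RETENTION_DAYS = 90 is an example retention period, not a STIG value

-- 1. Create the audit target. CREATE SERVER AUDIT leaves the audit disabled;
--    it is switched on with ALTER below.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits
               WHERE name = N'STIG_ObjectAccess_Audit')
BEGIN
    CREATE SERVER AUDIT [STIG_ObjectAccess_Audit]
    TO URL ( PATH = 'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/',
             RETENTION_DAYS = 90 );
END;

-- 2. Create the specification that records object access. The single action
--    group SCHEMA_OBJECT_ACCESS_GROUP covers SELECT, INSERT, UPDATE, DELETE
--    and EXECUTE on schema objects, which is what this rule requires.
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications
               WHERE name = N'STIG_ObjectAccess_Spec')
BEGIN
    CREATE SERVER AUDIT SPECIFICATION [STIG_ObjectAccess_Spec]
    FOR SERVER AUDIT [STIG_ObjectAccess_Audit]
    ADD (SCHEMA_OBJECT_ACCESS_GROUP)
    WITH (STATE = ON);
END;

-- 3. Enable the audit. The check query filters on is_state_enabled = 1, so a
--    correctly defined but disabled audit is still a finding.
ALTER SERVER AUDIT [STIG_ObjectAccess_Audit] WITH (STATE = ON);

-- 4. Re-run the STIG check. Expected: one row per enabled audit/specification
--    pair with ActionName = SCHEMA_OBJECT_ACCESS_GROUP and Result = SUCCESS AND FAILURE.
SELECT a.name AS 'AuditName', s.name AS 'SpecName',
       d.audit_action_name AS 'ActionName',
       d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1
  AND d.audit_action_name = 'SCHEMA_OBJECT_ACCESS_GROUP';
```

If the instance is audited through the Azure portal or Event Hub rather than a storage account, the audit can be created with `TO EXTERNAL_MONITOR` instead of `TO URL`; the specification and the check query are unchanged. Any change to an existing specification requires `ALTER SERVER AUDIT SPECIFICATION ... WITH (STATE = OFF)` first, which is why the example only creates objects that do not already exist rather than altering ones it did not create.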
Reference: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?view=azuresql-mi