Ensure SQL Server Threat Detection Retention is set to a value greater than 90 days for Azure SQL Database

MEDIUM

Description

If SQL Server Threat Detection retention is set to fewer than 90 days for an Azure SQL Database, threat detection logs and alerts are deleted automatically after a short period. This makes it harder to review past security incidents, identify patterns of potential threats, and learn from previous attacks, and it reduces the ability to audit and analyze security events effectively.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to SQL servers.
  2. Choose the SQL server you wish to edit.
  3. Under Backups, under Retention policies, add retention policies.
  4. Select save.

In Terraform -

  1. In the azurerm_mssql_database resource, set retention_days to a value greater than 90 days.
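
The following Terraform configuration is an added example, not code from the original policy page or from the rule's vendor. It shows an azurerm_mssql_database whose threat_detection_policy block sets retention_days to a value that satisfies this rule, with the non-compliant setting shown as a comment for contrast. The resource group, server, storage account and e-mail address are placeholders, and the administrator password is assumed to be supplied through a sensitive variable rather than hard-coded.

```hcl
# Added example for rule AC_AZURE_0001: threat detection logs retained longer than 90 days.
# All names, the region and the e-mail address below are placeholders.

variable "sql_admin_password" {
  type      = string
  sensitive = true # supplied out of band (tfvars, env var or a vault), never committed
}

resource "azurerm_resource_group" "example" {
  name     = "rg-sql-threat-detection-example" # placeholder
  location = "eastus"                          # placeholder
}

# Storage account that receives the threat detection audit logs.
resource "azurerm_storage_account" "threat_logs" {
  name                     = "stthreatlogsexample" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_mssql_server" "example" {
  name                         = "sql-threat-detection-example" # placeholder, must be globally unique
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password
}

resource "azurerm_mssql_database" "example" {
  name      = "db-example" # placeholder
  server_id = azurerm_mssql_server.example.id

  threat_detection_policy {
    state                = "Enabled"
    email_account_admins = "Enabled"
    email_addresses      = ["secops@example.com"] # placeholder

    # Compliant: logs and alerts are kept for more than 90 days, so past
    # incidents remain available for review and pattern analysis.
    retention_days = 120

    # Non-compliant value that this rule flags (shown for contrast only):
    # retention_days = 30

    storage_endpoint           = azurerm_storage_account.threat_logs.primary_blob_endpoint
    storage_account_access_key = azurerm_storage_account.threat_logs.primary_access_key
  }
}
```

Changing only the retention_days value from 30 to 120 is the difference between a finding and a pass for this rule; the storage endpoint and access key are required so that the retained logs have somewhere to be written.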

References:
https://learn.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail?view=sql-server-ver16
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database#retention_days

Policy Details

Rule Reference ID: AC_AZURE_0001
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: SQL Server

Frameworks