Rule ID
SV-276262r1149695_rule
Version
V1R1
CCIs
For completeness of forensic analysis, it is necessary to track who logs on to Azure SQL Managed Instance. Concurrent connections by the same user from multiple workstations may be valid use of the system; or such connections may be due to improper circumvention of the requirement to use the CAC for authentication; or they may indicate unauthorized account sharing; or they may be because an account has been compromised. If the fact of multiple, concurrent logons by a given user can be reliably reconstructed from the log entries for other events (logons/connections; voluntary and involuntary disconnections), it is not mandatory to create additional log entries specifically for this.
Review Azure SQL Managed Instance configuration to verify that audit records are produced when concurrent logons/connections by the same user from different workstations occur. To determine if an audit is configured, execute the following script: SELECT name AS 'Audit Name', status_desc AS 'Audit Status', audit_file_path AS 'Current Audit File' FROM sys.dm_server_audit_status If no records are returned, this is a finding. Run this TSQL command to determine if SQL Auditing AuditActionGroups are configured: SELECT DISTINCT sd.audit_action_name FROM sys.server_audit_specification_details sd JOIN sys.server_audit_specifications s ON s.server_specification_id = sd.server_specification_id WHERE s.is_state_enabled = 1 AND sd.audit_action_name = 'SUCCESSFUL_LOGIN_GROUP' If no values exist for AuditActionGroup, this is a finding.
Deploy an Azure SQL Managed Instance audit. Refer to the supplemental file "AzureSQLMIAudit.sql" script. Reference: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?view=azuresql-mi