Azure SQL Server Auditing Is Disabled

Audit logs can help you find suspicious events, unusual activity, and trends to analyze database events. Auditing the SQL Server, at the server-level, enables you to track all new and existing databases on the server. This policy identifies SQL servers do not have auditing enabled. As a best practice, enable auditing on each SQL server so that the database are audited, regardless of the database auditing settings.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

Azure SQL server auditing is disabled.
JSON Query:
$.resource.*.azurerm_sql_database size greater than 0 and ($.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].state anyEqual Disabled)
Recommended solution enabling SQL server auditing.
It is recommended to have Azure SQL server auditing enabled. Please make sure if your template have"threat_detection_policy" defined and it has "state" set to "enabled".
For example:
"threat_detection_policy": [ { "email_addresses": [ "" ], "retention_days": "100", "state": "Enabled" } ]

Run Rule Recommendation

  1. Log in to the Azure Portal.
  2. Select 'SQL servers', and select the SQL server instance you want to modify.
  3. Select 'Auditing', and set the status to 'On'.
  4. 'Save' your changes.


There are 3 standards that are applicable to this policy:
  • CIS v1.1 (Azure)
  • CCPA 2018

Recommended For You