CUI

STIG Rule - V-276267

V-276267

SV-276267r1150098_rule

CAT II

Azure SQL Managed Instance must implement the capability to centrally review and analyze audit records from multiple components within the system using a service such as Azure Log Analytics.

From: Microsoft Azure SQL Managed Instance Security Technical Implementation Guide (V1R1)

Description

Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.

Documentable: false

Check Procedure

Review the system documentation to determine whether a centralized repository of audit data is required by the data owner or organization. If this is not required, this finding is Not Applicable.

Run the following query to return a listing of active Server Audits not used for auditing Microsoft Support activities:

    SELECT audit_guid, name, type_desc, is_operator_audit, is_state_enabled
    FROM sys.server_audits A
    WHERE type_desc = 'EXTERNAL MONITOR'
    AND is_operator_audit = 0
    AND is_state_enabled = 1

If no audits are returned, this is a finding.

Determine whether the Azure SQL Managed Instance is configured to forward SQL Security Audit Events to a centralized repository such as Log Analytics.

1. Connect to the Azure portal and navigate to the Azure SQL Managed Instance resource.
2. In the left navigation pane, expand "Monitoring".
3. Click "Diagnostic settings".

If no diagnostic settings are defined, this is a finding.

Locate the diagnostic setting for SQL Security Audit Events by repeating the following steps for each setting defined:

1. Click "Edit settings" on the right.
2. Under "Logs", verify the "SQL Security Audit Event" category is flagged.
3. Under "Destination details", verify "Send to Log Analytics workspace" is flagged.

If no Diagnostic setting meets both of these requirements, this is a finding.
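The portal steps above amount to two conditions per diagnostic setting: the SQL Security Audit Event log category is enabled, and a Log Analytics workspace is a destination. The script below, added here as an example and not part of the STIG or of any Microsoft tooling, applies those conditions to a diagnostic settings listing of the kind `az monitor diagnostic-settings list --resource <managed-instance-id>` prints, so the check can be repeated across many instances. It assumes the category is named `SQLSecurityAuditEvents` in the CLI output, that the `allLogs` and `audit` category groups enable that category, and that a workspace destination appears as a non-empty `workspaceId`; the sample listing and its resource IDs are constructed placeholders.

```python
"""Evaluate Azure diagnostic settings against STIG V-276267 (added example, not STIG content)."""
import json

# Assumed diagnostic log category name for SQL Managed Instance; confirm it
# against the categories your tenant actually lists before relying on it.
AUDIT_CATEGORY = "SQLSecurityAuditEvents"
# Assumed: these category groups enable every log category, so they cover the audit category too.
COVERING_GROUPS = {"alllogs", "audit"}

# Constructed sample shaped like `az monitor diagnostic-settings list --resource <id>` output.
# Resource IDs are placeholders, not real subscriptions.
SAMPLE_SETTINGS_JSON = json.dumps([
    {   # Metrics and a non-audit log category to a storage account only.
        "name": "metrics-to-storage",
        "storageAccountId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/examplesa",
        "workspaceId": None,
        "logs": [{"category": "ResourceUsageStats", "enabled": True}],
        "metrics": [{"category": "AllMetrics", "enabled": True}],
    },
    {   # Audit category enabled, but routed to an event hub rather than Log Analytics.
        "name": "audit-to-eventhub",
        "eventHubAuthorizationRuleId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg/providers/Microsoft.EventHub/namespaces/examplens/authorizationRules/RootManageSharedAccessKey",
        "workspaceId": None,
        "logs": [{"category": "SQLSecurityAuditEvents", "enabled": True}],
        "metrics": [],
    },
    {   # Audit category enabled and sent to a Log Analytics workspace: satisfies the rule.
        "name": "audit-to-law",
        "workspaceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/example-law",
        "logs": [
            {"category": "SQLSecurityAuditEvents", "enabled": True},
            {"category": "DevOpsOperationsAudit", "enabled": False},
        ],
        "metrics": [],
    },
])


def _as_list(raw):
    """Accept either the bare list newer az CLI versions print or a {"value": [...]} wrapper."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(data, dict):
        data = data.get("value", [])
    return list(data)


def audit_category_enabled(setting):
    """True if the audit category is enabled, directly or via a covering category group."""
    for entry in setting.get("logs") or []:
        if not entry.get("enabled"):
            continue
        if (entry.get("category") or "").lower() == AUDIT_CATEGORY.lower():
            return True
        if (entry.get("categoryGroup") or "").lower() in COVERING_GROUPS:
            return True
    return False


def sends_to_log_analytics(setting):
    """True if a Log Analytics workspace is one of this setting's destinations."""
    return bool(setting.get("workspaceId"))


def evaluate(raw):
    """Return the V-276267 result for one instance's diagnostic settings listing."""
    settings = _as_list(raw)
    if not settings:
        return {"finding": True, "satisfying": [], "reason": "no diagnostic settings defined"}
    satisfying = [
        s.get("name", "<unnamed>")
        for s in settings
        if audit_category_enabled(s) and sends_to_log_analytics(s)
    ]
    if not satisfying:
        return {"finding": True, "satisfying": [],
                "reason": "no setting has the audit category enabled and a Log Analytics workspace destination"}
    return {"finding": False, "satisfying": satisfying, "reason": "compliant"}


if __name__ == "__main__":
    # Replace SAMPLE_SETTINGS_JSON with the CLI's stdout to evaluate a real instance.
    print(json.dumps(evaluate(SAMPLE_SETTINGS_JSON), indent=2))
```

Both conditions are evaluated on the same setting, matching the STIG's wording that a single diagnostic setting must meet both requirements; a setting that enables the category but only targets a storage account or event hub does not count. This script covers only the diagnostic-settings half of the check; the `sys.server_audits` query still has to be run on the instance itself.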

Fix Text

Configure Azure SQL Managed Instance to implement the capability to centrally review and analyze audit records from multiple components within the system. One option is to use Log Analytics to query data in the Azure Monitor Logs store.

Reference:
https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?#set-up-auditing-for-your-server-to-event-hubs-or-azure-monitor-logs
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-overview?tabs=simple

CCI Reference

CCI-003821
Created
2026-04-07 20:08:22
Last Updated
2026-04-07 20:08:22