
Azure - MySQL Flexible Server Audit Connection Logs

Description

This playbook provides instructions and scripts to enable auditing for Azure MySQL servers, ensuring security best practices and compliance with industry standards.

Auditing helps track database activities, identify potential breaches, and fulfill regulatory requirements. This guide includes both automated remediation and manual remediation instructions.

Severity Level

Medium. The playbook assigns this task a severity level of 2, indicating moderate importance.

When to use?

Use this playbook when you need to enable auditing on Azure MySQL Flexible Servers to monitor database access, detect suspicious activity, and meet compliance or internal security requirements.

Prerequisites

1. Python v3.9 or later, with the following packages installed:
   azure-core
   azure-identity
   azure-mgmt-subscription
   azure-mgmt-resource
   azure-mgmt-rdbms

Playbook steps:

1. Clone the Repository

    git clone --branch main --single-branch https://github.com/tamnoon-io/Tamnoon-Public-Playbooks.git

2. Move to Azure Folder

    cd TamnoonPlaybooks/Azure

3. Log in with “az login”; otherwise you may be redirected to the Azure login screen to authenticate once script execution starts.
4. Get the subscription ID, resource group name, MySQL Flexible Server name(s), and regions.
5. Execute the automation from the /Azure directory:

i. Using CLI parameters:

    python3 -m Automations.DBServer \
    mysql-server \
    enable_auditing \
    --assetIds mysql-server-name \
    --dryRun \
    --actionParams '{"storage-account-name": "storageaccount", "resource-group-name": "resourcegroup", "subscription-id": "subscription-id"}'

ii. Using a YAML file: a YAML file is a text file with a “yml” or “yaml” extension whose content is in the format:

    subscription: subscription-id
    resourceGroups:
      - sample-resource-group
    assetIds:
      - postgresql-flexible-server-name
    actionParams:
      storage-account-name: storageaccount
      resource-group-name: resourcegroup
      subscription-id: subscription-id

Run the execution:

    python3 -m Automations.DBServer \
    mysql-server \
    enable_auditing \
    --file path-to-yml-file

iii. Using a JSON file: a JSON file is a text file with a “json” extension whose content is in the format:

    {
      "subscription": "subscription-id",
      "resourceGroups": ["sample-resource-group"],
      "assetIds": ["postgresql-flexible-server-name"],
      "actionParams": {
        "storage-account-name": "storageaccount",
        "resource-group-name": "resourcegroup",
        "subscription-id": "subscription-id"
      }
    }

Run the execution:

    python3 -m Automations.DBServer \
    mysql-server \
    enable_auditing \
    --file path-to-json-file

subscription - (Required)

Subscription ID. The automation looks for MySQL Flexible Servers only in the specified subscription.

resourceGroups - (Optional)

List of resource group names. When given, the automation looks for MySQL Flexible Servers only in the specified resource groups. Otherwise the default value is ‘all’, i.e., the automation looks for MySQL Flexible Servers in all resource groups available in the subscription.

assetIds - (Required)

Comma-separated list of MySQL Flexible Servers.

regions - (Optional)

Regions of the MySQL Flexible Servers. When given, the automation looks for MySQL Flexible Servers whose location matches any of the given regions. Otherwise the default value is ‘all’, i.e., the automation looks for MySQL Flexible Servers regardless of location.

actionParams - (Required)

1. storage-account-name – (Required) – name of the storage account sink where diagnostic logs should be archived.

2. resource-group-name – (Optional) – name of the resource group that contains this storage account. If not specified, defaults to the resource group of the corresponding MySQL Flexible Server.

3. subscription-id – (Optional) – subscription ID of the storage account. If not specified, defaults to the subscription of the corresponding MySQL Flexible Server.

1. rollBack – (Required) – Boolean flag indicating whether this is a rollback call (requires an existing state file).

2. lastExecutionResultPath – (Required) – The path of the last execution result to roll back from.
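
A pre-flight check for the parameter file, added here as an example and not part of the Tamnoon playbook code: it applies the required/optional rules and defaults listed above for subscription, resourceGroups, assetIds, regions and actionParams before anything is run. The function names (`as_list`, `resolve_params`), the `None` marker for "same resource group as the server", and the sample document are assumptions made for illustration.

```python
ALL = "all"  # documented default for resourceGroups and regions

def as_list(value):
    """Accept a YAML/JSON list or the comma-separated CLI form."""
    items = value.split(",") if isinstance(value, str) else (value or [])
    return [str(i).strip() for i in items if str(i).strip()]

def resolve_params(doc):
    """Validate a parameter document and return the effective run settings."""
    errors = []
    subscription = str(doc.get("subscription") or "").strip()
    if not subscription:
        errors.append("subscription is required")
    asset_ids = as_list(doc.get("assetIds"))
    if not asset_ids:
        errors.append("assetIds is required (at least one server name)")
    action = doc.get("actionParams")
    if not isinstance(action, dict):
        errors.append("actionParams is required and must be a mapping")
        action = {}
    storage = str(action.get("storage-account-name") or "").strip()
    if not storage:
        errors.append("actionParams.storage-account-name is required")
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "subscription": subscription,
        "resourceGroups": as_list(doc.get("resourceGroups")) or ALL,
        "regions": as_list(doc.get("regions")) or ALL,
        "assetIds": asset_ids,
        "sink": {
            "storage-account-name": storage,
            # None: same resource group as each MySQL Flexible Server
            "resource-group-name": action.get("resource-group-name") or None,
            # Defaults to the subscription that holds the server
            "subscription-id": action.get("subscription-id") or subscription,
        },
    }

# Constructed sample: the page's parameter file with the optional fields left out
SAMPLE = {
    "subscription": "subscription-id",
    "assetIds": ["mysql-server-name"],
    "actionParams": {"storage-account-name": "storageaccount"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(resolve_params(SAMPLE), indent=2))
```

Running it against a parameter file before the `--dryRun` pass shows which subscription and resource group the audit logs will actually land in when the optional sink fields are omitted.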

Frequently Asked Questions

Does enabling auditing affect performance?

Minimal performance impact is expected. Azure handles logging asynchronously in most cases.

Yes, logs can be sent to Azure Monitor, Log Analytics, Event Hubs, or Storage Accounts, integrating with third-party SIEMs.

Yes, though the setup steps may vary slightly. Refer to Flexible Server logging docs.

Retention depends on your diagnostic settings. When sending logs to a Log Analytics workspace, you can configure retention from 30 days up to 2 years. If using a Storage Account, logs are retained as long as the blobs exist unless lifecycle policies are set.

Yes. You can script this using Azure PowerShell or Azure CLI to loop through a list of servers and apply diagnostic settings. This is especially useful in large environments or when managing via infrastructure-as-code.

Azure MySQL audit logs typically capture connections, queries, logins, failed attempts, and admin actions. These logs help monitor for suspicious behavior, troubleshoot performance, and ensure compliance.
