Description:

Enable "Azure Defender for SQL" on critical SQL Servers. When Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled', provide the list of emails that should receive security alerts upon detection of anomalous database activities in the "Send alerts to" text box.

Rationale:

Azure Defender for SQL is a unified package for advanced SQL security capabilities. Azure Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

Impact:

Azure Defender for SQL is a paid feature and will incur additional cost for each SQL server.

Default Value:

By default, Azure Defender for SQL is set to Off.

Audit:

From Azure Console

  1. Go to SQL servers

  2. For each server instance

  3. Click on Azure Defender for SQL

  4. Ensure that Azure Defender for SQL is set to On

Using Azure PowerShell

Get the list of all SQL Servers

Get-AzSqlServer

For each server, ensure that ThreatDetectionState is set to Enabled.

Get-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name>


Remediation:

From Azure Console

  1. Go to SQL servers

  2. For each server instance

  3. Click on Azure Defender for SQL

  4. Set Azure Defender for SQL to On

Using Azure PowerShell

Enable Advanced Data Security for a SQL Server:

Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
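The audit and remediation steps above can be combined into one script that enumerates every SQL server in the current subscription, reports which ones lack Threat Detection, and (only when asked) enables it with alert recipients. This is an added example, not part of the benchmark text; it assumes the Az.Accounts and Az.Sql modules are installed, that Connect-AzAccount has already been run, that the returned policy object exposes ThreatDetectionState, EmailAdmins and NotificationRecipientsEmails properties, and that the recipient address is a placeholder to be replaced with your own distribution list.

```powershell
# Added example (not from the benchmark): audit all SQL servers for Azure Defender
# for SQL / Threat Detection and optionally remediate the non-compliant ones.
# Assumes Az.Accounts + Az.Sql are installed and Connect-AzAccount has run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Only change anything when -Remediate is given; default is audit-only.
    [switch]$Remediate,
    # Placeholder recipient list (assumption); replace with your SOC mailbox.
    [string[]]$AlertRecipients = @('soc@example.com')
)

$findings = @()

foreach ($server in Get-AzSqlServer) {
    # Audit step: read the server-level Threat Detection policy.
    $policy = Get-AzSqlServerThreatDetectionPolicy `
        -ResourceGroupName $server.ResourceGroupName `
        -ServerName $server.ServerName

    # Compliant means Threat Detection is on AND someone will actually get the alerts.
    $compliant = ($policy.ThreatDetectionState -eq 'Enabled') -and
                 ($policy.EmailAdmins -or -not [string]::IsNullOrEmpty($policy.NotificationRecipientsEmails))

    $findings += [pscustomobject]@{
        ResourceGroup        = $server.ResourceGroupName
        Server               = $server.ServerName
        ThreatDetectionState = $policy.ThreatDetectionState
        EmailAdmins          = $policy.EmailAdmins
        Recipients           = $policy.NotificationRecipientsEmails
        Compliant            = $compliant
    }

    # Remediation step: enable Defender for SQL with admin e-mails plus an explicit
    # recipient list. -WhatIf / -Confirm are honoured via ShouldProcess.
    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess($server.ServerName, 'Enable Azure Defender for SQL')) {
        Set-AzSqlServerThreatDetectionPolicy `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName `
            -EmailAdmins $true `
            -NotificationRecipientsEmails ($AlertRecipients -join ';')
    }
}

# Report, then exit non-zero if any server is still non-compliant so the script
# can gate a pipeline or scheduled compliance job.
$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without arguments to produce an audit table only; run it with `-Remediate -WhatIf` to preview which servers would be changed, and with `-Remediate` to apply the change. The script treats a policy that is Enabled but has no recipients as non-compliant, because an alert nobody receives does not satisfy the intent of the Description.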

Note:

  • Enabling 'Azure Defender for SQL' from the Azure portal enables Threat Detection.

  • Using the PowerShell command Set-AzSqlServerThreatDetectionPolicy enables Azure Defender for SQL for a SQL server.

References:

  1. https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql

  2. https://docs.microsoft.com/cs-cz/powershell/module/azurerm.sql/get-azurermsqlserverthreatdetectionpolicy?view=azurermps-5.2.0

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-3-monitor-for-unauthorized-transfer-of-sensitive-data