Description:
Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases
Rationale:
Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC)
.
Impact:
Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities.
Audit:
From Azure Portal
1. Go to Microsoft Defender for Cloud
2. Select Environment Settings
3. Click on the subscription name
4. Select Defender plans
5. Ensure Databases Status is set to On
6. Review the chosen pricing tier
From Azure CLI
Ensure the output of the below commands is Standard
az security pricing show -n 'SqlServers'
az security pricing show -n 'SqlServerVirtualMachines'
az security pricing show -n 'OpenSourceRelationalDatabases'
az security pricing show -n 'CosmosDbs'
If the output of any of the above commands shows pricingTier with a value of Free,
the setting is out of compliance.
From PowerShell
Connect-AzAccount
Get-AzSecurityPricing |select-object Name,PricingTier |where-object {$_.Name
-match 'Sql' -or $_.Name -match 'Cosmos' -or $_.Name -match 'OpenSource'}
Ensure the output shows Standard for each database type under the PricingTier
column. Any that show Free are considered out of compliance.
Remediation:
From Azure Portal
1. Go to Microsoft Defender for Cloud
2. Select Environment Settings
3. Click on the subscription name
4. Select Defender plans
5. Set Databases Status to On
6. Select Save
Review the chosen pricing tier. For the Azure Databases resource review the different plan information and choose one that fits the needs of your organization.
From Azure CLI
Run the following commands:
az security pricing create -n 'SqlServers' --tier 'Standard'
az security pricing create -n 'SqlServerVirtualMachines' --tier 'Standard'
az security pricing create -n 'OpenSourceRelationalDatabases' --tier
'Standard'
az security pricing create -n 'CosmosDbs' --tier 'Standard'
From Azure PowerShell
Run the following commands:
Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier
'Standard'
Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier
'Standard'
Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'
Default Value:
By default, Microsoft Defender Plans are off.
References:
1. https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-forsql?view=azuresql
2. https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enabledatabase-protections
3. https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-fordatabases-usage
4. https://docs.microsoft.com/en-us/azure/security-center/security-center-detectioncapabilities
5. https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list