Description:
Enable "Microsoft Defender for SQL" on critical SQL Servers.
Rationale:
Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.
Impact:
Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server.
Audit:
From Azure Portal
1. Go to SQL servers. For each production SQL server instance:
2. Click Microsoft Defender for Cloud
3. Ensure that Enablement Status is Enabled
From PowerShell
Get the list of all SQL servers:
Get-AzSqlServer
For each server:
Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName <resource group name> -ServerName <server name>
Ensure that ThreatDetectionState is set to Enabled.
Remediation:
From Azure Portal
1. Go to SQL servers. For each production SQL server instance:
2. Click Microsoft Defender for Cloud
3. Click Enable Microsoft Defender for SQL
From PowerShell
Enable Advanced Data Security for a SQL server:
Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
Note:
• Enabling 'Microsoft Defender for SQL' from the Azure portal enables Threat Detection
• Using the PowerShell command Set-AzSqlServerThreatDetectionPolicy enables Microsoft Defender for SQL for a SQL server
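The Audit and Remediation steps above, combined into one subscription-wide check, as an added example that is not part of the benchmark text. It assumes the Az.Accounts and Az.Sql modules are installed and Connect-AzAccount has already selected the subscription; the -Remediate switch and the Get-DefenderForSqlStatus function are this example's own names, and the cmdlets and parameters are the ones the benchmark cites.

```powershell
# Added example: audit every SQL server in the current subscription for Microsoft
# Defender for SQL, and optionally remediate. Not part of the CIS benchmark text.
# Assumes Az.Accounts and Az.Sql are installed and Connect-AzAccount has run.
param(
    [switch]$Remediate   # without this switch the script only reports
)

function Get-DefenderForSqlStatus {
    # Same check as the Audit section: ThreatDetectionState must be Enabled.
    foreach ($server in Get-AzSqlServer) {
        $setting = Get-AzSqlServerAdvancedThreatProtectionSetting `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName
        [pscustomobject]@{
            ResourceGroupName    = $server.ResourceGroupName
            ServerName           = $server.ServerName
            ThreatDetectionState = $setting.ThreatDetectionState
            Compliant            = ($setting.ThreatDetectionState -eq 'Enabled')
        }
    }
}

$results = Get-DefenderForSqlStatus
$results | Format-Table -AutoSize

$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -eq 0) {
    Write-Host 'All SQL servers have Microsoft Defender for SQL enabled.'
    return
}

Write-Warning ('{0} SQL server(s) without Microsoft Defender for SQL: {1}' -f `
    $nonCompliant.Count, ($nonCompliant.ServerName -join ', '))

if ($Remediate) {
    foreach ($s in $nonCompliant) {
        # Same cmdlet and parameters as the Remediation section.
        # Note the Impact section: enabling this incurs cost per SQL server.
        Set-AzSqlServerThreatDetectionPolicy `
            -ResourceGroupName $s.ResourceGroupName `
            -ServerName $s.ServerName `
            -EmailAdmins $True
        Write-Host "Enabled Microsoft Defender for SQL on $($s.ServerName)"
    }
}
```

Run it without arguments during an audit to get a per-server compliance table; rerun with -Remediate only for the servers you have confirmed are production instances that should carry the cost.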
Default Value:
By default, Microsoft Defender for SQL is set to Off.
References:
1. https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-forsql?view=azuresql