Skip to main content

lacework-global-600

2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' (Manual)

Profile Applicability

• Level 2

Description

Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.

Rationale

Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC).

Impact

Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities.

Audit

From Azure Portal

  1. Go to Microsoft Defender for Cloud
  2. Select Environment Settings blade
  3. Click on the subscription name
  4. Select the Defender plans blade
  5. Review the chosen pricing tier. For the Databases resource type the radial button should be set to On.

From Azure CLI

Ensure the output of the below commands is Standard

az security pricing show -n 'SqlServers'
az security pricing show -n 'SqlServerVirtualMachines'
az security pricing show -n 'OpenSourceRelationalDatabases'
az security pricing show -n 'CosmosDbs'

If the output of any of the above commands shows pricingTier with a value of Free, the setting is out of compliance.

From Azure PowerShell

Connect-AzAccount
Get-AzSecurityPricing |select-object Name,PricingTier |where-object {$_.Name -match 'Sql' -or $_.Name -match 'Cosmos' -or $_.Name -match 'OpenSource'}

Ensure the output shows Standard for each database type under the PricingTier column. Any that show Free are considered out of compliance.

Remediation

From Azure Portal

  1. Go to Microsoft Defender for Cloud
  2. Select Environment Settings blade
  3. Click on the subscription name
  4. Select the Defender plans blade
  5. On the line in the table for Azure SQL Databases Select On under Plan.
  6. Select Save

Review the chosen pricing tier. For the Azure Databases resource review the different plan information and choose one that fits the needs of your organization.

From Azure CLI

Run the following commands:

az security pricing create -n 'SqlServers' --tier 'Standard'
az security pricing create -n 'SqlServerVirtualMachines' --tier 'Standard'
az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'Standard'
az security pricing create -n 'CosmosDbs' --tier 'Standard'

From Azure Powershell

Run the following commands:

Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'

References

https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections
https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-usage
https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities
https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities