lacework-global-600
2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' (Manual)
Profile Applicability
• Level 2
Description
Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases.
Rationale
Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software. Instead of waiting on Microsoft release updates or other similar processes, you can manage them yourself. Threat detection is provided by the Microsoft Security Response Center (MSRC).
Impact
Running Defender on Infrastructure as a service (IaaS) may incur increased costs associated with running the service and the instance it is on. Similarly, you will need qualified personnel to maintain the operating system and software updates. If it is not maintained, security patches will not be applied and it may be open to vulnerabilities.
Audit
From Azure Portal
- Go to
Microsoft Defender for Cloud - Select
Environment Settingsblade - Click on the subscription name
- Select the
Defender plansblade - Review the chosen pricing tier. For the
Databasesresource type the radial button should be set toOn.
From Azure CLI
Ensure the output of the below commands is Standard
az security pricing show -n 'SqlServers'
az security pricing show -n 'SqlServerVirtualMachines'
az security pricing show -n 'OpenSourceRelationalDatabases'
az security pricing show -n 'CosmosDbs'
If the output of any of the above commands shows pricingTier with a value of Free, the setting is out of compliance.
From Azure PowerShell
Connect-AzAccount
Get-AzSecurityPricing |select-object Name,PricingTier |where-object {$_.Name -match 'Sql' -or $_.Name -match 'Cosmos' -or $_.Name -match 'OpenSource'}
Ensure the output shows Standard for each database type under the PricingTier column. Any that show Free are considered out of compliance.
Remediation
From Azure Portal
- Go to
Microsoft Defender for Cloud - Select
Environment Settingsblade - Click on the subscription name
- Select the
Defender plansblade - On the line in the table for
Azure SQL DatabasesSelectOnunderPlan. - Select
Save
Review the chosen pricing tier. For the Azure Databases resource review the different plan information and choose one that fits the needs of your organization.
From Azure CLI
Run the following commands:
az security pricing create -n 'SqlServers' --tier 'Standard'
az security pricing create -n 'SqlServerVirtualMachines' --tier 'Standard'
az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'Standard'
az security pricing create -n 'CosmosDbs' --tier 'Standard'
From Azure Powershell
Run the following commands:
Set-AzSecurityPricing -Name 'SqlServers' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'
Set-AzSecurityPricing -Name 'CosmosDbs' -PricingTier 'Standard'
References
https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-enable-database-protections
https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-usage
https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities
https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities