lacework-global-622
4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers (Automated)
Profile Applicability
• Level 2
Description
Enable "Microsoft Defender for SQL" on critical SQL Servers.
Rationale
Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.
Impact
Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server.
Audit
From Azure Portal
- Go to SQL servers
- For each "critical" server instance (e.g. production SQL servers)
- Click on the Security Center blade
- Click configure, next to Microsoft Defender for SQL:
- Ensure that Microsoft Defender for SQL is toggled to On
From Azure PowerShell
Get the list of all SQL Servers:
Get-AzSqlServer
For each server:
Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName <resource group name> -ServerName <server name>
Ensure that ThreatDetectionState is set to Enabled.
Remediation
From Azure Portal
- Go to SQL servers
- For each "critical" server instance (e.g. production SQL servers)
- Click on the Security Center blade
- Click configure, next to 'Microsoft Defender for SQL:'
- Set Microsoft Defender for SQL to On
From Azure PowerShell
Enable Advanced Data Security for a SQL Server:
Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
Note:
- Enabling 'Microsoft Defender for SQL' from the Azure portal enables Threat Detection
- Using the PowerShell command Set-AzSqlServerThreatDetectionPolicy enables Microsoft Defender for SQL for a SQL server
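The audit and remediation steps above combined into one Az PowerShell script, added here as an example rather than taken from the benchmark: it enumerates every SQL server in the current subscription, reads the Advanced Threat Protection state of each with the cmdlet the Audit section names, and, only when run with -Remediate, applies the Set-AzSqlServerThreatDetectionPolicy command from the Remediation section to servers that are not Enabled. The -CriticalServers parameter (which servers count as "critical") and the -Remediate switch are assumptions of this script, not part of the benchmark.

```powershell
# Added example: audit (and optionally remediate) Microsoft Defender for SQL
# across the SQL servers in the current subscription.
# Requires the Az.Sql module and an authenticated session (Connect-AzAccount).
param(
    # Assumed input: names of the servers the organisation classes as "critical".
    # Leave empty to check every SQL server in the subscription.
    [string[]]$CriticalServers = @(),
    # Assumed switch: enable the policy on non-compliant servers instead of only reporting.
    [switch]$Remediate
)

$findings = foreach ($server in Get-AzSqlServer) {
    # Skip servers outside the critical list when one was supplied.
    if ($CriticalServers.Count -gt 0 -and $server.ServerName -notin $CriticalServers) { continue }

    # Audit step from the benchmark: read the Advanced Threat Protection setting.
    $atp = Get-AzSqlServerAdvancedThreatProtectionSetting `
        -ResourceGroupName $server.ResourceGroupName `
        -ServerName $server.ServerName

    if ($atp.ThreatDetectionState -ne 'Enabled' -and $Remediate) {
        # Remediation step from the benchmark: turn the policy on and email admins.
        Set-AzSqlServerThreatDetectionPolicy `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName `
            -EmailAdmins $True | Out-Null

        # Re-read rather than assume the change took effect.
        $atp = Get-AzSqlServerAdvancedThreatProtectionSetting `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName
    }

    [pscustomobject]@{
        ResourceGroup        = $server.ResourceGroupName
        Server               = $server.ServerName
        ThreatDetectionState = $atp.ThreatDetectionState
        Compliant            = ($atp.ThreatDetectionState -eq 'Enabled')
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets a pipeline or scheduled job flag any server still not Enabled.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it without -Remediate first to see the report; the exit code is 1 whenever at least one checked server reports a ThreatDetectionState other than Enabled, which makes the script usable as a recurring compliance check. Because the Impact section notes this is a paid feature, restricting the run to -CriticalServers keeps the remediation scoped to the servers the control is actually about.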
References
https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverthreatdetectionpolicy?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data
Additional Information
- The feature 'Microsoft Defender for SQL' can be enabled only at the SQL server level; the setting is inherited by all SQL databases hosted on that server.