Ensure notification email setting is enabled for Azure SQL Database Threat Detection Policy

LOW

Description

Azure SQL Database Threat Protection offers an email notification function that helps ensure administrators promptly receive alerts when security threats are detected. Enabling this feature is a best practice that significantly enhances database security. Without it, critical security events could go unnoticed, leading to potential data breaches and unauthorized access, which increases the overall risk to the database.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to SQL Servers.
  2. Select the SQL Server you wish to edit.
  3. Under Security, select Microsoft Defender for Cloud.
  4. Select the 'Configure' option next to 'Enabled at the subscription-level'.
  5. Under ADVANCED THREAT PROTECTION SETTINGS, select Add your contact details to the subscription's email settings in Defender for Cloud.
  6. Select Save.

In Terraform -

  1. In the azurerm_mssql_database resource, add the threat_detection_policy block and set email_addresses to the list of recipients who should receive threat alerts.
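
The following Terraform snippet is an added illustration, not code from the rule page or from the azurerm provider documentation. It shows a database that enables threat detection without any recipient (the condition this rule flags) next to the corrected form that sets email_addresses. The resource group, server, database names, the admin credentials variable and the mailbox address are all assumed values.

```hcl
# Added example (not from the page). Resource names, the resource group,
# the server, var.sql_admin_password and the mailbox are assumptions.

resource "azurerm_resource_group" "example" {
  name     = "rg-sql-example"   # assumed name
  location = "eastus"
}

resource "azurerm_mssql_server" "example" {
  name                         = "sql-example-server"   # assumed name
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password   # assumed variable
}

# Non-compliant with this rule: threat detection is switched on, but no
# recipient is configured, so a detection only shows up if someone happens
# to be looking at the portal.
resource "azurerm_mssql_database" "noncompliant" {
  name      = "appdb-noncompliant"
  server_id = azurerm_mssql_server.example.id

  threat_detection_policy {
    state = "Enabled"
  }
}

# Compliant: email_addresses names a monitored mailbox, and the server's
# account administrators are copied as well, so every alert is delivered
# to someone who can act on it.
resource "azurerm_mssql_database" "compliant" {
  name      = "appdb"
  server_id = azurerm_mssql_server.example.id

  threat_detection_policy {
    state                = "Enabled"
    email_addresses      = ["dba-oncall@example.com"]   # assumed mailbox
    email_account_admins = "Enabled"
  }
}
```

Running terraform validate and terraform plan against the module checks the block's syntax and shows the policy change before it is applied; reviewing the plan output for an empty or missing email_addresses list is a simple way to catch the non-compliant form in a pull request.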

References:
https://learn.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail?view=sql-server-ver16
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database#threat_detection_policy

Policy Details

Rule Reference ID: AC_AZURE_0002
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: SQL Server

Frameworks