Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

HIGH

Description

Description:

Enable "Microsoft Defender for SQL" on critical SQL Servers.

Rationale:

Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server.

Remediation

From Azure Portal

  1. Go to 'SQL servers'
  2. For each "critical" server instance (e.g. production SQL servers)
  3. Click on the 'Security Center' blade
  4. Click configure, next to 'Microsoft Defender for SQL:'
  5. Set 'Microsoft defender for SQL' is toggled to 'On'

From Powershell

Enable 'Advanced Data Security' for a SQL Server:

Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True

Note:

  • Enabling 'Microsoft Defender for SQL' from the Azure portal enables 'Threat Detection'
  • Using Powershell command 'Set-AzSqlServerThreatDetectionPolicy' enables 'Microsoft Defender for SQL' for a SQL server