Control: 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
Description
Enable "Microsoft Defender for SQL" on critical SQL Servers.
Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.
Remediation
From Azure Console
- Go to
SQL servers - For each "critical" server instance (e.g. production SQL servers)
- Click on the
Security Centerblade - Click configure, next to 'Microsoft Defender for SQL:`
- Set
Microsoft defender for SQLis toggled toOn
From Powershell
Enable Advanced Data Security for a SQL Server:
Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name>-ServerName <server name> -EmailAdmins $True
Note:
- Enabling 'Microsoft Defender for SQL' from the Azure portal enables Threat Detection
- Using Powershell command Set-AzSqlServerThreatDetectionPolicy enables Microsoft Defender for SQL for a SQL server
Default Value
By default, Microsoft Defender for SQL is set to Off.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_4_2_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v150_4_2_1 --shareSQL
This control uses a named query:
sql_server_atp_enabled