Control: Ensure That Microsoft Defender for Databases is set to 'On'
Description
Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation runs within your instances as Infrastructure as a Service (IaaS), on the operating systems hosting your databases.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.securitycenter_azure_defender_on_for_database
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.securitycenter_azure_defender_on_for_database --share
SQL
This control uses a named query:
with defender_list as (
  select
    json_object_agg(name, pricing_tier) as data,
    subscription_id
  from
    azure_security_center_subscription_pricing
  where
    name = any(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers'])
  group by
    subscription_id
)
select
  sub.id as resource,
  case
    when
      data ->> 'CosmosDbs' = 'Standard'
      and data ->> 'OpenSourceRelationalDatabases' = 'Standard'
      and data ->> 'SqlServerVirtualMachines' = 'Standard'
      and data ->> 'SqlServers' = 'Standard'
    then 'ok'
    else 'alarm'
  end as status,
  case
    when
      data ->> 'CosmosDbs' = 'Standard'
      and data ->> 'OpenSourceRelationalDatabases' = 'Standard'
      and data ->> 'SqlServerVirtualMachines' = 'Standard'
      and data ->> 'SqlServers' = 'Standard'
    then 'Azure Defender on for Databases.'
    else 'Azure Defender off for Databases.'
  end as reason,
  sub.display_name as subscription
from
  azure_subscription as sub
  left join defender_list as l on l.subscription_id = sub.subscription_id;
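The control returns a single ok or alarm per subscription and does not say which plan caused the alarm. The following query is an added example, not part of the mod's named query: it lists, per subscription, each of the four plans that is not on the Standard tier, using only the tables and columns that appear in the query above. The 'not reported' label for a plan with no pricing row is chosen for this example.

```sql
-- Added example: break an 'alarm' down to the individual Defender plans.
-- One output row per (subscription, plan) that is not on the Standard tier.
with required_plans as (
  -- The four plan names the control checks.
  select
    unnest(array['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) as plan_name
)
select
  sub.id as resource,
  sub.display_name as subscription,
  r.plan_name,
  -- A missing pricing row also fails the control, so surface it explicitly.
  coalesce(p.pricing_tier, 'not reported') as pricing_tier
from
  azure_subscription as sub
  cross join required_plans as r
  left join azure_security_center_subscription_pricing as p
    on p.subscription_id = sub.subscription_id
    and p.name = r.plan_name
where
  -- "is distinct from" treats NULL (no row) as a non-match, like the control's else branch.
  p.pricing_tier is distinct from 'Standard'
order by
  sub.display_name,
  r.plan_name;
```

An empty result means every subscription has all four plans on Standard, which is the condition under which the control reports ok.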