Control: Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers

powerpipe control run azure_compliance.control.sql_server_atp_enabled

powerpipe login
powerpipe control run azure_compliance.control.sql_server_atp_enabled --share

select
  s.id as resource,
  case
    when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'
    else 'ok'
  end as status,
  case
    when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.'
    else s.name || ' Azure defender enabled.'
  end as reason
  
  , s.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_sql_server s
  cross join lateral jsonb_array_elements(server_security_alert_policy) security
  left join azure_subscription sub on sub.subscription_id = s.subscription_id;