Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled
Azure SQL Database Threat Detection is a security intelligence feature built into the Azure SQL Database service. Working around the clock to learn, profile and detect anomalous database activities, Azure SQL Database Threat Detection identifies potential threats to the database. Security officers or other designated administrators can get an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.
Risk Level: Low
Cloud Entity: Azure SQL Database
CloudGuard Rule ID: D9.AZU.MON.03
Covered by Spectral: Yes
Category: Database
GSL LOGIC
SQLDB should have threatDetection.state='Enabled' and threatDetection.emailToAccountAdmins='Enabled'
REMEDIATION
From Portal
- Go to 'SQL Databases' from Azure Management console and choose your SQL DB
- Under 'Security', select 'Microsoft Defender for Cloud' on the navigation menu
- Click on 'Microsoft Defender for SQL' button
- Now click on 'Configure' under 'Microsoft Defender for SQL' Heading
- Under 'ADVANCED THREAT PROTECTION SETTINGS', select "Add your contact details to the subscription's email settings in Defender for Cloud"
- Provide the list of emails to receive notifications upon detection of anomalous database activities in the 'Additional email addresses (separated by commas)' text box
- Click Save.
From TF
Set the arguments under 'threat_detection_policy' as below:
resource "azurerm_sql_database" "example" {
  # ... other database arguments ...
  threat_detection_policy {
    # ... other policy arguments ...
    state                = "Enabled"
    email_account_admins = "Enabled"
    email_addresses      = ListOfEmailAddresses   # list of notification recipients
    # ...
  }
  # ...
}
From Command Line
Run
az sql db threat-policy update --resource-group RESOURCEGROUP --server SERVERNAME --name SQLDATABASENAME --state Enabled --email-addresses EMAILADDRESSES --email-account-admins Enabled
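The GSL logic above can be applied offline to policy documents exported with `az sql db threat-policy show -o json`, and the CLI remediation line can be generated for every database that fails. The following is an added example (not CloudGuard's or Microsoft's code); the policy documents, server and database names, resource group and recipient address are all constructed. It accepts both the string form ("Enabled"/"Disabled") and the boolean form of emailAccountAdmins, since different API versions return different types.

```python
"""Evaluate CloudGuard rule D9.AZU.MON.03 against Azure SQL threat-detection
policy documents and emit the remediation command for non-compliant databases.
Added example; sample data below is constructed, not real CLI output."""
from typing import Any


def _is_enabled(value: Any) -> bool:
    # Older API versions return "Enabled"/"Disabled" strings, newer ones return
    # a boolean for emailAccountAdmins. Missing or unknown values count as disabled.
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "enabled"


def evaluate_policy(policy: dict) -> list[str]:
    """Return the failed conditions of the GSL rule; an empty list means compliant."""
    failures = []
    if not _is_enabled(policy.get("state")):
        failures.append("threatDetection.state is not 'Enabled'")
    if not _is_enabled(policy.get("emailAccountAdmins")):
        failures.append("threatDetection.emailToAccountAdmins is not 'Enabled'")
    return failures


def audit(policies: dict[str, dict]) -> dict[str, list[str]]:
    """Map each 'server/database' key to its list of rule failures."""
    return {name: evaluate_policy(p) for name, p in policies.items()}


def remediation_command(resource_group: str, server: str, database: str,
                        emails: list[str]) -> str:
    """Build the `az sql db threat-policy update` call from the remediation section."""
    return (
        f"az sql db threat-policy update --resource-group {resource_group} "
        f"--server {server} --name {database} --state Enabled "
        f"--email-addresses {' '.join(emails)} --email-account-admins Enabled"
    )


# Constructed sample policies keyed by "server/database" (hypothetical names).
SAMPLE_POLICIES = {
    "sql-prod-01/orders":  {"state": "Enabled",  "emailAccountAdmins": True},
    "sql-prod-01/billing": {"state": "Enabled",  "emailAccountAdmins": "Disabled"},
    "sql-dev-02/scratch":  {"state": "Disabled", "emailAccountAdmins": "Enabled"},
    "sql-dev-02/legacy":   {},  # policy never configured: both fields absent
}

if __name__ == "__main__":
    for name, failures in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'PASS' if not failures else 'FAIL: ' + '; '.join(failures)}")
        if failures:
            server, database = name.split("/")
            print("  " + remediation_command("rg-data", server, database,
                                             ["secops@example.com"]))
```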
References
- https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-configure?view=azuresql
- https://docs.microsoft.com/en-us/cli/azure/sql/db/threat-policy?view=azure-cli-latest#az-sql-db-threat-policy-update
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_database#threat_detection_policy
Azure SQL Database
Azure SQL Database is the intelligent, fully managed relational cloud database service that provides the broadest SQL Server engine compatibility, so you can migrate your SQL Server databases without changing your apps. Accelerate app development and make maintenance easy and productive using the SQL tools you love to use. Take advantage of built-in intelligence that learns app patterns and adapts to maximize performance, reliability, and data protection.
Compliance Frameworks
- Azure CIS Foundations v. 1.0.0
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure ITSG-33
- Azure NIST 800-53 Rev 5