Ensure SQL Database Threat Detection is Enabled and that Email to Account Admins is also Enabled

Azure SQL Database Threat Detection is a security intelligence feature built into the Azure SQL Database service. Working around the clock to learn, profile and detect anomalous database activities, Azure SQL Database Threat Detection identifies potential threats to the database. Security officers or other designated administrators can get an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.

Risk Level: Low
Cloud Entity: Azure SQL Database
CloudGuard Rule ID: D9.AZU.MON.03
Covered by Spectral: Yes
Category: Database

GSL LOGIC

SQLDB should have threatDetection.state='Enabled' and threatDetection.emailToAccountAdmins='Enabled'

REMEDIATION

From Portal

  1. Go to 'SQL Databases' from Azure Management console and choose your SQL DB
  2. Under 'Security', select 'Microsoft Defender for Cloud' on the navigation menu
  3. Click on 'Microsoft Defender for SQL' button
  4. Now click on 'Configure' under 'Microsoft Defender for SQL' Heading
  5. Under 'ADVANCED THREAT PROTECTION SETTINGS', select 'Add your contact details to the subscription's email settings in Defender for Cloud'
  6. Provide the list of emails to receive notifications upon detection of anomalous database activities in the 'Additional email addresses (separated by commas)' text box
  7. Click Save.
From TF

Set the arguments under 'threat_detection_policy' as below:

resource "azurerm_sql_database" "example" {
  ..
  threat_detection_policy {
    ..
    # Turn the threat detection policy on for this database
    state = "Enabled"
    # Send alerts to the subscription's account administrators
    email_account_admins = "Enabled"
    # Additional recipients, as a list of strings; EMAILADDRESS is a placeholder
    email_addresses = ["EMAILADDRESS"]
    ..
  }
  ..
}

From Command Line

Run the following, replacing the uppercase placeholders (EMAILADDRESS is one or more recipients separated by spaces):

az sql db threat-policy update --resource-group RESOURCEGROUP --server SERVERNAME --name SQLDATABASENAME --state Enabled --email-addresses EMAILADDRESS --email-account-admins Enabled
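The GSL logic above and the CLI remediation can be combined into a small offline check: feed it the policy JSON that `az sql db threat-policy show` prints for each database and it reports which databases fail rule D9.AZU.MON.03. This is an added example, not CloudGuard's or Microsoft's code. It assumes the policy dictionary uses the keys `state` and `emailAccountAdmins`, and that `emailAccountAdmins` may be either the string "Enabled"/"Disabled" or a boolean, since the representation has varied across API versions; the sample policies are constructed, not real output.

```python
"""Evaluate CloudGuard rule D9.AZU.MON.03 against Azure SQL database
threat-detection policies.

Added example, not CloudGuard's or Microsoft's code. Assumed input shape:
the dictionary printed by `az sql db threat-policy show`, where `state`
is "Enabled"/"Disabled" and `emailAccountAdmins` is either the string
"Enabled"/"Disabled" or a boolean.
"""
from __future__ import annotations

from typing import Any

RULE_ID = "D9.AZU.MON.03"


def _is_enabled(value: Any) -> bool:
    """Normalise the two representations Azure uses for an on/off setting."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "enabled"


def evaluate_threat_policy(policy: dict[str, Any]) -> list[str]:
    """Return the findings for one database's policy.

    An empty list means the database satisfies the rule:
    threatDetection.state='Enabled' and threatDetection.emailToAccountAdmins='Enabled'.
    """
    findings: list[str] = []
    if not _is_enabled(policy.get("state")):
        findings.append("threat detection state is not 'Enabled'")
    if not _is_enabled(policy.get("emailAccountAdmins")):
        findings.append("email to account admins is not 'Enabled'")
    return findings


def audit_databases(databases: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Map each non-compliant database name to its findings."""
    report: dict[str, list[str]] = {}
    for name, policy in databases.items():
        findings = evaluate_threat_policy(policy)
        if findings:
            report[name] = findings
    return report


# Constructed sample policies shaped like `az sql db threat-policy show` output
# (assumed key names; EMAILADDRESS is a placeholder recipient).
SAMPLE_POLICIES: dict[str, dict[str, Any]] = {
    "orders-db": {"state": "Enabled", "emailAccountAdmins": "Enabled",
                  "emailAddresses": ["EMAILADDRESS"], "retentionDays": 30},
    "legacy-db": {"state": "Disabled", "emailAccountAdmins": "Disabled",
                  "emailAddresses": []},
    "reports-db": {"state": "Enabled", "emailAccountAdmins": False,
                   "emailAddresses": ["EMAILADDRESS"]},
}

if __name__ == "__main__":
    # Prints one line per finding; a database with no output is compliant.
    for db_name, db_findings in audit_databases(SAMPLE_POLICIES).items():
        for finding in db_findings:
            print(f"[{RULE_ID}] {db_name}: {finding}")
```

Run it as a script to see the two non-compliant sample databases reported; in practice, replace `SAMPLE_POLICIES` with the parsed JSON collected per database by the `az` command, and treat any database with findings as a candidate for the remediation above.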

References

  1. https://docs.microsoft.com/en-us/azure/azure-sql/database/threat-detection-configure?view=azuresql
  2. https://docs.microsoft.com/en-us/cli/azure/sql/db/threat-policy?view=azure-cli-latest#az-sql-db-threat-policy-update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_database#threat_detection_policy

Azure SQL Database

Azure SQL Database is the intelligent, fully managed relational cloud database service that provides the broadest SQL Server engine compatibility, so you can migrate your SQL Server databases without changing your apps. Accelerate app development and make maintenance easy and productive using the SQL tools you love to use. Take advantage of built-in intelligence that learns app patterns and adapts to maximize performance, reliability, and data protection.

Compliance Frameworks

  • Azure CIS Foundations v. 1.0.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5