Configure Azure Defender for SQL Server on Azure Arc-enabled servers

You can enable Azure Defender for your SQL Server instances on-premises by following these steps.

Prerequisites

Create a Log Analytics workspace

  1. Search for the Log Analytics workspaces resource type and add a new one through the creation blade.

    Create new workspace

    Note

    You can use a Log Analytics workspace in any region, so if you already have one, you can use it. However, we recommend creating it in the same region where your Server - Azure Arc resource is created.

  2. Go to the overview page of the Log Analytics workspace resource and select Windows, Linux, and other sources. Copy the workspace ID and primary key for later use.

    Log analytics workspace blade

Install Microsoft Monitoring Agent (MMA)

The next step is needed only if you have not yet configured MMA on the remote machine.

  1. Select the Server - Azure Arc resource for the virtual or physical server where the SQL Server instance is installed and add the extension Microsoft Monitoring Agent - Azure Arc using the Extensions feature. When asked to configure the Log Analytics workspace, use the workspace ID and primary key you saved in the previous step.

    Install MMA

  2. After validation succeeds, click Create to start the MMA Arc Extension deployment workflow. When the deployment completes, the status updates to Succeeded.

  3. For more information, see Extension management with Azure Arc.
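The workspace and MMA steps above can also be scripted with the Azure CLI. The following is an added example, not part of the original procedure; it assumes you are signed in with `az login`, the `connectedmachine` CLI extension is installed, and the workspace name `arc-sql-defender-ws` is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the workspace and MMA portal steps.
# Usage: sh onboard-mma.sh <resource-group> <arc-machine-name> <region>
# WORKSPACE_NAME is a hypothetical placeholder; override it in the environment.
set -eu
WORKSPACE_NAME="${WORKSPACE_NAME:-arc-sql-defender-ws}"

# The workspace ID is a GUID; reject anything else before it reaches the agent config.
is_workspace_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Public extension settings carry only the workspace ID.
mma_settings() {
  is_workspace_id "$1" || { echo "invalid workspace ID" >&2; return 1; }
  printf '{"workspaceId":"%s"}' "$1"
}

# The primary key is a secret, so it goes in the protected settings.
# It is base64 text, so it needs no JSON escaping.
mma_protected_settings() {
  [ -n "$1" ] || { echo "empty workspace key" >&2; return 1; }
  printf '{"workspaceKey":"%s"}' "$1"
}

onboard() {
  rg="$1"; machine="$2"; region="$3"
  # Workspace in the same region as the Server - Azure Arc resource, as recommended.
  az monitor log-analytics workspace create \
    --resource-group "$rg" --workspace-name "$WORKSPACE_NAME" --location "$region" >/dev/null
  ws_id=$(az monitor log-analytics workspace show \
    --resource-group "$rg" --workspace-name "$WORKSPACE_NAME" --query customerId -o tsv)
  ws_key=$(az monitor log-analytics workspace get-shared-keys \
    --resource-group "$rg" --workspace-name "$WORKSPACE_NAME" --query primarySharedKey -o tsv)
  settings=$(mma_settings "$ws_id")
  protected=$(mma_protected_settings "$ws_key")
  # Deploy the MMA extension to the Arc-enabled server; the command waits for completion.
  az connectedmachine extension create \
    --resource-group "$rg" --machine-name "$machine" --location "$region" \
    --name MicrosoftMonitoringAgent --type MicrosoftMonitoringAgent \
    --publisher Microsoft.EnterpriseCloud.Monitoring \
    --settings "$settings" --protected-settings "$protected"
}

# Run only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then onboard "$@"; fi
```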

Enable Azure Defender

Next, you need to enable Azure Defender for the SQL Server instance.

  1. Go to Security Center and open the Pricing & settings page from the sidebar.

  2. Select the workspace that you have configured for the MMA extension in the previous step.

  3. Select Azure Defender On. Make sure the option for SQL servers on machines is turned on.

    Upgrade workspace

Note

The first scan to generate the vulnerability assessment happens within 24 hours after enabling Azure Defender for SQL. After that, auto scans are performed every week on Sunday.

Explore

Explore security anomalies and threats in Azure Security Center.

  1. Open your SQL Server – Azure Arc resource and select Security in the left menu to see the recommendations and alerts for that instance.

    Select security heading

  2. Click on any of the recommendations to see the vulnerability details in Security Center.

    Vulnerability report

  3. Click on any security alert for full details and further explore the attack in Azure Sentinel. The following diagram is an example of the brute force alert.

    Brute force alert

  4. Click on Take action to mitigate the alert.

    Alert mitigation

Note

The general Security Center link at the top of the page does not use the preview portal URL, so your SQL Server - Azure Arc resources are not visible there. Follow the links for the individual recommendations or alerts.
