SQL Database Threat Detection

SQL Threat Detection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.


SQL Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Users can explore the suspicious events using SQL Database Auditing to determine if they result from an attempt to access, breach, or exploit data in the database. Threat Detection makes it simple to address potential threats to the database without the need to be a security expert or manage advanced security monitoring systems.

For example, SQL injection is one of the common Web application security issues on the Internet, used to attack data-driven applications. Attackers take advantage of application vulnerabilities to inject malicious SQL statements into application entry fields, breaching or modifying data in the database.

SQL Threat Detection integrates alerts with Azure Security Center. Each protected SQL Database server is billed at the same price as the Azure Security Center Standard tier, at $15/node/month, where each protected SQL Database server is counted as one node.

Set up threat detection for your database in the Azure portal

  1. Launch the Azure portal at https://portal.azure.com.
  2. Navigate to the configuration page of the SQL Database you want to monitor. In the Settings page, select Auditing & Threat Detection.
  3. In the Auditing & Threat Detection configuration page, turn ON Auditing, which displays the threat detection settings.

  4. Turn ON Threat detection.
  5. Configure the list of emails to receive security alerts upon detection of anomalous database activities.
  6. Click Save in the Auditing & Threat detection page to save the new or updated auditing and threat detection settings.

Set up threat detection using PowerShell

For a script example, see Configure auditing and threat detection using PowerShell.

Explore anomalous database activities upon detection of a suspicious event

  1. You receive an email notification upon detection of anomalous database activities.
    The email provides information on the suspicious security event including the nature of the anomalous activities, database name, server name, application name, and the event time. In addition, the email provides information on possible causes and recommended actions to investigate and mitigate the potential threat to the database.

  2. The email alert includes a direct link to the SQL Audit log. Clicking on this link launches the Azure portal and opens the SQL Audit records around the time of the suspicious event. Click on an audit record to view more information on the suspicious database activities, making it easier to find the SQL statements that were executed (who accessed, what they did and when) and determine if the event was legitimate or malicious (e.g. application vulnerability to SQL injection was exploited, someone breached sensitive data, etc.).
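
The triage described in step 2, sketched as an added example (not part of the original page or of any Azure tooling): it keeps the audit records around the alert time and tags statements that carry common injection markers. The records are constructed, and their field names, the regular expressions, and the `triage` and `summarize` helpers are assumptions for illustration, not the SQL Audit log schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit records; the field names are assumptions for this
# example, not the actual SQL Audit log schema.
AUDIT_RECORDS = [
    {"event_time": "2017-05-04T10:01:12", "principal": "app_user", "client_ip": "203.0.113.7",
     "application": "webshop", "statement": "SELECT name FROM products WHERE id = 42"},
    {"event_time": "2017-05-04T10:03:40", "principal": "app_user", "client_ip": "198.51.100.23",
     "application": "webshop", "statement": "SELECT * FROM users WHERE name = '' OR '1'='1'"},
    {"event_time": "2017-05-04T10:03:55", "principal": "app_user", "client_ip": "198.51.100.23",
     "application": "webshop",
     "statement": "SELECT name FROM products WHERE id = 1 UNION SELECT password FROM users--"},
    {"event_time": "2017-05-04T09:20:00", "principal": "report_user", "client_ip": "203.0.113.9",
     "application": "reports", "statement": "SELECT COUNT(*) FROM orders"},
]

# Heuristic markers often left by injected input (illustrative, not exhaustive).
SUSPICIOUS = {
    "tautology": re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
    "stacked_statement": re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|EXEC)\b", re.I),
}

def triage(records, alert_time, window_minutes=10):
    """Return records within +/- window of the alert, oldest first, with matched markers."""
    center = datetime.fromisoformat(alert_time)
    span = timedelta(minutes=window_minutes)
    hits = []
    for rec in records:
        when = datetime.fromisoformat(rec["event_time"])
        if abs(when - center) > span:
            continue  # outside the time window around the suspicious event
        flags = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(rec["statement"]))
        hits.append({**rec, "flags": flags})
    return sorted(hits, key=lambda r: r["event_time"])

def summarize(hits):
    """Group flagged statements by (principal, client_ip): who accessed, what, and when."""
    summary = {}
    for rec in hits:
        if rec["flags"]:
            key = (rec["principal"], rec["client_ip"])
            summary.setdefault(key, []).append((rec["event_time"], rec["flags"]))
    return summary

if __name__ == "__main__":
    for who, events in summarize(triage(AUDIT_RECORDS, "2017-05-04T10:04:00")).items():
        print(who, events)
```

A marker match only ranks a record for review; whether the event was legitimate or malicious still has to be decided from the full audit record.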

Explore threat detection alerts for your database in the Azure portal

SQL Database Threat Detection integrates its alerts with Azure Security Center. A live SQL security tile within the database page in the Azure portal tracks the status of active threats.

  1. Clicking on the SQL security tile launches the Azure Security Center alerts page and provides an overview of active SQL threats detected on the database.

  2. Clicking on a specific alert provides additional details and actions for investigating this threat and remediating future threats.

Next steps