GarryBargsley-1243 asked · tomerr commented

SqlThreatDetection_Audit on all Azure SQL Virtual Machines

I recently began seeing failures in my SQL Error logs relating to SQL Audits. We do not utilize SQL Audits in our environment so I began investigating.

I found that an audit named SqlThreatDetection_Audit was created and enabled on all of my IAAS SQL Servers. This is not a behavior I was expecting and I am trying to find the source of this change.

The first creation of the audit that I can find on my servers was on 07/01/2020. It has continued until today, as the most recent one was just added.

[attached image: 17512-image.png]

And here is the error that started the investigation.
[attached image: 17502-image.png]
My research shows this might be related to something in Azure Security Center. However, no one in our Security, Networking or Infrastructure team has enabled anything that they feel would impact or cause this Audit to be enabled.

Tags: sql-server-general, azure-security-center, azure-sql-virtual-machines
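As an added check that is not part of the thread (it is not Microsoft's or the poster's code), the following T-SQL, run on one SQL Server instance, lists every server audit with its creation date, destination, runtime status and the action groups its specification captures, so an audit you did not create (the thread's SqlThreatDetection_Audit) can be identified and dated, and then pulls the recent error-log lines that mention audits. It assumes a login that may read server audit metadata and the error log; the name filter in the second query is taken from the thread and the `'audit'` search string is a constructed example.

```sql
-- Added example: inventory of server audits on the current instance.
-- Newest audits first, so one that appeared unexpectedly stands out.
SELECT
    a.name              AS audit_name,
    a.create_date,
    a.modify_date,
    a.type_desc         AS destination,        -- FILE, SECURITY_LOG or APPLICATION_LOG
    a.on_failure_desc,                          -- what happens to the workload when the audit cannot write
    a.is_state_enabled  AS audit_enabled,
    s.status_desc       AS runtime_status,     -- STARTED / RUNTIME_FAILED / TARGET_CREATION_FAILED ...
    s.status_time,
    s.audit_file_path,
    s.audit_file_size,
    sp.name             AS specification_name,
    sp.is_state_enabled AS specification_enabled
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s
    ON s.audit_id = a.audit_id
LEFT JOIN sys.server_audit_specifications AS sp
    ON sp.audit_guid = a.audit_guid
ORDER BY a.create_date DESC;

-- What the unexpected audit actually records: the action groups bound to its
-- server audit specification. The name below is the one reported in the thread.
SELECT
    a.name               AS audit_name,
    sp.name              AS specification_name,
    d.audit_action_name,                        -- e.g. FAILED_LOGIN_GROUP, SUCCESSFUL_LOGIN_GROUP
    d.audited_result                            -- SUCCESS, FAILURE or SUCCESS AND FAILURE
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS sp
    ON sp.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details AS d
    ON d.server_specification_id = sp.server_specification_id
WHERE a.name = N'SqlThreatDetection_Audit'
ORDER BY d.audit_action_name;

-- The error-log entries that started the investigation: read the current
-- SQL Server error log (log 0, type 1 = SQL Server, not Agent) and keep only
-- lines containing 'audit' (constructed search string).
EXEC master.dbo.xp_readerrorlog 0, 1, N'audit';
```

Running the first query against each registered server from a Central Management Server gives the per-instance inventory the thread is missing (75 servers with the audit versus 5 shown in the portal); a `status_desc` other than `STARTED` together with an `on_failure_desc` of `SHUTDOWN` or `FAIL_OPERATION` is the combination that turns an audit-target problem into a workload problem, which is why an audit nobody asked for deserves attention beyond the log noise.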
Cathyji-msft answered

Hi GarryBargsley-1243,

You can set ‘Threat detection’ to OFF on SQL Servers. SQL Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.

Best regards,
Cathy

GarryBargsley-1243 answered

I do not see this option in the Azure Portal for my IAAS SQL Servers. So I am still not clear on how this is getting enabled on my Azure VMs running SQL. I do have the SQLIaasExtension enabled and all servers registered under the Azure SQL category.

However, I need to see where to turn this off on my Azure VMs since I keep getting errors.

tomerr answered · Cathyji-msft edited

This is enabled from the Azure Security Center blade, Pricing Tier:

[attached image: 18810-image.png]

For the errors, they will disappear when you restart your SQL servers.

Thank you very much for your reply. I am so glad to hear that you have resolved your issue. In order to close this thread, please kindly mark helpful replies or your own reply as answers. By doing so, it will benefit all community members who are having a similar issue. Your contribution is highly appreciated.

tomerr answered

@Cathyji-msft , I am from MS responding to the customer.

GarryBargsley-1243 answered · tomerr commented

Thanks for pointing me to the Security Center. However, only two of my subscriptions have the Standard Tier pricing and the "SQL servers on machines" option enabled, and they show 5 servers. The other subscription has the setting disabled.

But I have 75 servers with this audit enabled.


The Pricing settings page does its best to show all eligible servers. However, it is sometimes difficult, as it depends on the SQL Server installation, etc. We will improve the experience soon.
As a mitigation, you can view the status of all the machines connected to your Log Analytics workspace by going to Logs -> "SQL Advanced Threat Protection" -> SqlAtpStatus.


[attached image: 105521-screenshot-2021-06-14-190147.png]

JamesHamil-MSFT answered

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.
