SqlThreatDetection_Audit on all Azure SQL Virtual Machines

Garry Bargsley 1 Reputation point
2020-08-13T14:04:41.373+00:00

I recently began seeing failures in my SQL Error logs relating to SQL Audits. We do not utilize SQL Audits in our environment so I began investigating.

I found that an audit named SqlThreatDetection_Audit was created and enabled on all of my IAAS SQL Servers. This is not a behavior I was expecting and I am trying to find the source of this change.

The first creation of the Audit that I find on my servers was on 07/01/2020, and it has continued until today, when the most recent one was added.

17512-image.png

And here is the error that started the investigation.
17502-image.png

My research shows this might be related to something in Azure Security Center. However, no one in our Security, Networking or Infrastructure team has enabled anything that they feel would impact or cause this Audit to be enabled.

Tags: SQL Server on Azure Virtual Machines, SQL Server, Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender)
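To establish on a given instance whether the SqlThreatDetection_Audit exists, when it was created, whether it is currently running or failed, which actions it captures, and which error-log lines belong to it, the following T-SQL can be run on each SQL Server VM. This is an added example for investigating the situation described in the question, not code from the original post or from Microsoft; it uses only the documented catalog views (sys.server_audits, sys.server_audit_specifications, sys.server_audit_specification_details), the DMV sys.dm_server_audit_status and the xp_readerrorlog procedure, and the name filter 'SqlThreatDetection%' is an assumption based on the audit name reported above.

```sql
-- 1. Definition plus live state of any audit whose name starts with SqlThreatDetection.
--    sys.server_audits is the stored definition; sys.dm_server_audit_status is the runtime state.
--    Drop the WHERE clause to inventory every server audit on the instance.
SELECT  a.name,
        a.type_desc,                -- FILE, APPLICATION_LOG or SECURITY_LOG
        a.on_failure_desc,          -- CONTINUE, SHUTDOWN SERVER INSTANCE or FAIL OPERATION
        a.is_state_enabled,
        a.create_date,              -- compare with the 07/01/2020 date seen in the question
        a.modify_date,
        p.name            AS owner_login,   -- login that owns the audit object
        s.status_desc,              -- STARTED, FAILED, ...
        s.status_time,
        s.audit_file_path
FROM    sys.server_audits            AS a
LEFT JOIN sys.server_principals      AS p ON p.principal_id = a.principal_id
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id     = a.audit_id
WHERE   a.name LIKE N'SqlThreatDetection%'
ORDER BY a.create_date;

-- 2. The server audit specification bound to that audit and the action groups it records,
--    which tells you what the audit is actually writing (e.g. logins, permission changes).
SELECT  sas.name            AS specification_name,
        sas.is_state_enabled,
        sas.create_date,
        d.audit_action_name,
        d.audited_result
FROM    sys.server_audit_specifications        AS sas
JOIN    sys.server_audits                      AS a
          ON a.audit_guid = sas.audit_guid
JOIN    sys.server_audit_specification_details AS d
          ON d.server_specification_id = sas.server_specification_id
WHERE   a.name LIKE N'SqlThreatDetection%'
ORDER BY sas.name, d.audit_action_name;

-- 3. Error-log entries that mention audits, to correlate the failures in the error log
--    with the audit's create_date/status_time from query 1.
--    Arguments: log number (0 = current log), log type (1 = SQL Server error log),
--    search string 1, search string 2 (NULL = no second filter).
EXEC master.dbo.xp_readerrorlog 0, 1, N'audit', NULL;
```

Running the first query on every VM (for example through a central management server or a multi-server query) gives the per-server timeline of when the audit appeared, which is the evidence needed to match it against the date a subscription's Security Center pricing tier was changed. If the audit reports a FAILED status with an audit_file_path that the service account cannot write to, that is the usual cause of the error-log messages the question refers to.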

7 answers

Sort by: Most helpful
  1. CathyJi-MSFT 21,096 Reputation points Microsoft Vendor
    2020-08-14T09:25:36.11+00:00

    Hi GarryBargsley-1243,

    You can set ‘Threat detection’ to OFF on SQL Servers. SQL Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.

    Best regards,
    Cathy

    2 people found this answer helpful.

  2. tomerr 11 Reputation points Microsoft Employee
    2020-08-19T18:41:53.637+00:00

    This is enabled from Azure Security Blade Pricing Tier:

    18810-image.png

    2 people found this answer helpful.

  3. Garry Bargsley 1 Reputation point
    2020-08-17T15:04:18.147+00:00

    I do not see this option in the Azure Portal for my IAAS SQL Servers. So I am still not clear on how this is getting enabled on my Azure VMs running SQL. I do have the SQLIaasExtension enabled and all servers registered under the Azure SQL category.

    However, I need to see where to turn this off on my Azure VMs since I keep getting errors.


  4. tomerr 11 Reputation points Microsoft Employee
    2020-08-20T14:46:40.657+00:00

    @CathyJi-MSFT , I am from MS responding to the customer.


  5. Garry Bargsley 1 Reputation point
    2020-08-21T14:53:44.957+00:00

    Thanks for pointing me to the Security Center. However, only two of my subscriptions have the Standard Tier pricing and the SQL servers on machines option enabled, and they show 5 servers. The other subscription has the setting disabled.

    But I have 75 servers with this audit enabled.