HichemMABROUKI-6455 asked Givary-MSFT commented

Microsoft Defender for SQL not protecting azure SQL database

Hello,
I have enabled Microsoft Defender for SQL on my Azure SQL database.
I have executed some SQL requests to simulate an SQL injection attack, like:
select * from sys.databases where database_id like '' or 1=1;

The request was executed successfully and the result contains all databases.

In Security Center, there is no alert.

Does Windows Defender for SQL protect from SQL injection?

Best regards

Hichem

azure-security-center

Hello Givary,
I sent an email to AzCommunity@microsoft.com with answers

Best regards

Hichem


1 Answer

Givary-MSFT answered Givary-MSFT commented

@HichemMABROUKI-6455

Thank you for reaching out to us. As per my understanding, you are investigating alerts in Microsoft Defender for SQL for Azure SQL Database.

I would like to understand when you onboarded Azure SQL DB to Microsoft Defender for Cloud.

Do you have this option enabled for SQL DB on Defender for Cloud?

Also do you see Azure SQL DB in the inventory list ?

Let me know if you have any further questions.





@HichemMABROUKI-6455

Offline troubleshooting/update:

Not all SQL injections are detected.
So there are some SQL injection types that are detected by Defender for SQL.

When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Whether an alert is generated by Defender for Cloud, or received by Defender for Cloud from an integrated security product, you can export it.


Defender for Cloud's threat protection includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you better understand the full story of an attack campaign, where it started and what kind of impact it had on your resources. Sometimes it also takes time to reflect the alert in Microsoft Defender for Cloud.


https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#:~:text=Alerts%20for%20Windows%20machines%20%20%20%20Alert,%20%20Medium%20%2015%20more%20rows%20


Let me know if you have any further questions.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

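As an added illustration, not part of the thread above: the statement in the question, `where database_id like '' or 1=1`, was typed directly into a database session, whereas an injection is that same text arriving through an application that splices untrusted input into its query. The Python below (assumed example code, not Microsoft's or Defender's) builds the lookup both ways, vulnerable concatenation beside a parameterized query, against an in-memory SQLite table that stands in for sys.databases with constructed sample rows.

```python
import sqlite3

# Constructed stand-in for sys.databases (database_id, name).
SAMPLE_DATABASES = [(1, "master"), (2, "tempdb"), (3, "model"), (5, "sales")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE databases (database_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO databases VALUES (?, ?)", SAMPLE_DATABASES)
    return conn


def build_query_unsafe(user_input: str) -> str:
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input closes the literal and whatever follows is parsed as SQL."""
    return f"SELECT name FROM databases WHERE database_id LIKE '{user_input}'"


def lookup_unsafe(conn: sqlite3.Connection, user_input: str) -> list:
    return [row[0] for row in conn.execute(build_query_unsafe(user_input))]


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened: the value is bound as a parameter, never as SQL text, so a
    hostile string is compared literally against database_id and matches nothing."""
    sql = "SELECT name FROM databases WHERE database_id LIKE ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def demo() -> dict:
    """Run both lookups with a benign input and a hostile one (constructed).
    The hostile input reproduces the tautology from the question: it closes
    the literal, appends "or 1=1" and comments out the trailing quote."""
    conn = make_db()
    hostile = "' or 1=1 --"
    return {
        "unsafe_benign": lookup_unsafe(conn, "1"),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, "1"),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    print(build_query_unsafe("' or 1=1 --"))
    print(demo())
```

The unsafe path returns every row for the hostile input, exactly what the question observed, while the parameterized path returns nothing; the statement text the server sees is identical to the one typed by hand, which is why the fix belongs in the application, with Defender alerts as a detective control rather than a substitute.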