Introduction to Microsoft Defender for SQL
Microsoft Defender for SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud's data security package to secure your databases and their data wherever they're located. Microsoft Defender for SQL includes functionalities for discovering and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your databases.
Release state:
- Microsoft Defender for Azure SQL database servers - Generally available (GA)
- Microsoft Defender for SQL servers on machines - Generally available (GA)

Pricing:
- The two plans that form Microsoft Defender for SQL are billed as shown on the pricing page

Protected SQL versions:
- SQL on Azure virtual machines
- SQL Server on Azure Arc-enabled servers
- On-premises SQL servers on Windows machines without Azure Arc
- Azure SQL single databases and elastic pools
- Azure SQL Managed Instance
- Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool
- Azure China 21Vianet (Partial: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.)
What does Microsoft Defender for SQL protect?
Microsoft Defender for SQL comprises two separate Microsoft Defender plans:
Microsoft Defender for Azure SQL database servers protects:
Microsoft Defender for SQL servers on machines extends the protections for your Azure-native SQL Servers to fully support hybrid environments and protect SQL servers (all supported versions) hosted in Azure, other cloud environments, and even on-premises machines:
When you enable either of these plans, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.
Microsoft Defender for SQL database currently works for read-write replicas only.
What are the benefits of Microsoft Defender for SQL?
These two plans include functionality for identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.
A vulnerability assessment service discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state, and details of any security findings.
- Learn more about vulnerability assessment for Azure SQL Database.
- Learn more about vulnerability assessment for Azure SQL servers on machines.
An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about advanced threat protection.
View the list of security alerts for SQL servers in the alerts reference page.
Is there a performance impact from deploying Microsoft Defender for SQL on machines?
The focus of Microsoft Defender for SQL on machines is obviously security. But we also care about your business and so we've prioritized performance to ensure the minimal impact on your SQL servers.
The service has a split architecture to balance data uploading and speed with performance:
- Some of our detectors, including an extended events trace named SQLAdvancedThreatProtectionTraffic, run on the machine for real-time speed advantages.
- Other detectors run in the cloud to spare the machine from heavy computational loads.
Lab tests of our solution, comparing it against benchmark loads, showed CPU usage averaging 3% for peak slices. An analysis of the telemetry for our current users shows a negligible impact on CPU and memory usage.
Of course, performance always varies between environments, machines, and loads. The statements and numbers above are provided as a general guideline, not a guarantee for any individual deployment.
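Because part of the detection runs on the machine itself as the extended events trace named above, an operator can confirm that the trace is actually present and running on a given SQL Server instance. The following T-SQL query is an added example, not Microsoft's code or part of the product: it joins the running extended events sessions (sys.dm_xe_sessions) with the persisted session definitions (sys.server_event_sessions) and reports the state of the session named SQLAdvancedThreatProtectionTraffic. It assumes a SQL Server instance on a machine (the session catalog view is server-scoped; Azure SQL Database uses database-scoped views instead) and requires VIEW SERVER STATE permission.

```sql
-- Added example (not Microsoft's code): report whether the on-machine
-- Defender for SQL extended events trace is defined and running.
-- Session name taken from the article; assumes SQL Server on a machine.
SELECT
    COALESCE(r.name, s.name)                                          AS session_name,
    CASE WHEN r.name IS NULL THEN 'not running' ELSE 'running' END    AS run_state,
    CASE WHEN s.name IS NULL THEN 'not persisted' ELSE 'persisted' END AS definition,
    r.create_time                                                     AS running_since
FROM sys.dm_xe_sessions AS r                 -- sessions currently running
FULL OUTER JOIN sys.server_event_sessions AS s   -- sessions defined on the server
    ON s.name = r.name
WHERE COALESCE(r.name, s.name) = N'SQLAdvancedThreatProtectionTraffic';
```

An empty result set means the trace is neither defined nor running on that instance, which is worth checking after onboarding a server to the plan or after a SQL Server restart. The FULL OUTER JOIN is deliberate: it still returns a row if the session exists only at runtime (not persisted) or only as a stored definition (not started).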
What kind of alerts does Microsoft Defender for SQL provide?
Threat intelligence enriched security alerts are triggered when there's:
- Potential SQL injection attacks - including vulnerabilities detected when applications generate a faulty SQL statement in the database
- Anomalous database access and query patterns - for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
- Suspicious database activity - for example, a legitimate user accessing a SQL Server from a breached computer that communicated with a crypto-mining C&C server
Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.
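The brute-force pattern in the list above (many failed sign-in attempts using different credentials from one source) is the kind of logic a defender can also run against their own audit data, for example when triaging an alert or building a supplementary detection in a SIEM. The T-SQL below is an added example, not Microsoft's code and not how the product implements its detector: it builds a small table of constructed failed-login rows (the IP addresses, login names and timestamps are invented for the example) and flags any source that exceeds both a failure-count threshold and a distinct-credential threshold inside a time window. Error number 18456 is the SQL Server "login failed" error.

```sql
-- Added example (not part of the product): brute-force sign-in pattern as a
-- query over constructed sample rows. In practice the rows would come from
-- the SQL audit log (e.g. sys.fn_get_audit_file) or your SIEM.
DECLARE @FailedLogins TABLE (
    event_time   DATETIME2(0)  NOT NULL,
    client_ip    VARCHAR(45)   NOT NULL,
    login_name   NVARCHAR(128) NOT NULL,
    error_number INT           NOT NULL   -- 18456 = login failed
);

-- Constructed sample data: one source cycling through six different logins
-- within seconds, and one ordinary user mistyping a password twice.
INSERT INTO @FailedLogins (event_time, client_ip, login_name, error_number) VALUES
    ('2024-01-15T09:00:01', '203.0.113.10', N'sa',        18456),
    ('2024-01-15T09:00:02', '203.0.113.10', N'admin',     18456),
    ('2024-01-15T09:00:02', '203.0.113.10', N'sqladmin',  18456),
    ('2024-01-15T09:00:03', '203.0.113.10', N'backup',    18456),
    ('2024-01-15T09:00:04', '203.0.113.10', N'reporting', 18456),
    ('2024-01-15T09:00:05', '203.0.113.10', N'svc_app',   18456),
    ('2024-01-15T09:10:00', '198.51.100.7', N'alice',     18456),
    ('2024-01-15T09:10:20', '198.51.100.7', N'alice',     18456);

-- Tuning knobs (hypothetical values chosen for the example).
DECLARE @WindowMinutes          INT = 5;   -- length of the observation window
DECLARE @FailureThreshold       INT = 5;   -- failed attempts per source in the window
DECLARE @DistinctLoginThreshold INT = 3;   -- different credentials tried per source

-- Use each source's first failure as the start of its window, then flag sources
-- that produced many failures against several different logins in that window.
WITH FirstSeen AS (
    SELECT client_ip, MIN(event_time) AS window_start
    FROM @FailedLogins
    WHERE error_number = 18456
    GROUP BY client_ip
)
SELECT
    f.client_ip,
    fs.window_start,
    COUNT(*)                     AS failed_attempts,
    COUNT(DISTINCT f.login_name) AS distinct_logins_tried,
    STRING_AGG(f.login_name, ', ') WITHIN GROUP (ORDER BY f.login_name) AS logins_tried
FROM @FailedLogins AS f
JOIN FirstSeen AS fs
    ON fs.client_ip = f.client_ip
WHERE f.error_number = 18456
  AND f.event_time < DATEADD(MINUTE, @WindowMinutes, fs.window_start)
GROUP BY f.client_ip, fs.window_start
HAVING COUNT(*) >= @FailureThreshold
   AND COUNT(DISTINCT f.login_name) >= @DistinctLoginThreshold;
```

With the sample rows, only 203.0.113.10 is flagged; the two failures from 198.51.100.7 against a single login stay below both thresholds, which is the point of requiring distinct credentials as well as a raw failure count. STRING_AGG requires SQL Server 2017 or later; on older versions drop that column.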
In this article, you learned about Microsoft Defender for SQL. To use the services that have been described:
- Use Microsoft Defender for SQL servers on machines to scan your SQL servers for vulnerabilities
- For a presentation of Microsoft Defender for SQL, see how Microsoft Defender for SQL can protect SQL servers anywhere