Enable Microsoft Defender for SQL servers on machines

This Microsoft Defender plan detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

You'll see alerts for suspicious database activities, potential vulnerabilities, SQL injection attacks, and anomalous database access and query patterns.

Availability

Release state: General availability (GA)
Pricing: Microsoft Defender for SQL servers on machines is billed as shown on the pricing page
Protected SQL versions: SQL Server (versions currently supported by Microsoft)
Clouds: Commercial clouds, Azure Government, Azure China 21Vianet

Set up Microsoft Defender for SQL servers on machines

To enable this plan:

  1. Install the agent extension
  2. Provision the Log Analytics agent on your SQL server's host
  3. Enable the optional plan in Defender for Cloud's environment settings page

Step 1. Install the agent extension

Step 2. Provision the Log Analytics agent on your SQL server's host:

  • SQL Server on Azure VM - If your SQL machine is hosted on an Azure VM, you can enable auto provisioning of the Log Analytics agent. Alternatively, you can follow the manual procedure described in Onboard your Azure Stack Hub VMs.

  • SQL Server on Azure Arc-enabled servers - If your SQL Server is managed by Azure Arc enabled servers, you can deploy the Log Analytics agent using the Defender for Cloud recommendation “Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)”.

  • SQL Server on-prem - If your SQL Server is hosted on an on-premises Windows machine without Azure Arc, you have two options for connecting it to Azure:

    • Deploy Azure Arc - You can connect any Windows machine to Defender for Cloud, but Azure Arc provides deeper integration across your Azure environment. If you set up Azure Arc, the SQL Server – Azure Arc page appears in the portal and your security alerts are shown on a dedicated Security tab on that page. The recommended option is therefore to set up Azure Arc on the host and follow the instructions for SQL Server on Azure Arc-enabled servers, above.

    • Connect the Windows machine without Azure Arc - If you choose to connect a SQL Server running on a Windows machine without using Azure Arc, follow the instructions in Connect Windows machines to Azure Monitor.

Step 3. Enable the optional plan in Defender for Cloud's environment settings page:

  1. From Defender for Cloud's menu, open the Environment settings page.

    • If you're using Microsoft Defender for Cloud's default workspace (named “defaultworkspace-[your subscription ID]-[region]”), select the relevant subscription.

    • If you're using a non-default workspace, select the relevant workspace (enter the workspace's name in the filter if necessary).

  2. Set the option for Microsoft Defender for SQL servers on machines plan to on.


    The plan will be enabled on all SQL servers connected to the selected workspace. The protection will be fully active after the first restart of the SQL Server instance.

    Tip

    To create a new workspace, follow the instructions in Create a Log Analytics workspace.

  3. Optionally, configure email notification for security alerts.

    You can set a list of recipients to receive an email notification when Defender for Cloud alerts are generated. The email contains a direct link to the alert in Microsoft Defender for Cloud with all the relevant details. For more information, see Set up email notifications for security alerts.
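The same provisioning and enablement steps carried out from PowerShell with the Az modules (Az.Accounts, Az.Compute, Az.ConnectedMachine, Az.OperationalInsights, Az.Security). This is an added example and not code from the Microsoft documentation; the subscription ID, resource group, workspace and machine names are placeholders. It covers the Azure VM and Azure Arc cases of Step 2 and enables the plan at subscription level, which is the path for the default workspace; for a non-default workspace, Step 3 in the portal still applies.

```powershell
# Added example (not from the Microsoft docs page): Steps 2 and 3 from PowerShell.
# All resource names below are placeholders; replace them with your own.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-sql-prod"                            # placeholder
$Workspace      = "law-defender-prod"                      # placeholder Log Analytics workspace
$VmName         = "sqlvm01"                                # placeholder Azure VM running SQL Server
$ArcMachine     = "sql-onprem-01"                          # placeholder Azure Arc-enabled server

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# The agent needs the workspace ID and a shared key. Read both from the workspace
# at run time instead of pasting the key into the script.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace
$key = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup -Name $Workspace).PrimarySharedKey
$settings          = @{ workspaceId  = $ws.CustomerId.ToString() }
$protectedSettings = @{ workspaceKey = $key }   # goes into protected settings, never into plain settings

# Step 2, Azure VM: install the Log Analytics (Microsoft Monitoring Agent) VM extension.
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name "MicrosoftMonitoringAgent" `
    -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType "MicrosoftMonitoringAgent" `
    -TypeHandlerVersion "1.0" `
    -Settings $settings -ProtectedSettings $protectedSettings

# Step 2, Azure Arc-enabled server: same agent, deployed through the Arc extension API.
$arc = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $ArcMachine
New-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $ArcMachine `
    -Name "MicrosoftMonitoringAgent" -Location $arc.Location `
    -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType "MicrosoftMonitoringAgent" `
    -Setting $settings -ProtectedSetting $protectedSettings

# Step 3: enable the plan for the subscription. "SqlServerVirtualMachines" is the
# pricing name Defender for Cloud uses for "SQL servers on machines".
Set-AzSecurityPricing -Name "SqlServerVirtualMachines" -PricingTier "Standard"

# Confirm the plan is on. Protection on each host becomes fully active only after
# the SQL Server instance on that host has been restarted once.
Get-AzSecurityPricing -Name "SqlServerVirtualMachines" | Select-Object Name, PricingTier
```

Run this from an account that has Contributor on the resource group and Security Admin on the subscription. The workspace key is read into a protected setting so it is not stored in the extension's visible configuration; rotate it afterwards if the script ran from a shared host.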

Microsoft Defender for SQL alerts

Alerts are raised for unusual and potentially harmful attempts to access or exploit SQL Server instances on the protected machines. The full list of alerts this plan can raise is in the alerts reference page.

Explore and investigate security alerts

Microsoft Defender for SQL alerts are available in Defender for Cloud's alerts page, the machine's security page, the workload protections dashboard, or through the direct link in the alert emails.

  1. To view alerts, select Security alerts from Defender for Cloud's menu and select an alert.

  2. Alerts are designed to be self-contained, with detailed remediation steps and investigation information in each one. You can investigate further by using other Microsoft Defender for Cloud and Microsoft Sentinel capabilities for a broader view:

    • Enable SQL Server Audit for further investigation. Audit events written to the Windows Security log are collected with the host's other Security events, so if you're a Microsoft Sentinel user they arrive in Sentinel alongside the alert and give you a full timeline of logins, permission changes and queries on the instance. Learn more about SQL Server Auditing.
    • To improve your security posture, apply Defender for Cloud's recommendations for the host machine indicated in each alert. This reduces the risk of future attacks.

    Learn more about managing and responding to alerts.
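Turning on SQL Server Audit so that the login and permission-change events an investigation needs land in the Windows Security log, run on the SQL Server host as an administrator. This is an added example, not code from the Microsoft documentation; the audit and specification names are placeholders and it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed.

```powershell
# Added example (not from the Microsoft docs page): SQL Server Audit to the Windows Security log.
$Instance = "localhost"   # placeholder: server\instance to configure

# 1. Windows prerequisites. SQL Server can only write to the Security log when the
#    "Application Generated" audit subcategory is enabled and the SQL Server service
#    account holds the "Generate security audits" right (SeAuditPrivilege). Grant the
#    right through Local Security Policy or Group Policy (User Rights Assignment);
#    the subcategory can be switched on here:
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable

# 2. Create the audit and an audit specification for the action groups an investigator
#    most often needs. ON_FAILURE = CONTINUE keeps the instance up if the log is
#    unavailable; use SHUTDOWN only where losing audit records is worse than downtime.
$tsql = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'DefenderInvestigationAudit')
    CREATE SERVER AUDIT [DefenderInvestigationAudit]
        TO SECURITY_LOG
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'DefenderInvestigationAuditSpec')
    CREATE SERVER AUDIT SPECIFICATION [DefenderInvestigationAuditSpec]
        FOR SERVER AUDIT [DefenderInvestigationAudit]
        ADD (FAILED_LOGIN_GROUP),
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (SERVER_PERMISSION_CHANGE_GROUP),
        ADD (DATABASE_PERMISSION_CHANGE_GROUP)
        WITH (STATE = ON);

ALTER SERVER AUDIT [DefenderInvestigationAudit] WITH (STATE = ON);
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $tsql

# 3. Verify the audit is running and that events reach the Security log.
#    SQL Server audit records appear there as event ID 33205.
Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT name, status_desc FROM sys.dm_server_audit_status;"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 33205 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

If the ALTER SERVER AUDIT step fails with an error about the Security log, the service account is missing SeAuditPrivilege or the subcategory is still disabled; fix that first rather than switching the target to a file, since only Security-log events are picked up by the Windows Security events connector used with Sentinel.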

FAQ - Microsoft Defender for SQL servers on machines

If I enable this Microsoft Defender plan on my subscription, are all SQL servers on the subscription protected?

No. To defend a SQL Server deployment on an Azure virtual machine, or a SQL Server running on an Azure Arc-enabled machine, Defender for Cloud requires the following:

  • a Log Analytics agent on the machine
  • the relevant Log Analytics workspace to have the Microsoft Defender for SQL solution enabled

The subscription status, shown in the SQL server page in the Azure portal, reflects the default workspace status and applies to all connected machines. Only the SQL servers on hosts with a Log Analytics agent reporting to that workspace are protected by Defender for Cloud.
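A coverage check for the condition described above: which hosts actually have a Log Analytics agent reporting to the workspace, compared with the SQL hosts you expect to be protected. This is an added example and not code from the Microsoft documentation; the resource group, workspace and host names are placeholders, and it assumes the Az.OperationalInsights and Az.Security modules.

```powershell
# Added example (not from the Microsoft docs page): find SQL hosts the plan is NOT covering.
$ResourceGroup    = "rg-sql-prod"                      # placeholder
$Workspace        = "law-defender-prod"                # placeholder
$ExpectedSqlHosts = @("sqlvm01", "sql-onprem-01")      # placeholder: hosts you believe are protected

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace

# Every machine whose agent reports to this workspace sends a Heartbeat record.
# A host that has not heartbeated recently is not protected, whatever the plan status says.
$query = @"
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastSeen = max(TimeGenerated) by Computer, ResourceType, Category
"@
$result    = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query
# Heartbeat reports the FQDN; compare on the short host name, case-insensitively.
$reporting = $result.Results | ForEach-Object { ($_.Computer -split '\.')[0] }

$missing = $ExpectedSqlHosts | Where-Object { $reporting -notcontains $_ }
if ($missing) {
    Write-Warning ("No agent heartbeat in the last hour from: " + ($missing -join ', '))
} else {
    Write-Host "All expected SQL hosts are reporting to $Workspace"
}

# The subscription-level status in the portal reflects the default workspace.
# Confirm that the workspace the agents report to is the one the plan is bound to.
Get-AzSecurityWorkspaceSetting | Select-Object Name, WorkspaceId
$ws.ResourceId
```

If the WorkspaceId printed by Get-AzSecurityWorkspaceSetting is a different workspace from $ws.ResourceId, the plan status you see on the SQL server page does not describe these hosts; either point the agents at the default workspace or enable the plan on the workspace they use, as in Step 3.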

Next steps

For related material, see the following article: