Introduction to Azure Defender for SQL
Azure Defender for SQL includes two Azure Defender plans that extend Azure Security Center's data security package to secure your databases and their data wherever they're located.
| Aspect | Details |
|---|---|
| Release state: | Azure Defender for Azure SQL database servers - Generally available (GA)<br>Azure Defender for SQL servers on machines - Generally available (GA) |
| Pricing: | The two plans that form Azure Defender for SQL are billed as shown on Security Center pricing |
| Protected SQL versions: | SQL on Azure virtual machines<br>Azure Arc enabled SQL servers<br>On-premises SQL servers on Windows machines without Azure Arc<br>Azure SQL single databases and elastic pools<br>Azure SQL Managed Instance<br>Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool |
| Clouds: | Commercial clouds<br>China Gov (Partial: subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.) |
What does Azure Defender for SQL protect?
Azure Defender for SQL comprises two separate Azure Defender plans:
Azure Defender for Azure SQL database servers protects:
Azure Defender for SQL servers on machines extends the protections for your Azure-native SQL Servers to fully support hybrid environments, covering SQL servers (all supported versions) hosted in Azure, in other cloud environments, and on-premises machines:
What are the benefits of Azure Defender for SQL?
These two plans include functionality for identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases:
Vulnerability assessment - The scanning service to discover, track, and help you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state, and details of any security findings.
Advanced threat protection - The detection service that continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Azure Security Center with details of the suspicious activity, guidance on how to mitigate the threats, and options for continuing your investigations with Azure Sentinel.
View the list of security alerts for SQL servers in the alerts reference page.
What kind of alerts does Azure Defender for SQL provide?
Threat-intelligence-enriched security alerts are triggered when there's:
- Potential SQL injection attacks - including vulnerabilities detected when applications generate a faulty SQL statement in the database
- Anomalous database access and query patterns - for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
- Suspicious database activity - for example, a legitimate user accessing a SQL Server from a breached computer that communicated with a crypto-mining C&C server
Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.
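The following PowerShell script is an added example and not code from the original article or from Microsoft; it ties the two capabilities above together from an administrator's session: it enables both Azure Defender for SQL plans at subscription scope, verifies the tiers actually changed, turns on Advanced Data Security (threat protection plus vulnerability assessment) for one logical server, runs an on-demand vulnerability assessment scan, and then lists the SQL-related alerts Security Center has raised. It assumes the Az.Security and Az.Sql modules and an authenticated session (Connect-AzAccount); the resource group, server and database names are placeholders, the alert filter on AlertDisplayName is a heuristic chosen here, and the scan-record property names (State, NumberOfFailedSecurityChecks) are assumed from the Az.Sql module at the time of writing.

```powershell
# Added example (not from the original page): enable Azure Defender for SQL end to end.
# Requires: Az.Security, Az.Sql, and a signed-in session via Connect-AzAccount.
$ResourceGroup = 'rg-sql-prod'   # assumed placeholder
$ServerName    = 'sql-prod-01'   # assumed placeholder (logical Azure SQL server)
$DatabaseName  = 'orders'        # assumed placeholder

# 1. Turn on both plans. 'SqlServers' is Azure Defender for Azure SQL database servers;
#    'SqlServerVirtualMachines' is Azure Defender for SQL servers on machines (VMs, Arc, on-prem).
$plans = 'SqlServers', 'SqlServerVirtualMachines'
foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
}

# 2. Check: a plan left on the Free tier gives no vulnerability assessment or threat alerts.
$notEnabled = Get-AzSecurityPricing |
    Where-Object { $_.Name -in $plans -and $_.PricingTier -ne 'Standard' }
if ($notEnabled) {
    throw "Azure Defender for SQL plan(s) still not enabled: $($notEnabled.Name -join ', ')"
}

# 3. Advanced Data Security at server level: configures threat protection and
#    vulnerability assessment for every database on the logical server. Without
#    -DoNotConfigureVulnerabilityAssessment a storage account for scan results is provisioned.
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $ResourceGroup -ServerName $ServerName | Out-Null

# 4. Vulnerability assessment: run an on-demand scan and poll until it is no longer in progress.
$scanId = "manual-$(Get-Date -Format 'yyyyMMddHHmmss')"
Start-AzSqlDatabaseVulnerabilityAssessmentScan -ResourceGroupName $ResourceGroup `
    -ServerName $ServerName -DatabaseName $DatabaseName -ScanId $scanId | Out-Null
do {
    Start-Sleep -Seconds 15
    $record = Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord -ResourceGroupName $ResourceGroup `
        -ServerName $ServerName -DatabaseName $DatabaseName -ScanId $scanId
} while ($record.State -eq 'InProgress')
# Property names below are assumed from the Az.Sql scan-record object.
"Scan $scanId finished with state '$($record.State)'; failed checks: $($record.NumberOfFailedSecurityChecks)"

# 5. Advanced threat protection output: the SQL alerts Security Center has raised in this
#    subscription. The display-name filter is a heuristic for the alert families listed above
#    (SQL injection, brute force, anomalous access); narrow it further with -Status in
#    module versions that expose it.
Get-AzSecurityAlert |
    Where-Object { $_.AlertDisplayName -match 'SQL|injection|brute' } |
    Select-Object AlertDisplayName, CompromisedEntity, Description |
    Format-Table -AutoSize -Wrap
```

Step 2 is the check worth keeping even if the rest is scripted elsewhere: Set-AzSecurityPricing succeeds silently on a subscription where the caller lacks rights to change the tier only in the sense that nothing explodes, so reading the tier back is the only way to know the plan is actually on before relying on its alerts.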
In this article, you learned about Azure Defender for SQL. To use the services that have been described:
- Use Azure Defender for SQL servers on machines to scan your SQL servers for vulnerabilities