Azure Defender for SQL servers on machines

This Azure Defender plan detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

You'll see alerts when there are suspicious database activities, potential vulnerabilities, or SQL injection attacks, and anomalous database access and query patterns.


Aspect Details
Release state: Preview
Pricing: Azure Defender for SQL servers on machines is billed as shown on the pricing page
Protected SQL versions: Azure SQL Server (all versions covered by Microsoft support)
Clouds: Yes Commercial clouds
Yes US Gov
No China Gov, Other Gov

Set up Azure Defender for SQL servers on machines

To enable this plan:

  • Provision the Log Analytics agent on your SQL server's host. This provides the connection to Azure.

  • Enable the optional plan in Security Center's pricing and settings page.

Both of these are described below.

Step 1. Provision the Log Analytics agent on your SQL server's host:

  • SQL Server on Azure VM - If your SQL machine is hosted on an Azure VM, you can auto provision the Log Analytics agent. Alternatively, you can follow the manual procedure for Onboard your Azure Stack VMs.

  • SQL Server on Azure Arc - If your SQL Server is managed by Azure Arc enabled servers, you can deploy the Log Analytics agent using the Security Center recommendation “Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)”. Alternatively, you can follow the installation methods described in the Azure Arc documentation.

  • SQL Server on-prem - If your SQL Server is hosted on an on-premises Windows machine without Azure Arc, you have two options for connecting it to Azure:

    • Deploy Azure Arc - You can connect any Windows machine to Security Center. However, Azure Arc provides deeper integration across all of your Azure environment. If you set up Azure Arc, you'll see the SQL Server – Azure Arc page in the portal and your security alerts will appear on a dedicated Security tab on that page. So the first and recommended option is to set up Azure Arc on the host and follow the instructions for SQL Server on Azure Arc, above.

    • Connect the Windows machine without Azure Arc - If you choose to connect a SQL Server running on a Windows machine without using Azure Arc, follow the instructions in Connect Windows machines to Azure Monitor.

Step 2. Enable the optional plan in Security Center's pricing and settings page:

  1. From Security Center's menu, open the Pricing & settings page.

    • If you're using Azure Security Center's default workspace (named “defaultworkspace-[your subscription id]-[region]”), select the relevant subscription.

    • If you're using a non-default workspace, select the relevant workspace (enter the workspace's name in the filter if necessary):

      Finding your non-default workspace by title

  2. Set the option for Azure Defender for SQL servers on machines (Preview) plan to on.

    Security Center pricing page with optional plans

    The plan will be enabled on all SQL servers connected to the selected workspace. The protection will be fully active after the first restart of the SQL Server instance.


    To create a new workspace, follow the instructions in Create a Log Analytics workspace.

  3. Optionally, configure email notification for security alerts. You can set a list of recipients to receive an email notification when Security Center alerts are generated. The email contains a direct link to the alert in Azure Security Center with all the relevant details. For more information, see Set up email notifications for security alerts.

Explore vulnerability assessment reports

The vulnerability assessment service scans your databases once a week. The scans run on the same day of the week on which you enabled the service.

The vulnerability assessment dashboard provides an overview of your assessment results across all your databases, along with a summary of healthy and unhealthy databases, and an overall summary of failing checks according to risk distribution.

You can view the vulnerability assessment results directly from Security Center.

  1. From Security Center's sidebar, open the Recommendations page and select the recommendation Vulnerabilities on your SQL servers on machines should be remediated (Preview). For more information, see Security Center Recommendations.

    Vulnerability Assessment findings on your SQL servers on machines should be remediated (Preview)

    The detailed view for this recommendation appears.

    Detailed view for the recommendation

  2. For more details, drill down:

    • For an overview of scanned resources (databases) and the list of security checks that were tested, select the server of interest.

    • For an overview of the vulnerabilities grouped by a specific SQL database, select the database of interest.

    In each view, the security checks are sorted by Severity. Click a specific security check to see a details pane with a Description, how to Remediate it, and other related information such as Impact or Benchmark.

Azure Defender for SQL alerts

Alerts are generated by unusual and potentially harmful attempts to access or exploit SQL machines. These events can trigger alerts shown in the Alerts for SQL Database and Azure Synapse Analytics (formerly SQL Data Warehouse) section of the alerts reference page.

Explore and investigate security alerts

Azure Defender alerts are available in Security Center's alerts page, the resource's security tab, the Azure Defender dashboard, or through the direct link in the alert emails.

  1. To view alerts, select Security alerts from Security Center's menu and select an alert.

  2. Alerts are designed to be self-contained, with detailed remediation steps and investigation information in each one. You can investigate further by using other Azure Security Center and Azure Sentinel capabilities for a broader view:

    • Enable SQL Server's auditing feature for further investigations. If you're an Azure Sentinel user, you can upload the SQL auditing logs from the Windows Security Log events to Sentinel and enjoy a rich investigation experience. Learn more about SQL Server Auditing.
    • To improve your security posture, use Security Center's recommendations for the host machine indicated in each alert. This will reduce the risks of future attacks.

    Learn more about managing and responding to alerts.

Next steps

For related material, see the following article: