Enable Microsoft Defender for SQL servers on machines
Defender for SQL protects your IaaS SQL Servers by identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.
Defender for Cloud populates with alerts when it detects suspicious database activities, potentially harmful attempts to access or exploit SQL machines, SQL injection attacks, anomalous database access, and query patterns. The alerts created by these types of events appear on the alerts reference page.
Defender for Cloud uses vulnerability assessment to discover, track, and assist you in the remediation of potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state and provide details of any security findings.
Learn more about vulnerability assessment for Azure SQL servers on machines.
Defender for SQL servers on machines protects your SQL servers hosted in Azure, multicloud, and even on-premises machines.
Learn more about SQL Server on Virtual Machines.
For on-premises SQL servers, you can learn more about SQL Server enabled by Azure Arc and how to install Log Analytics agent on Windows computers without Azure Arc.
For multicloud SQL servers:
Connect your GCP project to Microsoft Defender for Cloud
Note
You must enable database protection for your multicloud SQL servers through the AWS connector or the GCP connector.
Availability
| Aspect | Details |
|---|---|
| Release state: | General availability (GA) |
| Pricing: | Microsoft Defender for SQL servers on machines is billed as shown on the pricing page |
| Protected SQL versions: | SQL Server version: 2012, 2014, 2016, 2017, 2019, 2022 - SQL on Azure virtual machines - SQL Server on Azure Arc-enabled servers |
| Clouds: | 
Commercial clouds
Azure Government
Microsoft Azure operated by 21Vianet (Advanced Threat Protection Only) |
Set up Microsoft Defender for SQL servers on machines
The Defender for SQL server on machines plan requires Microsoft Monitoring Agent (MMA) or Azure Monitoring Agent (AMA) to prevent attacks and detect misconfigurations. The plan’s autoprovisioning process is automatically enabled with the plan and is responsible for the configuration of all of the agent components required for the plan to function. This includes installation and configuration of MMA/AMA, workspace configuration, and the installation of the plan’s VM extension/solution.
Microsoft Monitoring Agent (MMA) is set to be retired in August 2024. Defender for Cloud updated its strategy and released a SQL Server-targeted Azure Monitoring Agent (AMA) autoprovisioning process to replace the Microsoft Monitoring Agent (MMA) process which is set to be deprecated. Learn more about the AMA for SQL server on machines autoprovisioning process and how to migrate to it.
Note
Customers who are currently using the Log Analytics agent/Azure Monitor agent processes will be asked to migrate to the AMA for SQL server on machines autoprovisioning process.
To enable the plan on a subscription:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
In the Defender for Cloud menu, select Environment settings.
Select the relevant subscription.
On the Defender plans page, locate the Databases plan and select Select types.
In the Resource types selection window, toggle the SQL servers on machines plan to On.
Select Continue.
Select Save.
(Optional) Configure advanced autoprovisioning settings:
Navigate to the Environment settings page.
Select Settings & monitoring.
- For customers using the new autoprovisioning process, select Edit configuration for the Azure Monitoring Agent for SQL server on machines component.
- For customers using the previous autoprovisioning process, select Edit configuration for the Log Analytics agent/Azure Monitor agent component.
To enable the plan on a SQL VM/Arc-enabled SQL Server:
Sign in to the Azure portal.
Navigate to your SQL VM/Arc-enabled SQL Server.
In the SQL VM/Arc-enabled SQL Server menu, under Security, select Microsoft Defender for Cloud.
In the Microsoft Defender for SQL server on machines section, select Enable.
Explore and investigate security alerts
There are several ways to view Microsoft Defender for SQL alerts in Microsoft Defender for Cloud:
The Alerts page.
The machine's security page.
Through the direct link provided in the alert's email.
To view alerts:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Select Security alerts.
Select an alert.
Alerts are designed to be self-contained, with detailed remediation steps and investigation information in each one. You can investigate further by using other Microsoft Defender for Cloud and Microsoft Sentinel capabilities for a broader view:
Enable SQL Server's auditing feature for further investigations. If you're a Microsoft Sentinel user, you can upload the SQL auditing logs from the Windows Security Log events to Sentinel and enjoy a rich investigation experience. Learn more about SQL Server Auditing.
To improve your security posture, use Defender for Cloud's recommendations for the host machine indicated in each alert to reduce the risks of future attacks.
Learn more about managing and responding to alerts.
Next steps
For related information, see these resources:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for