Threat Detection detects anomalous database activities indicating potential security threats to the database. Threat Detection is in preview and is supported for SQL Data Warehouse.
Threat Detection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users can explore the suspicious events using Azure SQL Data Warehouse Auditing to determine if they result from an attempt to access, breach or exploit data in the data warehouse. Threat Detection makes it simple to address potential threats to the data warehouse without the need to be a security expert or manage advanced security monitoring systems.
For example, Threat Detection detects certain anomalous database activities indicating potential SQL injection attempts. SQL injection is one of the most common web application security issues on the Internet, used to attack data-driven applications. Attackers take advantage of application vulnerabilities to inject malicious SQL statements into application entry fields in order to breach or modify data in the database.
Set up threat detection for your database
- Launch the Azure Portal at https://portal.azure.com.
- Navigate to the configuration blade of the SQL Data Warehouse you want to monitor. In the Settings blade, select Auditing & Threat Detection.
- In the Auditing & Threat Detection configuration blade, turn ON auditing, which displays the Threat detection settings.
- Turn ON Threat detection.
- Configure the list of emails that will receive security alerts upon detection of anomalous data warehouse activities.
- Click Save in the Auditing & Threat detection configuration blade to save the new or updated auditing and threat detection policy.
Explore anomalous data warehouse activities upon detection of a suspicious event
You will receive an email notification upon detection of anomalous database activities.
The email will provide information on the suspicious security event including the nature of the anomalous activities, database name, server name and the event time. In addition, it will provide information on possible causes and recommended actions to investigate and mitigate the potential threat to the database.
- In the email, click on the Azure SQL Auditing Log link, which launches the Azure Classic Portal and shows the relevant auditing records around the time of the suspicious event.
- Click on the audit records to view more details on the suspicious database activities, such as the SQL statement, failure reason and client IP.
- In the Auditing Records blade, click Open in Excel to open a pre-configured Excel template that imports the audit log and lets you run deeper analysis around the time of the suspicious event.
Note: In Excel 2010 or later, Power Query and the Fast Combine setting are required.
To configure the Fast Combine setting, open the POWER QUERY ribbon tab and select Options to display the Options dialog. Select the Privacy section and choose the second option, 'Ignore the Privacy Levels and potentially improve performance'.
- To load SQL audit logs, ensure that the parameters in the Settings tab are set correctly, then select the Data ribbon and click the Refresh All button.
- The results appear in the SQL Audit Logs sheet, which enables you to run deeper analysis of the anomalous activities that were detected and mitigate the impact of the security event in your application.
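The "deeper analysis around the time of the suspicious event" that the Excel template supports can also be scripted. The following is an added example, not Microsoft's template or any Azure SDK code: it assumes the audit log has been exported to CSV with the fields the page mentions (event time, server, database, client IP, success flag, failure reason, statement; column names are assumed), keeps only the records within a window around the alert's event time, and groups them by client IP to surface the sources with repeated failed statements. The audit rows are constructed sample data.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit export (not real data). Columns mirror the details
# the alert email and audit records expose: event time, server, database,
# client IP, success flag, failure reason and SQL statement.
SAMPLE_AUDIT_CSV = """event_time,server_name,database_name,client_ip,succeeded,failure_reason,statement
2016-03-01T10:14:30Z,dw-srv,salesdw,198.51.100.7,0,Incorrect syntax,SELECT * FROM dbo.Customers WHERE id = '1''
2016-03-01T10:14:31Z,dw-srv,salesdw,198.51.100.7,0,Incorrect syntax,SELECT * FROM dbo.Customers WHERE id = '1'''
2016-03-01T10:14:33Z,dw-srv,salesdw,198.51.100.7,1,,SELECT * FROM dbo.Customers WHERE id = '1'
2016-03-01T10:15:00Z,dw-srv,salesdw,10.0.0.5,1,,SELECT COUNT(*) FROM dbo.Orders
2016-03-01T11:30:00Z,dw-srv,salesdw,203.0.113.9,0,Login failed,
"""

def parse_audit_csv(text):
    """Parse an audit export into dicts with typed time and success fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_time"] = datetime.strptime(row["event_time"], "%Y-%m-%dT%H:%M:%SZ")
        row["succeeded"] = row["succeeded"] == "1"
        rows.append(row)
    return rows

def records_around(rows, alert_time, window_minutes=15):
    """Keep only records within +/- window_minutes of the alert's event time."""
    lo = alert_time - timedelta(minutes=window_minutes)
    hi = alert_time + timedelta(minutes=window_minutes)
    return [r for r in rows if lo <= r["event_time"] <= hi]

def summarize_by_client(rows):
    """Per client IP: statement count, failure count and failure reasons."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["client_ip"], {"total": 0, "failed": 0, "reasons": Counter()})
        s["total"] += 1
        if not r["succeeded"]:
            s["failed"] += 1
            s["reasons"][r["failure_reason"]] += 1
    return summary

def suspicious_clients(summary, min_failed=2):
    """Client IPs with at least min_failed failed statements, worst first."""
    hits = [ip for ip, s in summary.items() if s["failed"] >= min_failed]
    return sorted(hits, key=lambda ip: -summary[ip]["failed"])

if __name__ == "__main__":  # alert time as quoted in the notification email
    window = records_around(parse_audit_csv(SAMPLE_AUDIT_CSV), datetime(2016, 3, 1, 10, 15))
    print(suspicious_clients(summarize_by_client(window)))
```

Point the script at a real export by reading the file into `parse_audit_csv` and passing the event time from the alert email to `records_around`; the window size and failure threshold are the knobs to tune for your workload.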