SQL Database Threat Detection

SQL Threat Detection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Overview

SQL Threat Detection adds a layer of security that lets customers detect and respond to potential threats as they occur, by raising security alerts on anomalous activities. Users receive an alert on suspicious database activities, potential vulnerabilities, SQL injection attacks, and anomalous database access patterns. Each alert describes the suspicious activity and recommends how to investigate and mitigate the threat. Users can explore the suspicious events with SQL Database Auditing to determine whether they result from an attempt to access, breach, or exploit data in the database. Threat Detection makes it simple to address potential threats to the database without requiring a security expert or a separate advanced security monitoring system.

For example, SQL injection is one of the most common web application security issues on the Internet, used to attack data-driven applications. Attackers take advantage of application vulnerabilities to inject malicious SQL statements into application entry fields, breaching or modifying data in the database.

SQL Threat Detection integrates its alerts with Azure Security Center. Each protected SQL Database server is billed at the same price as the Azure Security Center Standard tier, $15/node/month, where each protected SQL Database server counts as one node. We invite you to try it out for 60 days for free.

Set up threat detection for your database in the Azure portal

  1. Launch the Azure portal at https://portal.azure.com.
  2. Navigate to the configuration blade of the SQL Database you want to monitor. In the Settings blade, select Auditing & Threat Detection.
  3. In the Auditing & Threat Detection configuration blade, turn ON Auditing. Threat detection depends on auditing, so the threat detection settings appear only once auditing is on.

  4. Turn ON Threat detection.
  5. Configure the list of email addresses that will receive security alerts upon detection of anomalous database activities.
  6. Click Save in the Auditing & Threat detection blade to save the new or updated auditing and threat detection settings.

Set up threat detection using PowerShell

For a script example, see Configure auditing and threat detection using PowerShell.
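The PowerShell equivalent of the portal steps above, as an added example written for this page rather than the script in the linked article. It uses the AzureRM module cmdlets of the same era as the portal blades described here (Set-AzureRmSqlDatabaseAuditing, Set-AzureRmSqlDatabaseThreatDetectionPolicy, Get-AzureRmSqlDatabaseThreatDetectionPolicy). The resource group, server, database, storage account and e-mail addresses are placeholders, and the property names read back from the policy object (ThreatDetectionState, ExcludedDetectionTypes) are assumed from that module's output; it also assumes you have already signed in with Login-AzureRmAccount.

```powershell
# Added example (not from the Azure documentation or its linked script):
# enable auditing, then threat detection, on one database, and verify the result.
# All names below are placeholders; replace them with your own.
$rg      = 'my-resource-group'
$server  = 'my-sql-server'       # logical server name, without .database.windows.net
$db      = 'my-database'
$storage = 'myauditstorage'      # existing storage account that will hold audit logs
$alertTo = 'secops@example.com;dba@example.com'   # semicolon-separated recipients

# 1. Threat detection requires auditing, so turn auditing on first.
#    The audit records written here are what the alert e-mail links you to.
Set-AzureRmSqlDatabaseAuditing -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -State Enabled -StorageAccountName $storage -RetentionInDays 90

# 2. Turn threat detection on, with explicit recipients in addition to the
#    subscription admins. No -ExcludedDetectionType is passed, so SQL injection,
#    SQL injection vulnerability and access anomaly alerts all stay active.
Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -NotificationRecipientsEmails $alertTo -EmailAdmins $true -StorageAccountName $storage

# 3. Read the policy back and check it, rather than trusting that the call succeeded.
#    (Property names are assumed from the AzureRM policy object.)
$policy = Get-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db

if ($policy.ThreatDetectionState -ne 'Enabled') {
    throw "Threat detection is not enabled on $server/$db"
}
if ($policy.ExcludedDetectionTypes -and ($policy.ExcludedDetectionTypes -ne 'None')) {
    # A silently excluded detection type is a coverage gap worth knowing about.
    Write-Warning "Excluded detection types on $server/$db: $($policy.ExcludedDetectionTypes -join ', ')"
}
if (-not $policy.NotificationRecipientsEmails -and -not $policy.EmailAdmins) {
    Write-Warning "Threat detection is on but nobody will receive the alerts"
}

$policy | Select-Object ThreatDetectionState, NotificationRecipientsEmails, EmailAdmins, ExcludedDetectionTypes
```

Run it once per database you want covered; the verification step at the end is the part worth keeping in any automation, since an enabled policy with no recipients or with excluded detection types looks "on" in a resource listing but will never page anyone for the threats you care about.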

Explore anomalous database activities upon detection of a suspicious event

  1. You will receive an email notification upon detection of anomalous database activities.
    The email provides information on the suspicious security event, including the nature of the anomalous activity, the database name, server name, application name, and event time. It also describes possible causes and recommended actions to investigate and mitigate the potential threat to the database.

  2. The email alert includes a direct link to the SQL Audit log. Clicking this link launches the Azure portal and opens the SQL Audit records around the time of the suspicious event. Click an audit record to view more details on the suspicious database activity. This makes it easier to find the SQL statements that were executed (who accessed the database, what they did, and when) and to determine whether the event was legitimate or malicious (e.g. an application's SQL injection vulnerability was exploited, or someone breached sensitive data).

Explore threat detection alerts for your database in the Azure portal

SQL Database Threat Detection integrates its alerts with Azure Security Center. A live SQL security tile within the database blade in the Azure portal tracks the status of active threats.

  1. Clicking the SQL security tile launches the Azure Security Center alerts blade, which gives an overview of the active SQL threats detected on the database.

  2. Clicking a specific alert provides additional details and actions for investigating this threat and remediating future threats.

Next steps