Advanced Threat Protection for Azure SQL Database

Advanced Threat Protection for Azure SQL Database and SQL Data Warehouse detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Advanced Threat Protection is part of the Advanced Data Security (ADS) offering, a unified package of advanced SQL security capabilities. It is accessed and managed through the central SQL ADS portal.

Note

This topic applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases created on that Azure SQL server. For simplicity, SQL Database is used below when referring to both SQL Database and SQL Data Warehouse.

What is Advanced Threat Protection

Advanced Threat Protection provides a new layer of security that lets customers detect and respond to potential threats as they occur, by raising security alerts on anomalous activities. Users receive an alert on suspicious database activity, potential vulnerabilities, SQL injection attacks, and anomalous database access and query patterns. Advanced Threat Protection integrates its alerts with Azure Security Center; each alert includes details of the suspicious activity and recommended actions for investigating and mitigating the threat. This makes it simpler to address potential threats to the database without being a security expert or operating a dedicated security monitoring system.

For a full investigation experience, it is recommended that you enable SQL Database Auditing, which writes database events to an audit log in your Azure storage account. The alert tells you that something happened; the audit log is what lets you reconstruct which statements ran, from where, and under which principal.

Advanced Threat Protection alerts

Advanced Threat Protection for Azure SQL Database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases, and can trigger the following alerts:

  • Vulnerability to SQL injection: This alert is triggered when an application generates a faulty SQL statement in the database. It may indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for the faulty statement:

    • A defect in application code that constructs the faulty SQL statement
    • Application code or stored procedures that do not sanitize user input when constructing the statement, which may be exploitable for SQL injection
    Note that a faulty statement can be produced by entirely benign input (for example, a name containing an apostrophe spliced into a concatenated query), so this alert indicates that a code path is injectable, not that an attack is under way.
  • Potential SQL injection: This alert is triggered when an active exploit is run against an identified application vulnerability to SQL injection. This means an attacker is trying to inject malicious SQL statements through the vulnerable application code or stored procedures.

  • Access from unusual location: This alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application or developer maintenance). In other cases, the alert detects a malicious action (former employee, external attacker).

  • Access from unusual Azure data center: This alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server from an Azure data center that is unusual for this server, that is, one not seen in its access history over the recent period. In some cases, the alert detects a legitimate action (your new application in Azure, Power BI, Azure SQL Query Editor). In other cases, the alert detects a malicious action from an Azure resource or service (former employee, external attacker).

  • Access from unfamiliar principal: This alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server using an unusual principal (SQL user). In some cases, the alert detects a legitimate action (new application, developer maintenance). In other cases, the alert detects a malicious action (former employee, external attacker).

  • Access from a potentially harmful application: This alert is triggered when a potentially harmful application is used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack using common attack tools.

  • Brute force SQL credentials: This alert is triggered when there is an abnormally high number of failed logins with different credentials. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack.
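As an added example, not part of the original page and not Microsoft's detection logic, the following Python script applies the brute force rule just described (an abnormally high number of failed logins using different credentials) to audit-style login events. The log line layout, the thresholds (at least 5 failures spread over at least 3 distinct principals inside a 5-minute sliding window) and the sample events are all constructed assumptions; the service computes the real alert, and this only shows the shape of the check a practitioner might run over exported audit logs to corroborate one.

```python
"""Toy detector for the "Brute force SQL credentials" pattern.
Added example; the log format, thresholds and events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical layout, not the real SQL audit log):
# <ISO-8601 timestamp> <client_ip> <principal> <LOGIN_OK|LOGIN_FAILED>
SAMPLE_LOG = """\
2019-05-01T10:00:00 198.51.100.7 app_user LOGIN_OK
2019-05-01T10:00:05 203.0.113.9 sa LOGIN_FAILED
2019-05-01T10:00:06 203.0.113.9 admin LOGIN_FAILED
2019-05-01T10:00:07 203.0.113.9 root LOGIN_FAILED
2019-05-01T10:00:08 203.0.113.9 sqladmin LOGIN_FAILED
2019-05-01T10:00:09 203.0.113.9 dbo LOGIN_FAILED
2019-05-01T10:00:10 203.0.113.9 sa LOGIN_FAILED
2019-05-01T10:01:00 198.51.100.7 app_user LOGIN_FAILED
2019-05-01T10:01:05 198.51.100.7 app_user LOGIN_FAILED
2019-05-01T10:20:00 203.0.113.9 sa LOGIN_FAILED
"""


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, principal, failed) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, principal, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, principal, result == "LOGIN_FAILED"))
    return events


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5, min_principals=3):
    """Return {client_ip: (failures, distinct_principals)} for every source that,
    inside any sliding window, accumulates at least min_failures failed logins
    spread over at least min_principals distinct principals.

    Requiring several distinct principals separates credential guessing from
    the benign case of one application retrying a stale password.  The tuple
    kept per source is the worst (largest) window observed.
    """
    alerts = {}
    recent = defaultdict(deque)  # client_ip -> deque of (timestamp, principal) failures
    for ts, ip, principal, failed in sorted(events):
        if not failed:
            continue
        q = recent[ip]
        q.append((ts, principal))
        # Drop failures that have fallen out of the window (the event just
        # appended is never older than itself, so the deque stays non-empty).
        while ts - q[0][0] > window:
            q.popleft()
        principals = {p for _, p in q}
        if len(q) >= min_failures and len(principals) >= min_principals:
            alerts[ip] = max(alerts.get(ip, (0, 0)), (len(q), len(principals)))
    return alerts


if __name__ == "__main__":
    for ip, (failures, principals) in detect_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT brute force from {ip}: {failures} failed logins, {principals} distinct principals")
```

On the constructed sample, 203.0.113.9 is flagged (six failures across five principals within a few seconds), while 198.51.100.7, which fails twice with a single principal, is not; the lone failure at 10:20 falls outside the window and does not re-trigger.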

Explore anomalous database activities upon detection of a suspicious event

You receive an email notification when anomalous database activity is detected. The email describes the suspicious security event, including the nature of the anomalous activity, the database name, server name, application name, and the event time. It also lists possible causes and recommended actions for investigating and mitigating the potential threat to the database.

[Image: Anomalous activity report]

  1. Click the View recent SQL alerts link in the email to launch the Azure portal and open the Azure Security Center alerts page, which gives an overview of the active threats detected on the SQL database.

    [Image: Active threats]

  2. Click a specific alert to get additional details and recommended actions for investigating this threat and remediating future threats.

    For example, SQL injection is one of the most common web application security issues on the Internet and is used to attack data-driven applications. Attackers take advantage of application vulnerabilities to inject malicious SQL statements through application entry fields, breaching or modifying data in the database. For SQL injection alerts, the alert details include the vulnerable SQL statement that was exploited.

    [Image: Specific alert]
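As an added example, not part of the original page and not Microsoft's code, the following Python script uses an in-memory SQLite database to stand in for Azure SQL Database and reproduces the two conditions behind the injection alerts described above: a query built by string concatenation turns benign input containing an apostrophe into a faulty statement (the "Vulnerability to SQL injection" signal, with no attacker involved) and then returns every row when fed a classic tautology payload (the "Potential SQL injection" exploit), while a parameterized query treats the same input as data. The table, rows, function names and payload are constructed for illustration; the quoting behaviour shown is the same in T-SQL.

```python
"""Concatenated vs. parameterized query, as an added example.
SQLite stands in for Azure SQL Database; table and data are constructed."""
import sqlite3


def make_db():
    """In-memory database with a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("O'Brien", "obrien@example.com"), ("Bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The defect the alert points at: user input is spliced into the statement text."""
    sql = f"SELECT email FROM customers WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT email FROM customers WHERE name = ?", (name,))]


def demo():
    """Run both lookups against benign and hostile input; return what happened."""
    conn = make_db()
    results = {}

    # 1. Benign input containing an apostrophe.  The concatenated query becomes
    #    "... WHERE name = 'O'Brien'", which the engine rejects: this is the
    #    faulty statement behind a "Vulnerability to SQL injection" alert, and
    #    it fires with no attacker involved.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vuln_apostrophe"] = "no error"
    except sqlite3.Error as exc:
        results["vuln_apostrophe"] = f"faulty statement: {exc}"
    results["safe_apostrophe"] = lookup_hardened(conn, "O'Brien")

    # 2. Hostile input.  The concatenated query becomes
    #    "... WHERE name = 'x' OR '1'='1'" and leaks every row: the active
    #    exploit behind a "Potential SQL injection" alert.  The parameterized
    #    query looks for a customer literally named x' OR '1'='1 and finds none.
    payload = "x' OR '1'='1"
    results["vuln_payload"] = lookup_vulnerable(conn, payload)
    results["safe_payload"] = lookup_hardened(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical point for triage: when the alert details show the exploited statement, look for the concatenation site in the application or stored procedure that produced it; the fix is to bind the input as a parameter, not to filter the payload string.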

Explore Advanced Threat Protection alerts for your database in the Azure portal

Advanced Threat Protection integrates its alerts with Azure Security Center. Live SQL Advanced Threat Protection tiles in the database and SQL ADS blades of the Azure portal track the status of active threats.

Click Advanced Threat Protection alert to launch the Azure Security Center alerts page and get an overview of the active SQL threats detected on the database or data warehouse.

[Image: Advanced Threat Protection alerts]

[Image: Advanced Threat Protection alerts 2]

Next steps