In my last blog post, we took a look at the Vulnerability Assessment within the Advanced Data Security (ADS) offering for Azure SQL. In my final blog post of the series, we will take a deep dive into the Advanced Threat Protection features.
Advanced Threat Protection for Azure SQL Database gives administrators immediate visibility into potential threats: suspicious database activity, potential vulnerabilities, SQL injection attacks, and anomalous database access and query patterns. When such activity is detected, an alert is raised in Azure Security Center with details of the activity and recommended steps for investigating and remediating it. The feature is available for all Azure SQL Database deployment options: Single Database, Elastic Pool, and Managed Instance.
The following alerts can be triggered by this feature:
In general, these alerts can be triggered by legitimate activity, such as a new employee, a newly deployed application, or a penetration test, as well as by a genuine threat in progress within the Azure SQL environment. An alert is therefore something to verify against known change activity, not something to dismiss on sight.
When an alert is triggered, an email notification is sent describing the specific event: the nature of the event, the database name, server name, application name, and event time, together with investigation and remediation steps.
The remediation steps are guidance only. Advanced Threat Protection does not block the activity in real time, so an administrator has to carry out the remediation manually.
In order to enable Advanced Threat Protection, ADS must be enabled first. Refer to my initial blog post in the series for detailed instructions on enabling ADS for your Azure SQL Database. Once ADS is enabled, you will need to provide some additional information to configure the Advanced Threat Protection settings.
This includes:
SQL Server and database auditing are not required, but they are recommended: with auditing enabled, an alert can be traced directly to the audit records of the activity that triggered it, which makes for a much fuller investigation.
You can also configure Advanced Threat Protection by leveraging Azure PowerShell cmdlets. Refer to Microsoft documentation for cmdlets and sample scripts.
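The PowerShell route, as an added example that is not code from the original post or from Microsoft's documentation: it enables ADS on a logical server, sets the Advanced Threat Protection notification settings, turns on server auditing to a storage account (the optional-but-recommended step above), and then reads the settings back to verify them. The resource group, server, storage account and recipient address are placeholders; the cmdlets are from the Az.Sql module, and the property names on the returned setting objects are as of Az.Sql 2.x.

```powershell
# Added example, not from the original post: configure Azure SQL Advanced
# Threat Protection from PowerShell. Requires the Az.Accounts and Az.Sql modules
# and a signed-in account with write access to the logical server.
# All resource names and the recipient address below are placeholders.
$ResourceGroup   = "rg-sql-prod"                # assumed
$ServerName      = "sql-prod-eastus"            # assumed: logical server name (no .database.windows.net)
$StorageId       = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sql-prod/providers/Microsoft.Storage/storageAccounts/sqlauditprod"  # assumed
$AlertRecipients = "secops@example.com"         # assumed: SOC distribution list

Connect-AzAccount | Out-Null

# 1. Advanced Data Security is a prerequisite; the ATP settings live under it.
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $ResourceGroup -ServerName $ServerName | Out-Null

# 2. Alert routing: an explicit recipient list plus the subscription admins.
#    -ExcludedDetectionType can suppress alert categories; it is deliberately
#    left at its default here so that no category is silenced.
Update-AzSqlServerAdvancedThreatProtectionSetting `
    -ResourceGroupName            $ResourceGroup `
    -ServerName                   $ServerName `
    -NotificationRecipientsEmails $AlertRecipients `
    -EmailAdmins                  $true | Out-Null

# 3. Server-level auditing to blob storage. Not required for ATP, but it is
#    what an alert's "View suspicious activity" link drills into, and 90 days
#    of retention covers a typical investigation window.
Set-AzSqlServerAudit `
    -ResourceGroupName        $ResourceGroup `
    -ServerName               $ServerName `
    -BlobStorageTargetState   Enabled `
    -StorageAccountResourceId $StorageId `
    -RetentionInDays          90

# 4. Read the settings back rather than trusting that the calls succeeded.
$atp   = Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $ResourceGroup -ServerName $ServerName
$audit = Get-AzSqlServerAudit -ResourceGroupName $ResourceGroup -ServerName $ServerName

$problems = @()
if ($atp.ThreatDetectionState -ne "Enabled") { $problems += "ATP state is $($atp.ThreatDetectionState)" }
if (-not $atp.EmailAdmins -and [string]::IsNullOrWhiteSpace($atp.NotificationRecipientsEmails)) {
    $problems += "ATP is enabled but nobody receives the alerts"
}
if ($atp.ExcludedDetectionTypes -and $atp.ExcludedDetectionTypes.Count -gt 0) {
    $problems += "Excluded detection types: $($atp.ExcludedDetectionTypes -join ', ')"
}
if ($audit.BlobStorageTargetState -ne "Enabled") { $problems += "Server auditing is not enabled" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "ATP and auditing are configured on $ServerName; alerts go to $($atp.NotificationRecipientsEmails)"
}
```

The read-back at the end is the part worth keeping in a deployment script: an ATP policy that is enabled but has no recipients, or that quietly excludes a detection type, looks "on" in the portal while nobody is ever paged.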
An email will be sent upon occurrence of suspicious activity:
Click the “View alert” button which will bring you to the Azure portal and provide the full alert details.
The “General Information” section repeats the details from the email and adds some more: a high-level description of the event, the event time, the severity, and details of the attacked resource and the suspected attacker, such as the login name and client in the case of an alert about an unknown login.
The “Geo and Threat Intelligence Information” section provides details on the source location of the attack.
The “Remediation Steps” section provides steps to investigate, recommendations, and steps to remediate.
This is where having server and database auditing enabled pays off: an admin can choose “View suspicious activity” to jump straight to the relevant audit records.
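The same drill-down done from a script, as an added example that is not part of the original post: it reads the audit records behind an alert straight from the audit log files using the login name, client IP and event time shown in the alert, and summarises what that login did in the hour around the event. It assumes server auditing to blob storage is on, that the caller is an Azure AD user with access to the database (Get-AzAccessToken from Az.Accounts 2.x), and that SqlConnection.AccessToken is available (.NET Framework 4.7.2 or later, or PowerShell 7). The server, database, login, client IP, event time and audit log path are placeholders standing in for the values an alert's “General Information” section would show.

```powershell
# Added example, not from the original post: pull the audit records behind an
# ATP alert and summarise the flagged login's activity around the event time.
# All of the values below are placeholders for what an alert would show.
$ServerFqdn = "sql-prod-eastus.database.windows.net"   # assumed
$Database   = "salesdb"                                 # assumed
$Login      = "svc_reports"                             # assumed: login named in the alert
$ClientIp   = "203.0.113.45"                            # assumed: client IP from the alert (documentation range)
$EventTime  = [datetime]::Parse("2020-05-12T14:03:00Z").ToUniversalTime()   # assumed: alert event time
# Audit files are written under <storage>/sqldbauditlogs/<server>/<database>/SqlDbAuditing_ServerAudit/<date>/
$AuditPath  = "https://sqlauditprod.blob.core.windows.net/sqldbauditlogs/sql-prod-eastus/salesdb/SqlDbAuditing_ServerAudit/2020-05-12/"  # assumed

$token = (Get-AzAccessToken -ResourceUrl "https://database.windows.net").Token

# Parameterised on purpose: the login and IP are copied out of an alert, and an
# attacker who chose a login name like "x' OR 1=1--" must not be able to inject
# into the investigator's own query.
$query = @"
SELECT event_time, action_id, succeeded, server_principal_name, client_ip,
       application_name, LEFT(statement, 200) AS statement_preview
FROM sys.fn_get_audit_file(@AuditPath, DEFAULT, DEFAULT)
WHERE server_principal_name = @Login
  AND client_ip = @ClientIp
  AND event_time BETWEEN DATEADD(minute, -30, @EventTime) AND DATEADD(minute, 30, @EventTime)
ORDER BY event_time;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=tcp:$ServerFqdn,1433;Database=$Database;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
$conn.AccessToken = $token
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue("@AuditPath", $AuditPath)
    [void]$cmd.Parameters.AddWithValue("@Login",     $Login)
    [void]$cmd.Parameters.AddWithValue("@ClientIp",  $ClientIp)
    [void]$cmd.Parameters.AddWithValue("@EventTime", $EventTime)

    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Close()
}

# Triage view per audit action: how much of it failed, when, and from which
# applications. A burst of failed logins (action_id LGIF) followed by a success
# (LGIS) is the brute-force shape; a flood of statements from an application
# name nobody recognises is the shape of an unknown client.
$summary = $table | Group-Object action_id | ForEach-Object {
    $times = @($_.Group.event_time | Sort-Object)
    [pscustomobject]@{
        ActionId     = $_.Name
        Events       = $_.Count
        Failed       = @($_.Group | Where-Object { -not $_.succeeded }).Count
        FirstSeenUtc = $times[0]
        LastSeenUtc  = $times[-1]
        Applications = (@($_.Group.application_name) | Sort-Object -Unique) -join ", "
    }
}
$summary | Sort-Object FirstSeenUtc | Format-Table -AutoSize

# Keep the raw records for the incident file.
$table | Export-Csv -NoTypeInformation -Path ".\atp-audit-$Login-$($EventTime.ToString('yyyyMMddHHmm')).csv"
```

Querying the audit files by login and client IP, rather than scrolling the portal view, gives you the same records with a time window you control, and the CSV export preserves them before the retention period expires.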
These alerts are also visible in the Azure portal as a notification in the overview section of your database, as well as in the Advanced Data Security section.
When accessing the alerts through either of these pages, you will be brought to a summary of alerts over the last week, with the ability to drill into specific alerts.
The Advanced Data Security offering for Azure SQL provides administrators with a full suite of security functionality to help protect their databases with a single pane of glass view through the Azure Portal.
This blog series highlighted each of the three key features:
To learn about how Stealthbits can help with protecting your SQL databases, visit our website: https://www.stealthbits.com/stealthaudit-for-sql-product
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.
This is excellent and easy-to-understand info, and with screenshots!
Thanks a lot!