Ensure that all types of threat detection are enabled for the Advanced Threat Protection service provided by Advanced Data Security (ADS), a unified set of security services for Microsoft Azure SQL servers that includes Data Discovery and Classification, Vulnerability Assessment and Advanced Threat Protection. Advanced Threat Protection is a security service that detects suspicious database activity indicating unusual and potentially harmful attempts to access or exploit your Azure SQL database. The service can be configured to trigger notification alerts for the following threats:
Vulnerability to SQL injection – an alert is triggered when an application generates a faulty SQL statement in your SQL database. This alert may indicate a possible vulnerability to SQL injection attacks. A faulty SQL statement is generated for one of two reasons: a bug in the application code that constructs the statement, or application code or stored procedures that do not sanitize user input when constructing the statement, which may be exploited for SQL injection.
Potential SQL injection – an alert is triggered when an active exploit is observed against an identified web application vulnerability to SQL injection, i.e. when an attacker is attempting to inject malicious SQL statements through the vulnerable application code or stored procedures.
Access from an unusual location – an alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server from an unusual geographical location. In most cases, this alert detects legitimate actions, such as new application deployments or maintenance sessions performed by developers, but in some cases it detects malicious actions initiated by an external attacker.
Access from an unfamiliar principal – an alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server using an unusual principal (SQL user). In some cases this alert detects a legitimate action; in other cases it detects a malicious action performed by a former employee or an external attacker.
Access from a potentially harmful application – an alert is triggered when a potentially harmful application is used to access the SQL database. In most cases the alert detects penetration testing in action, but in some cases it detects an attack using common attack tools.
Brute forcing SQL credentials – an alert is triggered when there is an atypically high number of failed logins with different access credentials. In some cases the alert detects penetration testing in action; in most cases, however, it detects a brute force attack.
Cloud Conformity strongly recommends enabling notification alerts for all these types of threats.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Enabling all threat detection types provides alerting coverage for SQL database vulnerabilities, SQL injection attacks, and other potentially harmful activities such as atypical client logins; excluding any detection type leaves that class of activity unmonitored.
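As an added illustration, not part of this rule page or the Conformity tool, the following Python snippet evaluates each server's security alert policy against this rule: the policy must be Enabled and no detection type may be excluded. It assumes policy objects in the shape returned by `az sql server threat-policy show` (fields `state` and `disabledAlerts`, with alert identifiers such as Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Unsafe_Action and Brute_Force taken from the Azure SQL security alert policy API); the sample policies are constructed.

```python
# Assumption: policy dicts mirror `az sql server threat-policy show` output.
# Older API versions returned `disabledAlerts` as one semicolon-separated
# string instead of a JSON list, so both shapes are accepted below.

def parse_disabled_alerts(policy):
    """Return the set of excluded detection-type identifiers in a policy."""
    raw = policy.get("disabledAlerts") or []
    if isinstance(raw, str):
        raw = raw.split(";")
    return {item.strip() for item in raw if item and item.strip()}


def evaluate_threat_policy(policy):
    """Check one policy; returns (compliant, list_of_findings).

    Non-compliant when Advanced Threat Protection is not Enabled or when any
    detection type (e.g. Brute_Force, Sql_Injection) is listed as disabled.
    """
    findings = []
    if policy.get("state") != "Enabled":
        findings.append("Advanced Threat Protection is not enabled "
                        "(state=%r)" % policy.get("state"))
    for alert in sorted(parse_disabled_alerts(policy)):
        findings.append("detection type disabled: " + alert)
    return (not findings, findings)


def audit(policies):
    """Map server name -> findings for every non-compliant server."""
    report = {}
    for server, policy in policies.items():
        compliant, findings = evaluate_threat_policy(policy)
        if not compliant:
            report[server] = findings
    return report


# Constructed sample data: four servers with different policy states.
SAMPLE_POLICIES = {
    "sql-prod-01": {"state": "Enabled", "disabledAlerts": []},
    "sql-prod-02": {"state": "Enabled",
                    "disabledAlerts": ["Brute_Force", "Unsafe_Action"]},
    "sql-legacy": {"state": "Enabled",
                   "disabledAlerts": "Sql_Injection;Access_Anomaly"},
    "sql-dev": {"state": "Disabled", "disabledAlerts": []},
}

if __name__ == "__main__":
    for server, findings in audit(SAMPLE_POLICIES).items():
        print(server)
        for finding in findings:
            print("  -", finding)
```

Only sql-prod-01 passes; a failing server is fixed by re-enabling the policy with no excluded alert types in the portal, CLI or PowerShell.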
Audit
To determine if the "Advanced Threat Detection types" setting is set to "All", perform the following actions:
Remediation / Resolution
To enable all types of threat detection for your Microsoft Azure SQL database servers, perform the following actions: