Enable All Types of Threat Detection on SQL Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Sql-007

Ensure that all types of threat detection are enabled for the Advanced Threat Protection service provided by Advanced Data Security (ADS) – a unified set of security services for Microsoft Azure SQL servers that includes Data Discovery and Classification, Vulnerability Assessment and Advanced Threat Protection. Advanced Threat Protection is a security service responsible for detecting suspicious database activity that indicates unusual and potentially harmful attempts to access or exploit your Azure SQL database. The service can be configured to trigger notification alerts for the following threats:

Vulnerability to SQL injection – an alert is triggered when an application generates a faulty SQL statement in your SQL database. This alert may indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for the generation of a faulty SQL statement: a bug in the application code that constructs the statement, or a block of application code or stored procedures that does not sanitize user input when constructing the statement, which may be exploited for SQL injection.

Potential SQL injection – an alert is triggered when an active exploit happens against an identified web application vulnerability to SQL injection. This alert is triggered when the attacker is trying to inject malicious SQL statements using the vulnerable application code or stored procedures.

Access from an unusual location – an alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server from an unusual geographical location. In most cases, this alert detects legitimate actions such as creating new applications or maintenance sessions performed by developers, but in some cases, the alert detects malicious actions initiated by an external attacker.

Access from an unfamiliar principal – an alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server using an unusual principal (SQL user). In some cases, this alert detects a legitimate action, however, in other cases, the alert detects a malicious action performed by a former employee or an external attacker.

Access from a potentially harmful application – this type of alert is triggered when a potentially harmful application is used to access the SQL database. In most cases, the alert detects penetration testing in action but in some cases, the alert detects an attack using common attack tools.

Brute forcing SQL credentials – an alert is triggered when there is an atypically high number of failed logins with different access credentials. In some cases, the alert detects penetration testing in action, however, in most cases, the alert detects a brute force attack.

Cloud Conformity strongly recommends enabling notification alerts for all these types of threats.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling all threat detection types protects against SQL database vulnerabilities, SQL injection attacks, and other potentially harmful activities such as atypical client logins.
Audit

To determine if the "Advanced Threat Detection types" setting is set to "All", perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in your Azure account.

04 Click on the name of the SQL server that you want to examine.

05 In the navigation panel, under Security, select Advanced Data Security to access the ADS configuration settings for the selected database server.

06 On the ADS configuration page, under ADVANCED THREAT PROTECTION SETTINGS, check the Advanced Threat Protection types setting status. If the configuration status is set to None or Custom, the Advanced Threat Protection service does not send notification alerts for all types of threats detected for the selected SQL database server.

07 Repeat steps no. 4 – 6 for each SQL database server available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Get-AzSqlServer PowerShell cmdlet using custom query filters to list the names of all SQL database servers, together with the names of their associated resource groups, available in the current Azure subscription:

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information:

ServerName             ResourceGroupName
----------             -----------------
cc-project5-server     cloud-shell-storage-westeurope
cc-az-sql-db-server    cloud-shell-storage-westeurope

03 Run the Get-AzureRmSqlServerThreatDetectionPolicy PowerShell cmdlet using the name of the SQL server that you want to examine as the identifier parameter and custom query filters to describe the "Advanced Threat Detection types" setting configuration status for the selected database server:

Get-AzureRmSqlServerThreatDetectionPolicy -ServerName "cc-project5-server" -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object ExcludedDetectionTypes

04 The command output should return the requested configuration setting status:

ExcludedDetectionTypes
----------------------
{Access_Anomaly, Data_Exfiltration, Unsafe_Action}

If the Get-AzureRmSqlServerThreatDetectionPolicy cmdlet output does not return an empty object, i.e. {}, for the ExcludedDetectionTypes configuration attribute, the "Advanced Threat Detection types" setting is not set to "All" and the Advanced Threat Protection service does not send notification alerts for all types of threats detected for the selected SQL server.

05 Repeat steps no. 3 and 4 for each SQL database server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable all types of threat detection for your Microsoft Azure SQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL database servers available in your Azure account.

04 Click on the name of the SQL database server that you want to reconfigure.

05 In the navigation panel, under Security, select Advanced Data Security to access the ADS configuration settings for the selected database server.

06 On the ADS configuration page, under ADVANCED THREAT PROTECTION SETTINGS, click Advanced Threat Protection types to access "Advanced Threat Detection types" setting configuration.

07 On the Advanced Threat Protection types panel, select All to send email alerts for all types of threats detected by the Advanced Threat Protection security service, then click OK to apply the changes.

08 On the Advanced Data Security page, click Save to save the Advanced Threat Protection configuration changes.

09 Repeat steps no. 4 – 8 for each SQL database server provisioned in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the Set-AzureRmSqlServerThreatDetectionPolicy PowerShell cmdlet using the name of the SQL server that you want to reconfigure and the name of the associated resource group as identifier parameters (see Audit section part I to identify the right Azure SQL resource) to enable notification alerts for all types of threats detected by the Advanced Threat Protection security service for the selected Microsoft Azure SQL database server (the command does not produce an output):

Set-AzureRmSqlServerThreatDetectionPolicy -ServerName "cc-project5-server" -ResourceGroupName "cloud-shell-storage-westeurope" -ExcludedDetectionType "None"

02 Repeat step no. 1 for each SQL database server provisioned in the selected subscription.

03 Repeat steps no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.
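The PowerShell audit steps above and this remediation step can be combined into one script that walks every subscription and every SQL server, reports the ones whose ExcludedDetectionTypes is not empty, and optionally applies the Set-AzureRmSqlServerThreatDetectionPolicy fix. This is an added example, not code from the Conformity page; it assumes the AzureRM module (the family of the Get-/Set-AzureRmSqlServerThreatDetectionPolicy cmdlets used above) is installed and a session has already been opened with Connect-AzureRmAccount, and it additionally requires ThreatDetectionState to be Enabled, since an empty exclusion list on a disabled policy still sends no alerts.

```powershell
# Added example: audit (and optionally remediate) the Sql-007 check across all subscriptions.
# Assumes the AzureRM module is loaded and Connect-AzureRmAccount has already been run.
function Get-SqlThreatDetectionFindings {
    [CmdletBinding()]
    param(
        # When set, non-compliant servers are reconfigured with -ExcludedDetectionType "None"
        [switch]$Remediate
    )

    $findings = @()
    foreach ($sub in Get-AzureRmSubscription) {
        Set-AzureRmContext -SubscriptionId $sub.Id | Out-Null

        foreach ($server in Get-AzureRmSqlServer) {
            $policy = Get-AzureRmSqlServerThreatDetectionPolicy `
                -ServerName $server.ServerName `
                -ResourceGroupName $server.ResourceGroupName

            # Compliant only when Threat Detection is enabled and no detection type is excluded
            $excluded  = @($policy.ExcludedDetectionTypes)
            $compliant = ($policy.ThreatDetectionState -eq 'Enabled') -and ($excluded.Count -eq 0)

            if (-not $compliant -and $Remediate) {
                # Same call as the remediation step above, applied per server
                Set-AzureRmSqlServerThreatDetectionPolicy `
                    -ServerName $server.ServerName `
                    -ResourceGroupName $server.ResourceGroupName `
                    -ExcludedDetectionType "None" | Out-Null
            }

            $findings += [pscustomobject]@{
                Subscription    = $sub.Name
                ResourceGroup   = $server.ResourceGroupName
                ServerName      = $server.ServerName
                ThreatDetection = $policy.ThreatDetectionState
                ExcludedTypes   = ($excluded -join ',')
                Compliant       = $compliant
                Remediated      = (-not $compliant) -and $Remediate.IsPresent
            }
        }
    }
    return $findings
}

# Report the servers that fail the check; add -Remediate to fix them in place
Get-SqlThreatDetectionFindings | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it without -Remediate first and review the ExcludedTypes column, so that any server whose exclusions were set deliberately can be handled before the policy is changed.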

Publication date Jun 12, 2019