Logo of Trend Micro

Enable Email Alerts for Administrators and Subscription Owners

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that "Also send email notification to admins and subscription owners" feature is enabled for your Microsoft Azure SQL servers within Advanced Threat Protection service configuration settings. Advanced Threat Protection security service is managed by Advanced Data Security (ADS) – a security suite that includes services such as Data Discovery and Classification, Vulnerability Assessment and Advanced Threat Protection.

Security

Once the feature is enabled, your Azure account administrators and subscription owners should also receive email notifications upon detection of abnormal SQL database activity. These email alerts provide information on suspicious security events including the nature of the activity, server name, database name, application name, and the time when the event was triggered. In addition, the email notification alert provides information on possible causes and recommended actions to investigate the security issues and threats found and mitigate them in a successful manner. Sending email alerts to Azure administrators and subscription owners ensures that any security issue is reported as soon as possible, making it possible to mitigate any potential risk faster and easier.

Audit

To determine if "Also send email notification to admins and subscription owners" feature is enabled, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in your Azure account.

04 Click on the name of the SQL server that you want to examine.

05 In the navigation panel, under Security, select Advanced Data Security to access the ADS configuration settings for the selected database server.

06 On the Advanced Data Security configuration page, under ADVANCED THREAT PROTECTION SETTINGS, check the Also send email notification to admins and subscription owners checkbox. If the checkbox is not selected, the "Also send email notification to admins and subscription owners" feature is not enabled, therefore account administrators and subscription owners do not receive threat detection notification alerts for the selected SQL server.

07 Repeat steps no. 4 – 6 for each SQL database server available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run Get-AzSqlServer PowerShell cmdlet using custom query filters to list the names of all SQL database servers, available within the current Azure subscription: 

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information: 

ServerName          ResourceGroupName
----------          -----------------
cc-prod-sql-server  cloud-shell-storage-westeurope
cc-test-db-server   cloud-shell-storage-westeurope
cc-project5-server  cloud-shell-storage-westeurope

03 Run Get-AzureRmSqlServerThreatDetectionPolicy PowerShell command using the name of the SQL server that you want to examine as identifier parameter and custom query filters to obtain the "Also send email notification to admins and subscription owners" feature status for the selected SQL database server: 

Get-AzureRmSqlServerThreatDetectionPolicy -ServerName "cc-prod-sql-server" -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object EmailAdmins

04 The command output should return the requested feature configuration status (True for enabled, False for disabled): 

EmailAdmins
-----------
False

If Get-AzureRmSqlServerThreatDetectionPolicy cmdlet output returns False for the EmailAdmins configuration attribute, the "Also send email notification to admins and subscription owners" feature is not enabled, therefore Azure account administrators and subscription owners do not receive threat detection email alerts for the selected SQL database server.

05 Repeat step no. 3 and 4 for each SQL database server provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To enable Azure administrators and subscription owners to receive threat detection email notification alerts for their Microsoft Azure SQL servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL database servers available in your Azure account.

04 Click on the name of the SQL database server that you want to reconfigure.

05 In the navigation panel, under Security, select Advanced Data Security to access the ADS configuration settings for the selected database server.

06 On the Advanced Data Security configuration page, under ADVANCED THREAT PROTECTION SETTINGS, select Also send email notification to admins and subscription owners checkbox to enable sending threat detection notification alerts for the selected SQL server to Azure cloud account administrators and subscription owners.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each SQL database server available in the selected subscription.

09 Repeat steps no. 3 – 9 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run Set-AzureRmSqlServerThreatDetectionPolicy PowerShell command using the name of the SQL server that you want to reconfigure and the name of the associated resource group as identifier parameters (see Audit section part I to identify the right Azure resources) to enable sending notification alerts to Azure account administrators and subscription owners by setting the -EmailAdmins parameter to $True (the command does not produce an output): 

Set-AzureRmSqlServerThreatDetectionPolicy -ServerName "cc-prod-sql-server" -ResourceGroupName "cloud-shell-storage-westeurope" -EmailAdmins $True

02 Repeat step no. 1 for each SQL database server provisioned in the selected subscription.

03 Repeat step no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 24, 2019

Related Sql rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Email Alerts for Administrators and Subscription Owners

Risk level: Medium