Logo of Trend Micro

Enable Email Alerts for SQL Threat Detection Service

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that the Advanced Threat Protection service is configured to have at least one email address where notification alerts will be sent when abnormal activities are detected on your Microsoft Azure SQL database servers. Advanced Threat Protection security service is managed by Advanced Data Security (ADS) – a unified security package that provides Data Discovery and Classification, Vulnerability Assessment and Advanced Threat Protection for Azure SQL servers.

Security

By default, the "Send alerts to" setting is not enabled and configured. By providing at least one email address to receive notification alerts ensure that any detection of anomalous activity is reported as soon as possible to the right person or service, making it more likely to mitigate any potential risk faster and more efficiently.

Audit

To determine if "Send alerts to" setting is enabled and configured, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in your Azure account.

04 Click on the name of the SQL server that you want to examine.

05 In the navigation panel, under Security, select Advanced Data Security to access the ADS configuration settings for the selected database server.

06 On the ADS configuration page, under ADVANCED THREAT PROTECTION SETTINGS, check the Send alerts to box. If the Send alerts to box is empty, there is no email address configured to receive threat detection notification alerts for the selected Microsoft Azure SQL server.

07 Repeat steps no. 4 – 6 for each SQL database server provisioned in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run Get-AzSqlServer PowerShell command using custom query filters to list the names of all SQL database servers and the names of their associated resource groups, available in the current Azure subscription: 

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information: 

ServerName          ResourceGroupName
----------          -----------------
cc-ms-sql-server    cloud-shell-storage-westeurope
cc-prod-db-server   cloud-shell-storage-westeurope

03 Run Get-AzureRmSqlServerThreatDetectionPolicy PowerShell command using the name of the SQL server that you want to examine as identifier parameter and custom query filters to get the "Send alerts to" configuration setting status for the selected SQL database server: 

Get-AzureRmSqlServerThreatDetectionPolicy -ServerName "cc-ms-sql-server" -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object NotificationRecipientsEmails

04 The command output should return the requested setting configuration status: 

NotificationRecipientsEmails
----------------------------

If Get-AzureRmSqlServerThreatDetectionPolicy cmdlet output is not returning a value (i.e. one or more recipient email addresses) for the NotificationRecipientsEmails configuration attribute, as shown in the example above, there is no email address configured to receive threat detection notification alerts for the selected Microsoft Azure SQL database server.

05 Repeat step no. 3 and 4 for each SQL database server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To enable threat detection email notification alerts for your Microsoft Azure SQL servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select SQL server to list only the SQL database servers available in your Azure account.

04 Click on the name of the SQL database server that you want to reconfigure.

05 In the navigation panel, under Security, select Advanced Data Security to access the ADS configuration settings for the selected database server.

06 On the Advanced Data Security configuration page, under ADVANCED THREAT PROTECTION SETTINGS, provide one or more email addresses (semicolon-separated) to which notification alerts will be sent upon detection of anomalous activity on the selected Microsoft Azure SQL server.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each SQL database server available in the selected subscription.

09 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run Set-AzureRmSqlServerThreatDetectionPolicy PowerShell cmdlet using the name of the SQL server that you want to reconfigure and the name of the associated resource group as identifier parameters (see Audit section part I to identify the right resource) to enable sending notification alerts to the appropriate email recipient(s), defined for the -NotificationRecipientsEmails parameter, when security threats are detected for the selected Azure SQL database server (the command does not return an output): 

Set-AzureRmSqlServerThreatDetectionPolicy -ServerName "cc-ms-sql-server" -ResourceGroupName "cloud-shell-storage-westeurope" -NotificationRecipientsEmails "notifyme@cloudconformity.com"

02 Repeat step no. 1 for each SQL database server provisioned in the selected subscription.

03 Repeat step no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 24, 2019

Related Sql rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Email Alerts for SQL Threat Detection Service

Risk level: High