Description

Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for SQL servers on machines allows for greater defense-in-depth, functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.

Impact

Turning on Microsoft Defender for SQL servers on machines incurs an additional cost per resource.

Audit

From Azure Portal

Go to Microsoft Defender for Cloud.
Under Management, select Environment Settings.
Click on the subscription name.
Select the Defender plans blade.
Click Select types > in the row for Databases.
Ensure the toggle switch next to SQL servers on machines is set to On.

From Azure CLI

Ensure Defender for SQL is licensed with the following command:

az security pricing show -n SqlServerVirtualMachines

Ensure the PricingTier is set to Standard.

From PowerShell

Run the following command:

Get-AzSecurityPricing -Name 'SqlServerVirtualMachines' | Select-Object Name,PricingTier

Ensure the PricingTier is set to Standard.

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: 6581d072-105e-4418-827f-bd446d56421b - Name: Azure Defender for SQL servers on machines should be enabled
Policy ID: abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 - Name: Azure Defender for SQL should be enabled for unprotected Azure SQL servers

Default Value

By default, Microsoft Defender plan is off.

Rationale​

Impact​

Audit​

From Azure Portal​

From Azure CLI​

From PowerShell​

From Azure Policy​

Default Value​

References​