Configure Microsoft Defender for SQL Servers on machines to the Standard tier
Security · Microsoft Defender for Cloud · Rule · 2022_09 · Critical
Enable Microsoft Defender for SQL servers on machines.
Description
SQL databases are used to store critical and strategic assets for your company and should be carefully secured. Microsoft Defender for SQL Servers on machines represents a single go-to location to manage security capabilities.
Enabling Defender for SQL automatically enables Vulnerability Assessment for your SQL databases hosted in a VM. It discovers, tracks, and provides guidance to remediate potential database vulnerabilities.
Enabling at subscription level doesn't protect all your SQL servers. A Log Analytics agent must be deployed on the machine and the Log Analytics workspace must have Defender for SQL enabled.
Recommendation
Consider using Microsoft Defender for SQL Servers on machines to protect your SQL servers running on VMs.
Examples
Configure with Azure template
To enable Defender for SQL servers on machines:
- Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.
For example:
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2022-03-01",
  "name": "SqlServerVirtualMachines",
  "properties": {
    "pricingTier": "Standard"
  }
}
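A pre-deployment check for a template like the one above, as an added example that is not part of the original page and is not the rule's own logic. It looks for the `Microsoft.Security/pricings` resource named `SqlServerVirtualMachines`, including inside nested deployments, and reports whether it is set to Standard. The function names `iter_resources` and `check_template` are hypothetical, and the sample templates are constructed.

```python
import json

PLAN = "SqlServerVirtualMachines"  # plan name taken from the examples on this page

def iter_resources(resources):
    """Yield each resource, descending into child resources and nested deployments."""
    if isinstance(resources, dict):  # languageVersion 2.0 templates key resources by symbolic name
        resources = list(resources.values())
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        props = res.get("properties")
        if isinstance(props, dict) and isinstance(props.get("template"), dict):
            yield from iter_resources(props["template"].get("resources"))

def check_template(template_text):
    """Return 'pass', 'fail' or 'unresolved' for the SQL servers on machines plan."""
    verdict = "fail"  # no pricing resource for the plan: the template does not enable it
    for res in iter_resources(json.loads(template_text).get("resources")):
        if str(res.get("type", "")).lower() != "microsoft.security/pricings":
            continue
        name = str(res.get("name", ""))
        props = res.get("properties")
        tier = str(props.get("pricingTier", "")) if isinstance(props, dict) else ""
        if name.startswith("["):
            verdict = "unresolved"  # name is a template expression, known only at deployment
        elif name.lower() == PLAN.lower():
            if tier.startswith("["):
                return "unresolved"  # tier comes from a parameter or variable
            return "pass" if tier.lower() == "standard" else "fail"
    return verdict

# Constructed sample templates (not from the page).
NESTED_STANDARD = json.dumps({"resources": [{
    "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "defender",
    "properties": {"mode": "Incremental", "template": {"resources": [{
        "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01",
        "name": PLAN, "properties": {"pricingTier": "Standard"}}]}}}]})
FREE_TIER = json.dumps({"resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01",
    "name": PLAN, "properties": {"pricingTier": "Free"}}]})
PARAM_TIER = json.dumps({"resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01",
    "name": PLAN, "properties": {"pricingTier": "[parameters('tier')]"}}]})

if __name__ == "__main__":
    for label, text in [("nested", NESTED_STANDARD), ("free", FREE_TIER), ("param", PARAM_TIER)]:
        print(label, check_template(text))
```

An `unresolved` result means the plan name or tier is a template expression, so the parameter files used at deployment need to be reviewed as well.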
Configure with Bicep
To enable Defender for SQL servers on machines:
- Set the Standard pricing tier for Microsoft Defender for SQL servers on machines.
For example:
resource defenderForSQLOnVM 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'SqlServerVirtualMachines'
  properties: {
    pricingTier: 'Standard'
  }
}
Configure with Azure CLI
Configure with Azure PowerShell
Set-AzSecurityPricing -Name 'SqlServerVirtualMachines' -PricingTier 'Standard'
Notes
This rule applies when analyzing resources deployed (in-flight) to Azure.
Links
- Monitor Azure resources in Microsoft Defender for Cloud
- Introduction to Microsoft Defender for SQL Servers on machines
- Security considerations for SQL Server on Azure Virtual Machines
- Azure Security Benchmark - Data protection