title Protect Azure Arc-enabled SQL Server with Configure Microsoft Defender for Cloud
titleSuffix Azure Arc-enabled SQL Server
description Protect Azure Arc-enabled SQL Server with Microsoft Defender for Cloud
author anosov1960
ms.author sashan
ms.reviewer mikeray, randolphwest
ms.date 09/12/2022
ms.prod sql
ms.topic conceptual

Protect Azure Arc-enabled SQL Server with Microsoft Defender for Cloud

You can configure your instance connected to Azure with Microsoft Defender for Cloud by following these steps.

Prerequisites

Create a Log Analytics workspace

  1. Search for the Log Analytics workspaces resource type and add a new one through the creation pane.

    [!NOTE] You can use a Log Analytics workspace in any region so if you already have one, you can use it. But we recommend creating it in the same region where your Azure Arc-enabled SQL Server resource is created.

  2. Go to Agents management > Log Analytics agent instructions and copy Workspace ID and Primary key for later use.

Install Log Analytics Agent

The next step is needed only if you haven't yet configured the Log Analytics agent (MMA) on the remote machine.

  1. Go to Azure Arc > Servers and open the Azure Arc-enabled server resource for the machine where the SQL Server instance is installed.

  2. Open the Extensions blade and click + Add.

  3. Select Log Analytics Agent - Azure Arc and click Next.

  4. Set the Workspace ID and Workspace key using the values you saved in the previous step.

  5. After validation succeeds, select Create to install the agent. When the deployment completes, the status updates to Succeeded.

For more information, see Extension management with Azure Arc.
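
The portal steps above can also be scripted. The following is an added example, not part of the original article: it assumes the Azure CLI with the `connectedmachine` extension is installed and signed in, and the function names, the `WORKSPACE_KEY` environment variable and all resource names are placeholders chosen for illustration.

```shell
# Added example: scripted equivalent of the portal steps (placeholder names throughout).

# Reject anything that is not GUID-shaped before it is embedded in JSON.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Public settings: only the workspace ID belongs here, never the key.
mma_settings() {
  is_guid "$1" || { echo "workspace ID is not a GUID" >&2; return 1; }
  printf '{"workspaceId":"%s"}' "$1"
}

# The extension type depends on the OS of the Azure Arc-enabled server.
mma_type() {
  case "$1" in
    windows) echo MicrosoftMonitoringAgent ;;
    linux)   echo OmsAgentForLinux ;;
    *)       echo "os must be windows or linux" >&2; return 1 ;;
  esac
}

# Install the agent extension. The workspace key is read from the
# WORKSPACE_KEY environment variable (assumption) and passed as a
# protected setting so it is not stored with the readable extension settings.
install_mma() {
  machine=$1; rg=$2; location=$3; os=$4; workspace_id=$5
  [ -n "${WORKSPACE_KEY:-}" ] || { echo "export WORKSPACE_KEY first" >&2; return 1; }
  ext_type=$(mma_type "$os") || return 1
  settings=$(mma_settings "$workspace_id") || return 1
  az connectedmachine extension create \
    --machine-name "$machine" --resource-group "$rg" --location "$location" \
    --name "$ext_type" --type "$ext_type" \
    --publisher Microsoft.EnterpriseCloud.Monitoring \
    --settings "$settings" \
    --protected-settings "{\"workspaceKey\":\"$WORKSPACE_KEY\"}"
}
```

Call it as `install_mma <machine> <resource-group> <region> windows <workspace-id>` after exporting `WORKSPACE_KEY` with the Primary key copied earlier.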

Enable Microsoft Defender for Cloud

  1. Go to Azure Arc > SQL Servers and open the Azure Arc-enabled SQL server resource for the instance that you want to protect.

  2. Click on the Microsoft Defender for Cloud tile and then on Enable Microsoft Defender for Cloud.

  3. Follow the steps documented in Enable Microsoft Defender for SQL servers on machines.

Note

The first scan to generate the vulnerability assessment happens within 24 hours after enabling Microsoft Defender for Cloud. After that, auto scans are performed every week on Sunday.

Explore

Explore security anomalies and threats in Azure Security Center.

  1. Open your SQL Server – Azure Arc resource and select Security in the left menu to see the recommendations and alerts for that instance.

    :::image type="content" source="media/configure-advanced-data-security/security-heading-sql-server-arc.png" alt-text="Screenshot showing how to select security heading.":::

  2. Select any of the recommendations to see the vulnerability details in Security Center.

    :::image type="content" source="media/configure-advanced-data-security/vulnerabilities-report.png" alt-text="Screenshot showing the Vulnerability report.":::

  3. Select any security alert for full details and further explore the attack in Azure Sentinel. The following diagram is an example of the brute force alert.

    :::image type="content" source="media/configure-advanced-data-security/brute-force-alert.png" alt-text="Screenshot showing a brute force alert.":::

  4. Select Take action to mitigate the alert.

    :::image type="content" source="media/configure-advanced-data-security/brute-force-alert-mitigation.png" alt-text="Screenshot showing alert mitigation.":::

Note

The general Security Center link at the top of the page does not use the preview portal URL, so your SQL Server - Azure Arc resources are not visible there. Follow the links for the individual recommendations or alerts.

Next steps