Forum Discussion
Roberts951 (Copper Contributor), Sep 04, 2023
SQL Advanced Threat Protection - Requirements Unclear
When configuring Defender for SQL, nothing suggests auditing is required for ATP to work.
However, when looking at the audit section https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql#remarks one of the points says "After you've configured your auditing settings, you can turn on the new threat detection feature..."
This seems to be a requirement for SQL on Machines, however, is it for Azure SQL workloads? (MI & DB)
- SQL auditing is not a requirement for MDC to protect your Azure SQL, it's a recommendation based on the MS benchmark to increase your posture score. MDC will work if SQL audit is enabled or not.
6 Replies
- CruzAz (Former Employee): Just wanted to chime in here.
There are 2 concepts: Microsoft Defender for SQL and Advanced Threat Protection.
As you mentioned, MD for SQL does not rely on Auditing. But, the Advanced Threat Protection does.
https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql
- Roberts951 (Copper Contributor): It seems like a recommendation rather than a requirement, as per the wording: "For a full investigation experience, it is recommended to enable auditing,"
The MS support member also ran a test where he disabled auditing and ran a brute-force attack, which was picked up by that ATP functionality.
Roberts951, once you turn on Defender for Cloud for Azure SQL, MDC will automatically trigger a list of recommendations to apply for your Azure SQL based on the Microsoft cloud security benchmark standard, see example below
- Roberts951 (Copper Contributor): It doesn't specify that auditing is a requirement for the ATP functionality to be able to correlate and create alerts.