Forum Discussion
Roberts951
Sep 04, 2023
Copper Contributor
SQL Advanced Threat Protection - Requirements Unclear
When configuring Defender for SQL, nothing suggests auditing is required for ATP to work.
However, when looking at the audit section remarks, one of the points says "After you've configured your auditing settings, you can turn on the new threat detection feature..."
This seems to be a requirement for SQL on Machines, however, is it for Azure SQL workloads? (MI & DB)
- SQL auditing is not a requirement for MDC to protect your Azure SQL, it's a recommendation based on the MS benchmark to increase your posture score. MDC will work if SQL audit is enabled or not.
- CruzAz
Microsoft
Just wanted to chime in here.
There are 2 concepts: Microsoft Defender for SQL and Advanced Threat Protection.
As you mentioned, MD for SQL does not rely on Auditing. But the Advanced Threat Protection does.
https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql
https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql
- Roberts951
Copper Contributor
It seems like a recommendation rather than a requirement as per the wording: "For a full investigation experience, it is recommended to enable auditing,"
The MS support member also ran a test where he disabled auditing and ran a brute-force attack, which was picked up by that ATP functionality.
Roberts951 once you turn on Defender for Cloud for Azure SQL, MDC will automatically trigger a list of recommendations to apply for your Azure SQL based on the Microsoft cloud security benchmark standard, see example below
- Roberts951
Copper Contributor
It doesn't specify that the auditing is a requirement for the ATP functionality to be able to correlate and create alerts.
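The thread's conclusion is that auditing is recommended for the investigation experience but not required for ATP alerts to fire. The script below is an added example, not from any post in this thread or from Microsoft, that reports both settings side by side for each Azure SQL logical server so a defender can see where ATP is on but auditing is off. It assumes the Az.Sql module and an authenticated session; the cmdlet and property names (Get-AzSqlServerAudit, Get-AzSqlServerAdvancedThreatProtectionSetting, Set-AzSqlServerAudit, BlobStorageTargetState, ThreatDetectionState and similar) are taken from Az.Sql as the example's author knows it and should be checked with Get-Help in your own environment.

```powershell
# Added example (not from the thread): report, per Azure SQL logical server,
# whether Advanced Threat Protection is enabled and whether SQL auditing is
# enabled alongside it. Assumes the Az.Sql module and Connect-AzAccount has
# already been run. Cmdlet/property names below are assumptions based on the
# Az.Sql module as known to the example's author; verify with Get-Help.

function Get-SqlThreatProtectionPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServerName
    )

    # Server-level ATP setting (assumed cmdlet name).
    $atp = Get-AzSqlServerAdvancedThreatProtectionSetting `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName

    # Server-level auditing policy; auditing can target blob storage,
    # Event Hub or Log Analytics, and counts as "on" if any target is enabled.
    $audit = Get-AzSqlServerAudit `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName

    $auditTargets = @(
        $audit.BlobStorageTargetState,
        $audit.EventHubTargetState,
        $audit.LogAnalyticsTargetState
    )
    $auditEnabled = $auditTargets -contains 'Enabled'
    $atpEnabled   = $atp.ThreatDetectionState -eq 'Enabled'

    # Map the four combinations to the wording the thread settled on:
    # ATP alerts work without auditing, but investigation detail needs it.
    $verdict = if ($atpEnabled -and $auditEnabled) {
        'ATP on, auditing on: alerts plus full investigation experience'
    } elseif ($atpEnabled) {
        'ATP on, auditing off: alerts only; enable auditing for investigation detail'
    } elseif ($auditEnabled) {
        'Auditing on, ATP off: audit trail but no threat detection alerts'
    } else {
        'Neither enabled'
    }

    [pscustomobject]@{
        ResourceGroup = $ResourceGroupName
        Server        = $ServerName
        AtpEnabled    = $atpEnabled
        AuditEnabled  = $auditEnabled
        AuditTargets  = ($auditTargets -join ',')
        Verdict       = $verdict
    }
}

# Optional remediation for the "ATP on, auditing off" case: enable server
# auditing to a storage account. Parameter names are assumed from Az.Sql.
function Enable-SqlServerAuditToStorage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $StorageAccountResourceId,
        [int] $RetentionInDays = 90
    )
    Set-AzSqlServerAudit `
        -ResourceGroupName $ResourceGroupName `
        -ServerName $ServerName `
        -BlobStorageTargetState Enabled `
        -StorageAccountResourceId $StorageAccountResourceId `
        -RetentionInDays $RetentionInDays
}

# Usage: inventory every logical server in the current subscription.
Get-AzSqlServer |
    ForEach-Object {
        Get-SqlThreatProtectionPosture `
            -ResourceGroupName $_.ResourceGroupName -ServerName $_.ServerName
    } |
    Format-Table ResourceGroup, Server, AtpEnabled, AuditEnabled, Verdict -AutoSize
```

The report is read-only; only the separate Enable-SqlServerAuditToStorage function changes anything, and it is not invoked by the inventory pipeline. Servers that show "ATP on, auditing off" are the ones where the thread's "full investigation experience" recommendation applies.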