Threat Protection for SQL IaaS VMs running on-premises using Azure Security Center

Published 08-19-2020 10:47 AM

This blog post continues the series about Azure Security Center threat protection for SQL IaaS VMs. As you learned in the previous post, Azure Security Center protects SQL Server hosted on Azure VMs, on Azure Arc enabled servers, and on-premises. This post focuses on SQL Server running on-premises and on how to leverage ASC threat protection for SQL in that scenario.

 

SQL Server running on-premises

If SQL Server is installed on a Windows machine located on-premises and not yet connected through Azure Arc, you have two options for connecting it to Azure:

  1. Deploy Azure Arc.
  2. Connect the Windows machine to Azure Security Center without Azure Arc, using the Log Analytics agent.

Deploying Azure Arc

You can connect any Windows machine to Security Center; however, Azure Arc provides deeper integration across your whole Azure environment. If you set up Azure Arc, you will see the SQL Server – Azure Arc page in the portal, and your security alerts will appear on a dedicated Security tab on that page. Setting up Azure Arc on the host is therefore the first and recommended option. Please refer to this blog post for SQL VMs hosted on Azure Arc.

 

Connect Windows machines to Azure Security Center without Azure Arc

Security Center can monitor the security posture of non-Azure computers, but you first need to onboard these resources. If you choose to connect a SQL Server running on a Windows machine without using Azure Arc, use the Add non-Azure servers option from the Getting started blade or from the Compute blade, as shown in Images 1 and 2.

 

Image 1: Add Non-Azure Servers

 

Image 2: Onboard servers to Security Center

 

You will be redirected to the Direct Agent page, from which you can download and install the appropriate Windows agent, together with the workspace ID and key the agent needs to report to your Log Analytics workspace.

 

TIP: You can connect any on-premises machine to Azure Security Center by manually installing the Log Analytics agent. This extends Security Center's capabilities to servers running outside Azure, whether on-premises or in other clouds. Just make sure the machine (in our scenario, the SQL Server host) is connected to the relevant Log Analytics workspace. You can check this by navigating to Log Analytics workspace > Advanced settings > Connected sources and choosing Windows servers or Linux servers, as shown in Image 3.

 

Image 3: Confirmation of Connected Sources

 

Once the Log Analytics agent is installed and reporting, Azure Security Center starts assessing the machine and raises a prioritized list of recommendations for any setting that does not follow security best practices.

Note: for step-by-step instructions to onboard a non-Azure computer, please refer to this article.
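The onboarding steps above can be scripted. The following PowerShell is an added example, not part of the original post: it checks outbound reachability to the workspace endpoints, silently installs the Log Analytics (Microsoft Monitoring Agent) agent with the documented setup switches, or attaches an already-installed agent to the workspace, and then confirms from the host itself that the agent reports "Connected" (the host-side counterpart of the Connected sources check in Image 3). Assumptions: you run it in an elevated PowerShell session on the SQL host, $WorkspaceId and $WorkspaceKey are the values from the workspace's Agents management page, and the installer URL is Microsoft's public 64-bit agent download link.

```powershell
# Added example (not from the original post): onboard an on-premises Windows SQL host to a
# Log Analytics workspace with the Log Analytics (MMA) agent and verify the connection locally.
# Assumptions: elevated session; WorkspaceId/WorkspaceKey come from the workspace's
# "Agents management" page; the URL is the public 64-bit agent installer link.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [Parameter(Mandatory)][string]$WorkspaceKey
)

$ErrorActionPreference = 'Stop'
$InstallerUrl  = 'https://go.microsoft.com/fwlink/?LinkId=828603'      # Windows 64-bit agent
$InstallerPath = Join-Path $env:TEMP 'MMASetup-AMD64.exe'

function Test-WorkspaceEndpoints {
    # The agent only needs outbound TCP 443 to these workspace-specific endpoints (Azure public cloud).
    param([string]$Id)
    $endpoints = @("$Id.ods.opinsights.azure.com",
                   "$Id.oms.opinsights.azure.com",
                   "$Id.agentsvc.azure-automation.net")
    foreach ($endpoint in $endpoints) {
        $r = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $endpoint; Reachable = $r.TcpTestSucceeded }
    }
}

function Install-MmaAgent {
    # Silent install using the documented setup switches; AZURE_CLOUD_TYPE=0 is the Azure public cloud.
    param([string]$Id, [string]$Key)
    Invoke-WebRequest -Uri $InstallerUrl -OutFile $InstallerPath
    $setupArgs = "/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 " +
                 "OPINSIGHTS_WORKSPACE_ID=$Id OPINSIGHTS_WORKSPACE_KEY=$Key AcceptEndUserLicenseAgreement=1"
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList "/C:`"setup.exe $setupArgs`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "MMA installer exited with code $($proc.ExitCode)" }
}

function Get-MmaWorkspaceStatus {
    # The installed agent exposes its workspace configuration through this COM object.
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $mma.GetCloudWorkspaces() | ForEach-Object {
        [pscustomobject]@{
            WorkspaceId = $_.workspaceId
            Status      = $_.ConnectionStatusText    # expect "Connected"
        }
    }
}

Test-WorkspaceEndpoints -Id $WorkspaceId | Format-Table -AutoSize

if (-not (Get-Service -Name HealthService -ErrorAction SilentlyContinue)) {
    Install-MmaAgent -Id $WorkspaceId -Key $WorkspaceKey
} else {
    # Agent already present (for example from SCOM or another workspace): add this workspace to it.
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    if (-not ($mma.GetCloudWorkspaces() | Where-Object workspaceId -eq $WorkspaceId)) {
        $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
        $mma.ReloadConfiguration()
    }
}

Start-Sleep -Seconds 30    # give HealthService time to complete the first handshake
Get-MmaWorkspaceStatus | Format-Table -AutoSize
```

If any endpoint shows Reachable = False, fix the firewall or proxy before troubleshooting the agent; the workspace will never list the machine under Connected sources until the agent can reach the ODS and OMS endpoints over TLS.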

 

Validating SQL threat detection

When Azure Security Center identifies suspicious or pre-attack activity against the SQL Server, you should be able to view the alert in the Security alerts section, as shown in Image 4.

 

Note: Make sure you have the Non-Azure environment selected in the filter.

 

Image 4: Security Alerts snapshot

 

You can further investigate Azure Security Center alerts using the SIEM solution you already have, whether an on-premises SIEM or Azure Sentinel, the cloud-native SIEM. Azure Sentinel has a built-in connector for ingesting ASC alerts. Refer to this article to understand the integration of Azure Security Center with Azure Sentinel.

If you have an existing SIEM solution, check this article to understand how you can use Azure Sentinel alongside your existing SIEM.

 

Conclusion

Alerts are designed to be self-contained, with detailed remediation steps and investigation information in each one. You can investigate further by using Azure Security Center and Azure Sentinel capabilities for a broader view:

  • Enable SQL Server's auditing feature for further investigations. If you are an Azure Sentinel user, you can write the SQL Server audit to the Windows Security log and collect those Security events into Sentinel for a rich investigation experience. Learn more about SQL Server Auditing.
  • To improve your security posture, use Security Center's recommendations for the host machine indicated in each alert. This will reduce the risks of future attacks.
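The first bullet is worth showing end to end, because SQL Server audit events only reach the Security log when two Windows prerequisites are met. The following PowerShell is an added example, not part of the original post: it enables the "Application Generated" audit subcategory, creates a server audit that targets the Windows Security log with a specification covering logins and principal changes, triggers one deliberate failed login, and then verifies that Event ID 33205 (the SQL Server audit event) was written. Assumptions: you run it elevated on the SQL host with sysadmin rights via Windows authentication, the SqlServer PowerShell module is installed, the instance is the default instance (service MSSQLSERVER), and the audit name SecurityLogAudit is a placeholder chosen for this example. For the events to appear in Sentinel, the workspace must also be collecting Windows Security events (Security Center's data collection settings or the Azure Sentinel Security Events connector).

```powershell
# Added example (not from the original post): send SQL Server audit events to the Windows Security log
# and verify they arrive, so the Log Analytics agent can forward them as SecurityEvent records.
# Assumptions: elevated session on the SQL host, SqlServer module installed, Windows auth with
# sysadmin rights, default instance; the audit name is a placeholder for this example.
param(
    [string]$ServerInstance = $env:COMPUTERNAME,
    [string]$AuditName      = 'SecurityLogAudit'
)

Import-Module SqlServer -ErrorAction Stop

# 1. Windows prerequisites. Without the "Application Generated" subcategory the events are silently
#    dropped, and the SQL Server service account needs the "Generate security audits" right.
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
$svc = Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'"
Write-Host "SQL Server runs as '$($svc.StartName)'; grant it 'Generate security audits' (SeAuditPrivilege) if not already done."

# 2. Create the audit and its specification idempotently, then enable the audit.
$tsql = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName')
    CREATE SERVER AUDIT [$AuditName] TO SECURITY_LOG WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'${AuditName}_Logins')
    CREATE SERVER AUDIT SPECIFICATION [${AuditName}_Logins] FOR SERVER AUDIT [$AuditName]
        ADD (FAILED_LOGIN_GROUP),
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
        WITH (STATE = ON);
IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName' AND is_state_enabled = 0)
    ALTER SERVER AUDIT [$AuditName] WITH (STATE = ON);
SELECT name, is_state_enabled FROM sys.server_audits WHERE name = N'$AuditName';
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tsql | Format-Table -AutoSize

# 3. Produce one failed SQL login (a non-existent login with a throwaway password) and confirm the
#    audit event reached the Security log. 33205 is the SQL Server audit event ID.
try {
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Username 'audit_probe' -Password 'not-a-real-password' `
                  -Query 'SELECT 1' -ErrorAction Stop | Out-Null
} catch {
    Write-Host 'Probe login failed as intended.'
}
Start-Sleep -Seconds 3
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=33205]]" -MaxEvents 5 |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

ON_FAILURE = CONTINUE keeps the instance running if the Security log is full or unreachable; switch it to SHUTDOWN only if your policy requires fail-closed auditing and you have tested the operational impact.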

What are you waiting for? Go ahead, leverage Azure Security Center to protect your SQL IaaS VMs.

 

Special thanks to:

Yuri Diogenes, Senior PM, CxE Security – ASC Team for reviewing this post.

Last update: Aug 20 2020 11:26 AM