Azure Sentinel SQL Solution Query Deep-Dive - Microsoft Tech Community
In May 2021, Azure Sentinel Solutions launched into public preview. This launch gave Azure Sentinel preview customers access to over 32 solutions spanning Microsoft and other vendor data sources.
As part of this release, Azure Defender and the Microsoft Threat Intelligence Center (MSTIC) collaborated to contribute detection and hunting queries to the Azure Sentinel for Azure SQL solution. These queries are based on real-world attack scenarios and provide a basis for detecting and investigating potential SQL exploitation attacks.
In this Tech Community post we will cover each of the detection and hunting queries included in the Azure Sentinel SQL solution. For each query, the post describes what malicious activity it is designed to uncover, explains how to tailor it to your environment using its configurable parameters, and provides some insight into how the query works.
Whilst the detection and hunting queries discussed in this Tech Community post focus on Azure SQL, many of the techniques can be adapted to work with any relational database management system (RDBMS).