Respond to Defender open-source database alerts

Microsoft Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases for the following services:

and for RDS instances on AWS (Preview):

  • Aurora PostgreSQL
  • Aurora MySQL
  • PostgreSQL
  • MySQL
  • MariaDB

To get alerts from the Microsoft Defender plan, you first need to enable Defender for open-source relational databases on your Azure or AWS account.

Learn more about this Microsoft Defender plan in Overview of Microsoft Defender for open-source relational databases.

Prerequisites

Respond to alerts in Defender for Cloud

When Microsoft Defender for Cloud is enabled on your database, it detects anomalous activities and generates alerts. These alerts are available from multiple locations, including:

  • In the Azure portal:

    • Microsoft Defender for Cloud's security alerts page - Shows alerts for all resources protected by Defender for Cloud in the subscriptions you have permission to view.
    • The resource's Microsoft Defender for Cloud page - Shows alerts and recommendations for one specific resource.
  • In the inbox of whoever in your organization has been designated to receive email alerts.

Tip

A live tile on Microsoft Defender for Cloud's overview dashboard tracks the status of active threats to all your resources, including databases. Select the security alerts tile to go to the Defender for Cloud security alerts page and get an overview of active threats detected on your databases.

For detailed steps and the recommended method to respond to security alerts, see Respond to a security alert.

Respond to email notifications of security alerts

Defender for Cloud sends email notifications when it detects anomalous database activities. The email includes details of the suspicious security event, such as the nature of the anomalous activities, database name, server name, application name, and event time. The email also provides information on possible causes and recommended actions to investigate and mitigate any potential threats to the database.

  1. From the email, select the View the full alert link to launch the Azure portal and show the security alerts page, which provides an overview of active threats detected on the database.

    Defender for Cloud's email notification about a suspected brute force attack.

    View active threats at the subscription level from within the Defender for Cloud portal pages:

    Active threats on one or more subscriptions are shown in Microsoft Defender for Cloud.

  2. For additional details and recommended actions for investigating the current threat and remediating future threats, select a specific alert.

    Screenshot that shows the details of a specific alert.

Tip

For a detailed tutorial on how to handle your alerts, see Manage and respond to alerts.

Next step