question

NafilaAfrin-7897 avatar image
0 Votes"
NafilaAfrin-7897 asked vipulsparsh-MSFT commented

SQL Server-Azure Arc- Azure Defender is Off

Hi ,

I have my SQL server-Azure Arc machine and i have Azure Defender for SQL server enabled in pricing and Settings in Security Center. However, my sql server-Azure Arc machine shows OFF. Kindly help on how to enable the Azure defender ON

145275-sql-azure-defender.png


microsoft-sentinel
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

vipulsparsh-MSFT avatar image
0 Votes"
vipulsparsh-MSFT answered

@NafilaAfrin-7897 Thanks for reaching out Nafila.

Azure Arc enabled SQL servers needs to be onboarded by enabling SQL servers on machines option under pricing and settings for Azure defender.
Please sure that this is enabled :
145530-image.png


Is it is already enabled, it might take upto 24 hours to reflect the changes and assessments. Let me know if you still do not see that after that period.



Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



image.png (7.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

NafilaAfrin-7897 avatar image
0 Votes"
NafilaAfrin-7897 answered vipulsparsh-MSFT commented

Hi @vipulsparsh-MSFT ,

Thanks for the reply.

Do we need to enable Audit specification in MSSQL server to use the Azure Defender for SQL?

currently i didnt enable audit in MSSQL server. I have executed few SQL injection queries in MSSQL server for testing. However, in Security Center, i couldnt find any alert for SQL injection.

These are the steps i performed for Azure Defender for On-Prem MSSQL Server
1. Installed Azure Arc Agent in on-prem windows Machine which has MSSQL server installed.
2. Deployed Log Analytic Agent in on-prem windows Machine which has MSSQL server installed.
3. Installed SQL Server Extension in on-prem windows Machine which has MSSQL server installed.
4. Enabled Azure Defender For SQL Pricing Plan in Azure Defender.

In my Azure Portal, i can see my onboarded on-prem Azure arc sql server machine with Azure Defender ON. But am not receiving any security alerts even though i have executed SQL injection queries. Thats why asking whether we need to enable Audit specification in MSSQL server?


Thanks in Advance





· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@NafilaAfrin-7897 No, you do not need to enable Audit for using the Azure Defender. Can you send a screenshot of your step : 4 ? about enabling SQL in Azure Defender.

0 Votes 0 ·
NafilaAfrin-7897 avatar image
0 Votes"
NafilaAfrin-7897 answered vipulsparsh-MSFT commented

Hi @vipulsparsh-MSFT ,

Please find the attached screenshot below145683-defender.png



defender.png (25.0 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

It will start reporting soon.

0 Votes 0 ·
NafilaAfrin-7897 avatar image
0 Votes"
NafilaAfrin-7897 answered vipulsparsh-MSFT commented

Hi @vipulsparsh-MSFT ,

Its been 2 days, but its still not reporting. is there any simulation test we can do on MSSQL server to see whether the alert has been triggered on Security Center?

Thanks

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@NafilaAfrin-7897 Normally the first scan is done in 24 hours, so It should start showing the assessments. You can start a manual scan as well to trigger it : Follow this :
https://docs.microsoft.com/en-us/sql/sql-server/azure-arc/assess?view=sql-server-ver15

0 Votes 0 ·