The Defender for SQL on Machines plan in Microsoft Defender for Cloud protects your IaaS SQL Servers hosted on VMs in Azure, in multicloud environments, and on on-premises machines.
- Learn about SQL Server on Virtual Machines.
- To use the plan, on-premises SQL servers must be onboarded to Defender for Cloud as Azure Arc VMs. Learn more about SQL Server enabled by Azure Arc.
- For multicloud SQL Server machines, AWS accounts and GCP projects must be connected to Defender for Cloud.
Defender for SQL Servers on Machines identifies and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate threats to your databases.
- Vulnerability assessment: Defender for Cloud uses vulnerability assessment to discover, track, and assist you in the remediation of potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state and provide details of any security findings.
- Threat protection: Defender for Cloud raises alerts when it detects suspicious database activities, potentially harmful attempts to access or exploit SQL machines, SQL injection attacks, and anomalous database access and query patterns. Review SQL alerts.
Azure Monitor Agent
The Defender for SQL Servers on Machines plan in Microsoft Defender for Cloud uses the Azure Monitor Agent (AMA) to prevent attacks and detect misconfigurations.
Note
The Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is set to retire. Use of the MMA for the Defender for SQL Servers on Machines plan was phased out in August 2024. AMA replaces MMA for the Defender for SQL Servers on Machines plan.
Autoprovisioning of AMA for SQL
A SQL Server-targeted AMA autoprovisioning process is enabled by default when you enable the Defender for SQL Servers on Machines plan.
- You can turn autoprovisioning on and off as needed.
- You can also deploy the agent yourself by using a number of methods. Learn about deployment options.
Migrating to the AMA
If you're still using MMA for the Defender for SQL Servers on Machines plan, follow the migration steps to deploy AMA autoprovisioning.
You can run both the Log Analytics and Azure Monitor Agents on the same machine, but you should be aware of these considerations:
- Certain recommendations or alerts are reported by both agents and will appear twice in Defender for Cloud.
- Each machine is billed once in Defender for Cloud, but make sure you track billing of other services connected to Log Analytics and Azure Monitor, such as the Log Analytics workspace data ingestion.
- Both agents affect performance on the machine.
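An added example (not from the original page and not Microsoft tooling) that sorts machines from an extension inventory into those still on MMA only, those running both agents, and those on AMA only. The record shape, machine names and function names are assumptions, and the sample rows are constructed.

```python
# Extension type names under which the two agents are installed on
# Azure VMs and Azure Arc machines (compared case-insensitively).
MMA_TYPES = {"microsoftmonitoringagent", "omsagentforlinux"}
AMA_TYPES = {"azuremonitorwindowsagent", "azuremonitorlinuxagent"}

# Constructed sample inventory (not real machines). Assumed shape: one row
# per installed extension, e.g. exported from an inventory query.
SAMPLE_INVENTORY = [
    {"machine": "sql-prod-01", "extension_type": "MicrosoftMonitoringAgent"},
    {"machine": "sql-prod-01", "extension_type": "AzureMonitorWindowsAgent"},
    {"machine": "sql-prod-02", "extension_type": "AzureMonitorWindowsAgent"},
    {"machine": "sql-arc-07", "extension_type": "MicrosoftMonitoringAgent"},
    {"machine": "sql-dev-03", "extension_type": "CustomScriptExtension"},
]


def classify_agents(inventory):
    """Return {machine: 'both' | 'mma_only' | 'ama_only' | 'none'}."""
    seen = {}
    for row in inventory:
        agents = seen.setdefault(row["machine"], set())
        ext = row["extension_type"].strip().lower()
        if ext in MMA_TYPES:
            agents.add("mma")
        elif ext in AMA_TYPES:
            agents.add("ama")
    labels = {frozenset({"mma", "ama"}): "both", frozenset({"mma"}): "mma_only",
              frozenset({"ama"}): "ama_only", frozenset(): "none"}
    return {m: labels[frozenset(a)] for m, a in seen.items()}


def migration_report(inventory):
    """Group machines by agent state so follow-up work can be assigned."""
    # dual_agent: expect duplicate alerts and extra performance load.
    # needs_ama:  still relying on the retired MMA for this plan.
    buckets = {"both": "dual_agent", "mma_only": "needs_ama",
               "ama_only": "ama_only", "none": "no_agent"}
    report = {name: [] for name in buckets.values()}
    for machine, state in sorted(classify_agents(inventory).items()):
        report[buckets[state]].append(machine)
    return report


if __name__ == "__main__":
    for group, machines in migration_report(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(machines) or '-'}")
```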
Customizing the Log Analytics workspace
The AMA requires Log Analytics workspace solutions. These solutions are automatically installed when you autoprovision the Azure Monitor Agent with the default workspace.
When you install the AMA with autoprovisioning, you can define the destination workspace of the installed extensions.
By default, the destination is the default workspace that Defender for Cloud creates for each region in the subscription: defaultWorkspace-<subscriptionId>-<regionShortName>. Defender for Cloud automatically configures the data collection rules, workspace solution, and other extensions for that workspace.
If you configure a custom Log Analytics workspace:
- Defender for Cloud only configures the data collection rules and other extensions for the custom workspace. You have to configure the workspace solution on the custom workspace.
- Machines with the MMA that report to a Log Analytics workspace with the security solution are billed even when the Defender for Servers plan isn't enabled. Machines with the AMA are billed only when the plan is enabled on the subscription.