Section 11 – Manage security operations – Configure and manage threat protection – Defender for SQL and Threat Model Tool

  • Configure Azure Defender for SQL
  • Use the Microsoft Threat Modeling Tool

Configure Azure Defender for SQL


Release state:Microsoft Defender for Azure SQL database servers – Generally available (GA)
Microsoft Defender for SQL servers on machines – Generally available (GA)
Pricing:The two plans that form Microsoft Defender for SQL are billed as shown on the pricing page
Protected SQL versions:SQL on Azure virtual machines
SQL Server on Azure Arc-enabled servers
On-premises SQL servers on Windows machines without Azure Arc
Azure SQL single databases and elastic pools
Azure SQL Managed Instance
Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool
Clouds: Commercial clouds
 Azure Government
 Azure China 21Vianet (Partial: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren’t available.)


Microsoft Defender for SQL on Azure€13.511/Instance/month2
Microsoft Defender for SQL outside Azure€9.863/vCore/month3

2 Microsoft Defender for SQL on Azure price applies to SQL servers on Azure SQL Database, Azure SQL Managed Instance and Azure Virtual Machines.

3 Microsoft Defender for SQL outside Azure price applies on Azure Arc enabled SQL Servers, which extends Azure services to SQL Server instances hosted outside of Azure in the customer’s datacenter, on the edge or in a multi-cloud environment.

What does it do?

Microsoft Defender for SQL comprises two separate Microsoft Defender plans:

When you enable either of these plans, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.

What about the benefits??

These two plans include functionality for identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.

A vulnerability assessment service discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines’ security state, and details of any security findings.

An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate to the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about advanced threat protection.

Alerts in Microsoft Defender for SQL?

Threat intelligence enriched security alerts are triggered when there’s:

  • Potential SQL injection attacks – including vulnerabilities detected when applications generate a faulty SQL statement in the database
  • Anomalous database access and query patterns – for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
  • Suspicious database activity – for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server

Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.

How to enable?

Microsoft has consolidated all Defender product to the same page under Defender for Cloud and Defender plans.

When you are creating and SQL, you can find Defender under the provisioning steps.

The plan consolidates all database resource types. The “Select types” control provides pricing information and quantity for each resource type, as well as the ability to exclude certain types.

When you open SQL-database, you will find the following options

From server settings you will find settings for assessment scanning

And for threat protection

Under Configure threat detection types you can enable or disable detections

And under audit, you can enable auditing for SQL and for Microsoft support operations

But there is also free features

Like Ledger which is still in preview.

Azure SQL Ledger

With Ledger you can verify the integrity of your data and detect possible tampering.

Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators. As with a traditional ledger, the feature preserves historical data. If a row is updated in the database, its previous value is maintained and protected in a history table. Ledger provides a chronicle of all changes made to the database over time.

Diagram of the ledger table architecture.

Each transaction that the database receives is cryptographically hashed (SHA-256). The hash function uses the value of the transaction, along with the hash of the previous transaction, as input to the hash function. (The value includes hashes of the rows contained in the transaction.) The function cryptographically links all transactions together, like a blockchain.

Ledger functionality is introduced to tables in Azure SQL Database in two forms:

You create and database with the Ledger with the following instructions.

Identity management

There is also on option to use system or user assigned managed identities, which is still is preview.

Here are some of the benefits of using Managed identities:

  • You don’t need to manage credentials. Credentials are not even accessible to you.
  • You can use managed identities to authenticate to any resource that supports Azure Active Directory authentication including your own applications.
  • Managed identities can be used without any additional cost.

And there are description for the identities that can be used.

  • System-assigned Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity an identity is created in Azure AD that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
  • User-assigned You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.

How to use the managed identities as a Developer?

some examples of how a developer may use managed identities to get access to resources from their code without managing authentication information

What Azure services support the feature?

Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.

Transparent Data Encryption

With TDE you will bring your own certificates to encrypt the data just like in Azure Information Protection.

You will have keys to access your data not Microsoft. So you have to keep them safe.

Benefits of TDE

Customer-managed TDE provides the following benefits to the customer:

  • Full and granular control over usage and management of the TDE protector;
  • Transparency of the TDE protector usage;
  • Ability to implement separation of duties in the management of keys and data within the organization;
  • Key Vault administrator can revoke key access permissions to make encrypted database inaccessible;
  • Central management of keys in AKV;
  • Greater trust from your end customers, since AKV is designed such that Microsoft cannot see nor extract encryption keys;

Microsoft Threat Modeling Tool

SDL Process

What it is?

The Microsoft Threat Modeling Tool 2018 was released as GA in September 2018 as a free click-to-download. The change in delivery mechanism allows us to push the latest improvements and bug fixes to customers each time they open the tool, making it easier to maintain and use. This article takes you through the process of getting started with the Microsoft SDL threat modeling approach and shows you how to use the tool to develop great threat models as a backbone of your security process.

Download here and install

Once done, the application main page will open

Choose create a model you will see templates that can be used

Analyzing threats

Once he clicks on the analysis view from the icon menu selection (file with magnifying glass), he is taken to a list of generated threats the Threat Modeling Tool found based on the default template, which uses the SDL approach called STRIDE (Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege). The idea is that software comes under a predictable set of threats, which can be found using these 6 categories.

STRIDE model

To better help you formulate these kinds of pointed questions, Microsoft uses the STRIDE model, which categorizes different types of threats and simplifies the overall security conversations.

SpoofingInvolves illegally accessing and then using another user’s authentication information, such as username and password
TamperingInvolves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet
RepudiationAssociated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Non-Repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package
Information DisclosureInvolves the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers
Denial of ServiceDenial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability
Elevation of PrivilegeAn unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed


After you finish changing priorities and updating the status of each generated threat, you can save the file and/or print out a report. Go to Report > Create Full Report.

Threat model section

Feedback, Suggestions and Issues ButtonTakes you the MSDN Forum for all things SDL. It gives you an opportunity to read through what other users are doing, along with workarounds and recommendations. If you still can’t find what you’re looking for, email for our support team to help you
Create a ModelOpens a blank canvas for you to draw your diagram. Make sure to select which template you’d like to use for your model
Template for New ModelsYou must select which template to use before creating a model. Our main template is the Azure Threat Model Template, which contains Azure-specific stencils, threats and mitigations. For generic models, select the SDL TM Knowledge Base from the drop-down menu. Want to create your own template or submit a new one for all users? Check out our Template Repository GitHub Page to learn more
Open a ModelOpens previously saved threat models. The Recently Opened Models feature is great if you need to open your most recent files. When you hover over the selection, you’ll find 2 ways to open models:Open From this Computer – classic way of opening a file using local storageOpen from OneDrive – teams can use folders in OneDrive to save and share all their threat models in a single location to help increase productivity and collaboration
Getting Started GuideOpens the Microsoft Threat Modeling Tool main page

Things to remember

Protected SQL versions:

Threat intelligence enriched security alerts are triggered when there’s:

  • Potential SQL injection attacks – including vulnerabilities detected when applications generate a faulty SQL statement in the database
  • Anomalous database access and query patterns – for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
  • Suspicious database activity – for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server

Threat detection types available

How TDE works

What is the STRIDE ( Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege) model

Link to main post

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *