Azure SQL Server Advanced Data Security Does Not Send Alerts To Service And Co-administrators

Advanced data security (ADS) provides a set of advanced SQL security capabilities, including vulnerability assessment, threat detection, and data discovery and classification. This policy identifies Azure SQL Servers that are not enabled with ADS. As a best practice, enable ADS so that the administrators—service and co-administrator—can receive email alerts when anomalous activities are detected on the SQL Servers.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

Azure SQL Server advanced data security does not send alerts to service and co-administrators.
JSON Query:
$.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].state anyEqual Disabled or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].email_account_admins anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].email_account_admins anyFalse
Recommendation:
Recommended solution for making sure that data security sends alerts to service and co-administrators.
It is recommended that Azure SQL Server advanced data security sends alerts to service and co-administrators. Make sure your template has "threat_detection_policy" defined for "azurerm_sql_database", with "state" set to "enabled" and "email_account_admins" set to "true".
For example:
"azurerm_sql_database": [
  {
    "<sql_database_name>": [
      {
        "location": "West US",
        "name": "mysqldatabase",
        "resource_group_name": "${azurerm_resource_group.example.name}",
        "server_name": "${azurerm_sql_server.example.name}",
        "threat_detection_policy": [
          {
            "state": "enabled",
            "email_account_admins": true
          }
        ]
      }
    ]
  }
]
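The four conditions of the JSON query above can be reproduced as a local pre-commit check. The following is an added example, not the policy engine's own code: the function names and the sample template are constructed for illustration, and it assumes the state value is compared case-insensitively and that a block may appear either as a single object or as a list of objects.

```python
import json

# Constructed sample template; the resource labels are hypothetical.
SAMPLE = json.loads("""
{"resource": [{"azurerm_sql_database": [{
  "db_ok":        [{"threat_detection_policy": [{"state": "enabled", "email_account_admins": true}]}],
  "db_no_policy": [{"name": "legacy"}],
  "db_disabled":  [{"threat_detection_policy": [{"state": "Disabled", "email_account_admins": true}]}],
  "db_no_email":  [{"threat_detection_policy": [{"state": "enabled"}]}],
  "db_email_off": [{"threat_detection_policy": [{"state": "enabled", "email_account_admins": false}]}]
}]}]}
""")

def as_dicts(node):
    """Normalise a block that may be one object or a list of objects."""
    items = node if isinstance(node, list) else [node]
    return [item for item in items if isinstance(item, dict)]

def check_database(body):
    """Return the query conditions that one azurerm_sql_database body trips."""
    policies = as_dicts(body.get("threat_detection_policy"))
    if not policies:
        return ["threat_detection_policy is null"]
    reasons = []
    for policy in policies:
        # Assumption: "Disabled" is matched regardless of letter case.
        if str(policy.get("state", "")).lower() == "disabled":
            reasons.append("state is Disabled")
        admins = policy.get("email_account_admins")
        if admins is None:
            reasons.append("email_account_admins is null")
        elif admins is False or str(admins).lower() == "false":
            reasons.append("email_account_admins is false")
    return reasons

def find_violations(template):
    """Map each flagged database label to the conditions it trips."""
    findings = {}
    for block in as_dicts(template.get("resource")):
        for named in as_dicts(block.get("azurerm_sql_database")):
            for label, bodies in named.items():
                for body in as_dicts(bodies):
                    findings.setdefault(label, []).extend(check_database(body))
    return {label: reasons for label, reasons in findings.items() if reasons}

if __name__ == "__main__":
    print(json.dumps(find_violations(SAMPLE), indent=2))
```

Like the query, the check does not flag a policy whose "state" key is absent; it only reports the conditions the rule itself names.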

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Select 'SQL servers', then select the SQL server you need to modify.
  3. Select 'Advanced Data Security'.
  4. Ensure that 'Advanced Data Security' status is 'ON'.
  5. Select 'Email service and co-administrators'.
  6. 'Save' your changes.

Compliance

There is 1 standard that is applicable to this policy:
  • CIS v1.1 (Azure)
