Get answers to common questions about Microsoft Defender for Databases.
If I enable this Microsoft Defender plan on my subscription, are all SQL servers on the subscription protected?
No. To defend a SQL Server deployment on an Azure virtual machine, or a SQL Server running on an Azure Arc-enabled machine, Defender for Cloud requires:
- a Log Analytics agent on the machine
- the relevant Log Analytics workspace to have the Microsoft Defender for SQL solution enabled
The subscription status, shown in the SQL server page in the Azure portal, reflects the default workspace status and applies to all connected machines. Only the SQL servers on hosts with a Log Analytics agent reporting to that workspace are protected by Defender for Cloud.Y
Is there a performance effect from deploying Microsoft Defender for Azure SQL on machines?
The focus of Microsoft Defender for SQL on machines is obviously security. But we also care about your business and so we've prioritized performance to ensure the minimal effect on your SQL servers.
The service has a split architecture to balance data uploading and speed with performance:
- Some of our detectors, including an extended events trace named
SQLAdvancedThreatProtectionTraffic, run on the machine for real-time speed advantages. - Other detectors run in the cloud to spare the machine from heavy computational loads.
Lab tests of our solution showed CPU usage averaging 3% for peak slices, comparing it against benchmark loads. An analysis of our current user data shows a negligible effect on CPU and memory usage.
Performance always varies between environments, machines, and loads. The statements are provided as a general guideline, not a guarantee for any individual deployment.
I changed the Log Analytics workspace for Defender for SQL on Machines and lost all my scan results and baselines settings. What happened?
The scan results and baselines are not stored in the Log Analytics workspace but are linked to it. Changing the workspace will reset the scan results and baseline settings. However, if you revert to the original workspace within 90 days, the scan results and baseline settings will be restored. Read more
What happens to the old scan results and baselines after I switch to express configuration?
Old results and baselines settings remain available on your storage account, but won't be updated or used by the system. You don't need to maintain these files for SQL vulnerability assessment to work after you switch to express configuration, but you can keep your old baseline definitions for future reference.
When express configuration is enabled, you don't have direct access to the result and baseline data because it's stored on internal Microsoft storage.
Why is my Azure SQL Server marked as unhealthy for "SQL servers should have vulnerability assessment configured", even though I’ve properly set it up using classic configuration?
The policy behind this recommendation checks for the existence of subassessments for the server. With classic configuration, system databases are scanned only if at least one user database exists. Therefore, a server without any user databases will not have scans or reported scan results, causing the policy to remain unhealthy. Switching to express configuration will enable scheduled and manual scans for system databases, thus mitigating this issue.
Can I set up recurring scans with express configuration?
Express configuration automatically sets up recurring scans for all databases under your server. This is the default and isn't configurable at server or database level.
Is there a way with express configuration to get the weekly email report that is provided in the classic configuration?
You can use workflow automation and Logic Apps email scheduling, following the Microsoft Defender for Cloud processes:
- Time based triggers
- Scan based triggers
- Support for disabled rules
Why can’t I set database policies anymore?
SQL vulnerability assessment reports all vulnerabilities and misconfigurations in your environment, so it helps to have all databases included. Defender for SQL is billed per server, not per database.
Can I revert back to the classic configuration?
Yes. You can revert back to the classic configuration using the existing REST APIs and PowerShell cmdlets. When you revert back to the classic configuration, you see a notification in the Azure portal to change to the express configuration.
Will we see express configuration for other types of SQL?
Stay tuned for updates!
Can I choose which experience is the default?
No. Express configuration is the default for every new supported Azure SQL database.
Does express configuration change scan behavior?
No, express configuration provides the same scanning behavior and performance.
Does express configuration have any effect on pricing?
Express configuration doesn't require a storage account, so you don't need to pay extra storage fees unless you choose to keep old scan and baseline data.
What does the 1-MB cap per rule mean?
Any individual rule can't produce results that are more than 1 MB. When that limit is reached, the results for the rule are stopped. You can't set a baseline for the rule, the rule isn't included in the overall recommendation health, and the results are shown as "Not applicable".
Once the Microsoft Defender for SQL servers on machines deployment is done, how long do we need to wait to see a successful deployment?
It takes approximately 30 minutes to update the protection status by the SQL IaaS Extension, assuming all the prerequisites are fulfilled.
How do I verify that my Defender for SQL servers on machines deployment ended successfully and that my database is now protected?
- Locate the database on the upper search bar in the Azure portal.
- Under the Security tab, select Defender for Cloud.
- Check the Protection status. If the status is Protected, the deployment was successful.
What is the purpose of the managed identity created during the installation process on Azure SQL VMs?
The managed identity is part of the Azure Policy, which pushes out the AMA. It's used by the AMA to access the database to collect the data and send it via the Log Analytics Workspace (LAW) to Defender for Cloud. For more information about the use of the managed identity, see Resource Manager template samples for agents in Azure Monitor.
Can I use my own DCR or managed-identity instead of Defender for Cloud creating a new one?
Yes, we allow you to bring your own identity or DCR using the following script only. For more information, see Enable Microsoft Defender for SQL servers on machines at scale.
How many resource groups and Log analytics workspaces are created through the auto-provisioning process?
By default, we create the resource group, workspace and DCR per region that has the SQL machine. If you choose the custom workspace option, only one resource group/DCR is created in the same location as the workspace.
How can I enable SQL servers on machines with AMA at scale?
See Enable Microsoft Defender for SQL servers on machines at scale for the process of how to enable Microsoft Defender for SQL's autoprovisioning across multiple subscriptions simultaneously. It's applicable to SQL servers hosted on Azure Virtual Machines, on-premises environments, and Azure Arc-enabled SQL servers.
Which tables are used in LAW with AMA?
Defender for SQL on SQL VMs and Arc-enabled SQL servers uses the Log Analytics Workspace (LAW) to transfer data from the database to the Defender for Cloud portal. This means that no data is saved locally at the LAW. The tables in the LAW named SQLAtpStatus and the SqlVulnerabilityAssessmentScanStatus will be retired when MMA is deprecated. ATP and VA status can be viewed in the Defender for Cloud portal.
How does Defender for SQL collect logs from the SQL server?
Defender for SQL uses Xevent, beginning with SQL Server 2017. On previous versions of SQL Server, Defender for SQL collects the logs using the SQL server audit logs.
I see a parameter named enableCollectionOfSqlQueriesForSecurityResearch in the policy initiative. Does this mean that my data is collected for analysis?
This parameter isn't in use today. Its default value is false, meaning that unless you proactively change the value, it remains false. There's no effect from this parameter.