Overview
Turning on Microsoft Defender for Open-source relational databases enables threat detection for open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.
Rationale
Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).
Impact
Turning on Microsoft Defender for Open-source relational databases incurs an additional cost per resource.
Remediation guidance
From Azure Console
- Open Microsoft Defender for Cloud | Environment settings
- Select a subscription
- Under Settings, select Defender plans
- For Open-source relational databases, select On for Status
- Select Save
Using Azure Command Line Interface
az security pricing create -n 'OpenSourceRelationalDatabases' --tier 'Standard'
Using Azure PowerShell
Set-AzSecurityPricing -Name 'OpenSourceRelationalDatabases' -PricingTier 'Standard'
Default Value
By default, the Microsoft Defender plan is off.
References
- https://learn.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities
- https://learn.microsoft.com/en-us/rest/api/securitycenter/pricings/update
- https://learn.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
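An added example for the validation step (not part of the original control text): a shell audit that reads the plan tier with az security pricing show for each subscription and lists every subscription that is not on Standard. The function names and the --all switch are this example's own, and it assumes a logged-in Azure CLI.

```shell
#!/usr/bin/env bash
# Added example: audit the Defender plan tier per subscription.
# A subscription whose plan is not "Standard" is reported as a finding.

PLAN='OpenSourceRelationalDatabases'

# Print the plan's pricing tier for one subscription.
# Prints "Unknown" when the lookup fails (no access, not logged in),
# so a failed lookup is never mistaken for a compliant result.
plan_tier() {
  local sub="$1" tier
  if tier=$(az security pricing show -n "$PLAN" --subscription "$sub" \
      --query pricingTier -o tsv 2>/dev/null) && [ -n "$tier" ]; then
    printf '%s\n' "$tier"
  else
    printf 'Unknown\n'
  fi
}

# Print "<subscription> <tier>" for every finding.
# Returns 0 only when every subscription is on the Standard tier.
audit_plan() {
  local sub tier findings=0
  for sub in "$@"; do
    tier=$(plan_tier "$sub")
    if [ "$tier" != "Standard" ]; then
      printf '%s %s\n' "$sub" "$tier"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Script entry point: pass subscription IDs, or --all to audit every
# subscription the logged-in account can list. No arguments: define only.
if [ "$#" -gt 0 ]; then
  if [ "$1" = "--all" ]; then
    # Word splitting is intended: one subscription ID per line.
    set -- $(az account list --query '[].id' -o tsv)
  fi
  audit_plan "$@"
  exit $?
fi
```

The non-zero exit status on any finding lets the script act as a gate in a CI pipeline or a post-remediation re-scan.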
Query logic
These are the stored checks tied to this control.
Azure Subscriptions without Microsoft Defender for Open-Source Relational Databases
Connectors
Covered asset types
Expected check: eq []
{
  connectors(
    where: {
      pricing_SOME: {
        name: "OpenSourceRelationalDatabases"
        pricingTier: "Free"
      }
    }
  ) {
    ...AssetFragment
  }
}
Microsoft Azure