Azure Defender for SQLAzure Defender for SQL

适用于: Azure SQL 数据库 Azure SQL 托管实例 Azure Synapse Analytics

Azure Defender for SQL 是高级 SQL 安全功能的统一包。Azure Defender for SQL is a unified package for advanced SQL security capabilities. Azure Defender 可用于 Azure SQL 数据库、Azure SQL 托管实例和 Azure Synapse Analytics。Azure Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. 它包括用于发现和分类敏感数据、呈现和减少潜在数据库漏洞,以及检测可能表明数据库有威胁的异常活动的功能。It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. 它提供用于启用和管理这些功能的一个转到位置。It provides a single go-to location for enabling and managing these capabilities.

适用于 SQL 的 Azure Defender 有哪些优点?What are the benefits of Azure Defender for SQL?

Azure Defender 提供一组高级 SQL 安全功能,包括 SQL 漏洞评估和高级威胁防护。Azure Defender provides a set of advanced SQL security capabilities, including SQL Vulnerability Assessment and Advanced Threat Protection.

  • 漏洞评估是一项易于配置的服务,可以发现、跟踪并帮助修正潜在的数据库漏洞。Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. 它可用于直观查看安全状态,包括解决安全问题的可操作步骤,并可加强数据库的防御工事。It provides visibility into your security state, and it includes actionable steps to resolve security issues and enhance your database fortifications.
  • 高级威胁防护检测异常活动,指出尝试访问或利用数据库的行为异常且可能有害。Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. 它连续监视数据库中的可疑活动,并针对潜在漏洞、Azure SQL 注入攻击和异常数据库访问模式提供即时安全警报。It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. 高级威胁防护警报提供可疑活动的详细信息,并建议如何调查和缓解威胁。Advanced Threat Protection alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.

启用 Azure Defender for SQL 之后,其包含的所有功能都会启用。Enable Azure Defender for SQL once to enable all these included features. 只需单击一次,即可为 Azure 或 SQL 托管实例中服务器上的所有数据库启用 Azure Defender。With one click, you can enable Azure Defender for all databases on your server in Azure or in your SQL Managed Instance. 需要属于 SQL 安全管理器角色或者数据库或服务器管理员角色才能启用或管理 Azure Defender 设置。Enabling or managing Azure Defender settings requires belonging to the SQL security manager role, or one of the database or server admin roles.

有关 Azure Defender for SQL 定价的详细信息,请参阅 Azure 安全中心定价页For more information about Azure Defender for SQL pricing, see the Azure Security Center pricing page.

启用 Azure DefenderEnable Azure Defender

可通过多种方式启用 Azure Defender 计划。There are multiple ways to enable Azure Defender plans. 可通过以下方式在订阅级别启用(建议):You can enable it at the subscription level (recommended) from:

或者,可以根据在资源级别为 Azure SQL 数据库启用 Azure Defender 中所述在资源级别启用它。Alternatively, you can enable it at the resource level as described in Enable Azure Defender for Azure SQL Database at the resource level

在 Azure 安全中心的订阅级别为 Azure SQL 数据库启用 Azure DefenderEnable Azure Defender for Azure SQL Database at the subscription level from Azure Security Center

若要在 Azure 安全中心内的订阅级别为 Azure SQL 数据库启用 Azure Defender:To enable Azure Defender for Azure SQL Database at the subscription level from within Azure Security Center:

  1. Azure 门户中,打开“安全中心”。From the Azure portal, open Security Center.

  2. 在安全中心的菜单中,选择“定价和设置”。From Security Center's menu, select Pricing and settings.

  3. 选择相关订阅。Select the relevant subscription.

  4. 将计划设置更改为“打开”。Change the plan setting to On.

    在订阅级别为 Azure SQL 数据库启用 Azure Defender。

  5. 选择“保存”。Select Save.

以编程方式启用 Azure Defender 计划Enable Azure Defender plans programatically

Azure 的灵活性允许使用多种编程方法来启用 Azure Defender 计划。The flexibility of Azure allows for a number of programmatic methods for enabling Azure Defender plans.

可使用以下任一方法来为订阅启用 Azure Defender:Use any of the following tools to enable Azure Defender for your subscription:

方法Method 说明Instructions
REST APIREST API 定价 APIPricings API
Azure CLIAzure CLI az security 定价az security pricing
PowerShellPowerShell Set-AzSecurityPricingSet-AzSecurityPricing
Azure PolicyAzure Policy 捆绑定价Bundle Pricings

在资源级别为 Azure SQL 数据库启用 Azure DefenderEnable Azure Defender for Azure SQL Database at the resource level

建议在订阅级别启用 Azure Defender 计划,这有助于创建不受保护的资源。We recommend enabling Azure Defender plans at the subscription level and this can help the creation of unprotected resources. 但是,如果你的组织有理由要在服务器级别启用 Azure Defender,请使用以下步骤:However, if you have an organizational reason to enable Azure Defender at the server level, use the following steps:

  1. Azure 门户中打开你的服务器或托管实例。From the Azure portal, open your server or managed instance.

  2. 在“安全性”标题下,选择“安全中心” 。Under the Security heading, select Security Center.

  3. 选择“启用 Azure Defender for SQL”。Select Enable Azure Defender for SQL.

    在 Azure SQL 数据库中启用 Azure Defender for SQL。

备注

系统会自动创建一个存储帐户用于存储 漏洞评估 的扫描结果。A storage account is automatically created and configured to store your Vulnerability Assessment scan results. 如果已为同一个资源组和区域中的另一台服务器启用 Azure Defender,则使用现有的存储帐户。If you've already enabled Azure Defender for another server in the same resource group and region, then the existing storage account is used.

Azure Defender 的成本遵循每个节点的 Azure 安全中心标准层级定价,其中节点是整个服务器或托管实例。The cost of Azure Defender is aligned with Azure Security Center standard tier pricing per node, where a node is the entire server or managed instance. 因此,只需支付一次即可使用 Azure Defender 保护服务器或托管实例上的所有数据库。You are thus paying only once for protecting all databases on the server or managed instance with Azure Defender. 你可以从免费试用版开始试用 Azure Defender。You can try Azure Defender out initially with a free trial.

管理 Azure Defender 设置Manage Azure Defender settings

查看和管理 Azure Defender 设置:To view and manage Azure Defender settings:

  1. 在服务器或托管实例的“安全”区域中,选择“安全中心” 。From the Security area of your server or managed instance, select Security Center.

    在此页上,你将看到 Azure Defender for SQL 的状态:On this page, you'll see the status of Azure Defender for SQL:

    在 Azure SQL 数据库中检查 Azure Defender for SQL 的状态。

  2. 如果启用了 Azure Defender for SQL,则将看到一个“配置”链接,如上图所示。If Azure Defender for SQL is enabled, you'll see a Configure link as shown in the previous graphic. 若要编辑 Azure Defender for SQL 的设置,请选择“配置”。To edit the settings for Azure Defender for SQL, select Configure.

    Azure Defender for SQL 的设置。

  3. 进行必要的更改并选择“保存”。Make the necessary changes and select Save.

后续步骤Next steps