Advanced Threat Protection for Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics (SQL DW)

Advanced Threat Protection for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases.

Advanced Threat Protection is part of the Azure Defender for SQL offering, which is a unified package for advanced SQL security capabilities. Advanced Threat Protection can be accessed and managed via the central Azure Defender for SQL portal.

Overview

Advanced Threat Protection provides a new layer of security that enables customers to detect and respond to potential threats as they occur, by raising security alerts on anomalous activities. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access and query patterns. Advanced Threat Protection integrates its alerts with Azure Security Center; each alert includes details of the suspicious activity and recommended actions on how to investigate and mitigate the threat. Advanced Threat Protection makes it simple to address potential threats to the database without needing to be a security expert or to manage advanced security monitoring systems.

For a full investigation experience, it is recommended to enable auditing, which writes database events to an audit log in your Azure storage account. To enable auditing, see Auditing for Azure SQL Database and Azure Synapse or Auditing for Azure SQL Managed Instance.

Alerts

Advanced Threat Protection for Azure SQL Database detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases. For a list of alerts for Azure SQL Database, see the Alerts for SQL Database and Azure Synapse Analytics (formerly SQL Data Warehouse) in Azure Security Center.

Explore detection of a suspicious event

You receive an email notification upon detection of anomalous database activities. The email provides information on the suspicious security event, including the nature of the anomalous activities, the database name, server name, application name, and the event time. In addition, the email provides information on possible causes and recommended actions to investigate and mitigate the potential threat to the database.

(Image: anomalous activity report)

  1. Click the View recent SQL alerts link in the email to launch the Azure portal and show the Azure Security Center alerts page, which provides an overview of active threats detected on the database.

    (Image: active threats)

  2. Click a specific alert to get additional details and actions for investigating this threat and remediating future threats.

    For example, SQL injection is one of the most common web application security issues on the Internet and is used to attack data-driven applications. Attackers take advantage of application vulnerabilities to inject malicious SQL statements into application entry fields, breaching or modifying data in the database. For SQL injection alerts, the alert's details include the vulnerable SQL statement that was exploited.

    (Image: specific alert)

Explore alerts in the Azure portal

Advanced Threat Protection integrates its alerts with Azure Security Center. Live SQL Advanced Threat Protection tiles within the database and SQL Azure Defender blades in the Azure portal track the status of active threats.

Click the Advanced Threat Protection alert to launch the Azure Security Center alerts page and get an overview of active SQL threats detected on the database.

Next steps