Advanced Threat Protection for Azure SQL Database

Advanced Threat Protection for Azure SQL Database and SQL Data Warehouse detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases.

Advanced Threat Protection is part of the Advanced data security (ADS) offering, a unified package of advanced SQL security capabilities. It can be accessed and managed from the central SQL ADS portal.

Note

This topic applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases created on that server. For simplicity, SQL Database is used below when referring to both SQL Database and SQL Data Warehouse.

What is Advanced Threat Protection

Advanced Threat Protection adds a layer of security that lets you detect and respond to potential threats as they occur by raising security alerts on anomalous activities. You receive an alert on suspicious database activity, potential vulnerabilities, SQL injection attacks, and anomalous database access and query patterns. Advanced Threat Protection integrates its alerts with Azure Security Center; each alert includes details of the suspicious activity and recommended actions for investigating and mitigating the threat. This makes it possible to address potential threats to the database without being a security expert or operating an advanced security monitoring system.

For a full investigation experience, it is recommended to enable SQL Database Auditing, which writes database events to an audit log in your Azure storage account. The alert tells you that something happened; the audit log is where you find which principal, which client address and which statements were involved.
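The following Python is an added example, not code from this page or from Microsoft: it runs the failed-login pattern behind the "Brute force SQL credentials" alert described later on this page over a handful of constructed audit rows, the way you would when pivoting from an alert into the audit log. The rows mimic the columns that sys.fn_get_audit_file returns (event_time, action_id, succeeded, server_principal_name, client_ip); the addresses, logins, times and the detection thresholds are assumptions for illustration, not values the service uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCEEDED = "LGIF", "LGIS"  # audit action_id values for failed / successful login

# Constructed sample rows: (event_time, action_id, succeeded, server_principal_name, client_ip).
# Addresses, logins and timestamps are made up for this example.
SAMPLE_AUDIT_ROWS = (
    # twelve failures in forty seconds from one host, cycling through four logins
    [("2024-05-01T10:00:%02d" % (3 * i), FAILED, False,
      ("sa", "admin", "sqladmin", "backup")[i % 4], "203.0.113.7") for i in range(12)]
    # an application user mistyping a password twice, then succeeding
    + [("2024-05-01T10:02:00", FAILED, False, "appuser", "198.51.100.4"),
       ("2024-05-01T10:02:20", FAILED, False, "appuser", "198.51.100.4"),
       ("2024-05-01T10:02:40", SUCCEEDED, True, "appuser", "198.51.100.4")]
)


def detect_brute_force(rows, window=timedelta(minutes=5),
                       max_failures=10, min_distinct_logins=3):
    """Return {client_ip: (failure_count, distinct_logins)} for each source that produced
    at least max_failures failed logins using at least min_distinct_logins different
    principals inside one sliding window. The thresholds are illustrative assumptions."""
    failures = defaultdict(list)
    for event_time, action_id, succeeded, principal, client_ip in rows:
        if action_id == FAILED and not succeeded:
            failures[client_ip].append((datetime.fromisoformat(event_time), principal))

    findings = {}
    for ip, events in failures.items():
        events.sort()  # by timestamp, so every later event is at or after the window start
        for start, (t0, _) in enumerate(events):
            in_window = [p for t, p in events[start:] if t - t0 <= window]
            distinct = sorted(set(in_window))
            if len(in_window) >= max_failures and len(distinct) >= min_distinct_logins:
                findings[ip] = (len(in_window), distinct)
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, (count, logins) in detect_brute_force(SAMPLE_AUDIT_ROWS).items():
        print(f"{ip}: {count} failed logins across {len(logins)} principals: {', '.join(logins)}")
```

The two-failure sequence from the application user is below the thresholds and is not reported; lowering max_failures and min_distinct_logins makes it show up, which is the trade-off you are tuning when you decide how noisy you want this signal to be.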

Advanced Threat Protection alerts

Advanced Threat Protection for Azure SQL Database detects anomalous activities that indicate unusual and potentially harmful attempts to access or exploit databases, and can trigger the following alerts:

  • Vulnerability to SQL injection: This alert is triggered when an application generates a faulty SQL statement in the database. It indicates a possible vulnerability to SQL injection attacks. There are two possible reasons for the generation of a faulty statement:

    • A defect in application code that constructs the faulty SQL statement
    • Application code or stored procedures that do not sanitize user input when constructing the faulty SQL statement, which may be exploited for SQL injection
  • Potential SQL injection: This alert is triggered when an active exploit happens against an identified application vulnerability to SQL injection. This means the attacker is trying to inject malicious SQL statements using the vulnerable application code or stored procedures.

  • Access from unusual location: This alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server from an unusual geographical location. In some cases, the alert detects a legitimate action (a new application, or developer maintenance). In other cases, the alert detects a malicious action (a former employee, an external attacker).

  • Access from unusual Azure data center: This alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server from an Azure data center that has not been seen on this server during the recent period. In some cases, the alert detects a legitimate action (your new application in Azure, Power BI, Azure SQL Query Editor). In other cases, the alert detects a malicious action from an Azure resource or service (a former employee, an external attacker).

  • Access from unfamiliar principal: This alert is triggered when there is a change in the access pattern to the SQL server, where someone has logged on to the SQL server using an unusual principal (SQL user). In some cases, the alert detects a legitimate action (a new application, developer maintenance). In other cases, the alert detects a malicious action (a former employee, an external attacker).

  • Access from a potentially harmful application: This alert is triggered when a potentially harmful application is used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack using common attack tools.

  • Brute force SQL credentials: This alert is triggered when there is an abnormally high number of failed logins with different credentials. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack.
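The first two alerts above key on the statement text that reaches the engine: a concatenated query turns a legitimate value containing a quote into a faulty statement, and turns a crafted value into a different query. As an added example, not code from this page or from Microsoft, the Python below reproduces both signals side by side with a parameterized query that produces neither. It uses the standard-library sqlite3 module as a stand-in for an Azure SQL Database connection so that it runs offline (an assumption; the `?` parameter marker is the same one pyodbc uses), and the table and rows are constructed.

```python
import sqlite3


def setup():
    """Constructed sample table, standing in for an Azure SQL Database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("O'Brien", "ob@example.invalid"), ("Alice", "alice@example.invalid")],
    )
    return conn


def find_by_name_vulnerable(conn, name):
    """Builds the statement by string concatenation. A legitimate value containing a
    quote yields a faulty statement (the 'Vulnerability to SQL injection' signal);
    a crafted value changes the query's logic (the 'Potential SQL injection' signal)."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Parameterized form: the value is bound separately and never becomes statement text."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(conn, query_fn, inputs):
    """Run query_fn on each input and record the row count, or 'error: ...' when the
    engine rejects a faulty statement."""
    outcomes = {}
    for value in inputs:
        try:
            outcomes[value] = len(query_fn(conn, value))
        except sqlite3.Error as exc:
            outcomes[value] = "error: " + str(exc)
    return outcomes


if __name__ == "__main__":
    conn = setup()
    inputs = ["Alice", "O'Brien", "' OR 1=1 --"]
    print("concatenated: ", probe(conn, find_by_name_vulnerable, inputs))
    print("parameterized:", probe(conn, find_by_name_safe, inputs))
```

With the concatenated query, "O'Brien" fails with a syntax error (this is the faulty statement the first alert reports) and `' OR 1=1 --` returns every row (the active exploit the second alert reports). With the parameterized query, "O'Brien" finds the one matching customer and the crafted value matches nothing.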

Explore Advanced Threat Protection alerts for your database in the Azure portal

Advanced Threat Protection integrates its alerts with Azure Security Center. Live SQL Advanced Threat Protection tiles within the database and SQL ADS blades in the Azure portal track the status of active threats.

Click Advanced Threat Protection alert to open the Azure Security Center alerts page and get an overview of the active SQL threats detected on the database or data warehouse.

[Screenshots: Advanced Threat Protection alerts in the Azure portal]

Next steps