
Advanced Threat Protection for Azure Database for MySQL in preview

Advanced Threat Protection detects anomalous database activities indicating potential security threats to Azure Database for MySQL.

This blog post was co-authored by Ron Matchoro, Principal Program Manager, Azure SQL Database.


Advanced Threat Protection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous database activities. Advanced Threat Protection makes it simple to address potential threats to the Azure Database for MySQL server without the need to be a security expert and integrates its alerts with Azure Security Center.

For a full investigation experience, it is recommended to use Server Logs in Azure Database for MySQL, which generate database query and error logs.


The benefits of Advanced Threat Protection include:

  • Simple configuration of Advanced Threat Protection policy via the Azure portal.
  • Clear email alerts upon detection of suspicious database activities.
  • Ability to explore the activity log around the time of the event using the Azure portal.
  • No need to modify database procedures or application code.

Set up Advanced Threat Protection for your Azure Database for MySQL server in the Azure portal

  • Launch the Azure portal.
  • Navigate to the configuration page of the Azure Database for MySQL server you want to protect. In the Settings page, select Advanced Threat Protection.
  • In the Advanced Threat Protection configuration blade:
    • Turn ON Threat detection.
    • Configure the list of emails that will receive security alerts upon detection of anomalous database activities.
  • Click Save in the Advanced Threat Protection configuration blade to save the new or updated threat detection policy.

[Screenshot: set-up-threat-protection]

Explore anomalous MySQL server activities upon detection of a suspicious event

You will receive an email notification upon detection of anomalous database activities. The email will provide information about the suspicious security event including the nature of the anomalous activities, database name, server name and the event time. In addition, it will provide information on possible causes and recommended actions to investigate and mitigate the potential threat to the Azure Database for MySQL server.

[Screenshot: anomalous-activity-report]

Clicking the "View recent alerts" link in the email will launch the Azure portal and open the Azure Security Center alerts blade, which provides an overview of active SQL threats detected on the Azure Database for MySQL server.

[Screenshot: active-threats]

Clicking on a specific alert provides additional details and actions for investigating this threat and remediating future threats.

[Screenshot: specific-alert]

Azure Database for MySQL server Advanced Threat Protection alerts

Advanced Threat Protection for Azure Database for MySQL server detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases, and it can trigger the following alerts:

  • Access from unusual location: This alert is triggered when there is a change in the access pattern to an Azure Database for MySQL server, where someone has logged on to the Azure Database for MySQL server from an unusual geographical location. In some cases, the alert detects a legitimate action such as a new application or a developer's maintenance operation. In other cases, the alert detects a malicious action, for example by a former employee or an external attacker.
  • Access from unusual Azure data center: This alert is triggered when there is a change in the access pattern to an Azure Database for MySQL server, where someone has logged on to the Azure Database for MySQL server from an Azure data center that was not seen accessing this server during the recent period. In some cases, the alert detects a legitimate action such as your new application in Azure, Power BI, Azure SQL Query Editor, and more. In other cases, the alert detects a malicious action from an Azure resource or service, for example by a former employee or an external attacker.
  • Access from unfamiliar principal: This alert is triggered when there is a change in the access pattern to an Azure Database for MySQL server, where someone has logged on to the Azure Database for MySQL server using an unusual principal. In some cases, the alert detects a legitimate action such as a new application or a developer's maintenance operation. In other cases, the alert detects a malicious action, for example by a former employee or an external attacker.
  • Access from a potentially harmful application: This alert is triggered when a potentially harmful application is used to access the database. In some cases, the alert detects penetration testing in action. In other cases, the alert detects an attack using common attack tools.
  • Brute force login credentials: This alert is triggered when there is an abnormally high number of failed logins with different credentials. In some cases, the alert detects penetration testing in action. In other cases, the alert detects a brute force attack.
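The alerts above are all variations of one idea: compare each login against what the server has seen before, and flag principals, sources or failure patterns that fall outside that history. The following is an added example, not code from this post or from Azure's own detection engine, that runs that logic over constructed log lines written in a simplified MySQL error-log style (the "Login OK" form is a constructed stand-in for a general-log or audit entry, since the MySQL error log does not record successful logins by default). The baseline sets of known users and known source hosts are assumed allowlists that stand in for the access history the service learns over its "recent period"; the host check stands in for the geographic and data-center comparisons, which need a geo-IP lookup this offline example does not have.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real server). Each line has a
# UTC timestamp, a connection id, a severity tag and a login outcome.
SAMPLE_LOG = """\
2019-01-15T10:00:00Z 0 [System] mysqld: ready for connections.
2019-01-15T10:00:01Z 12 [Note] Login OK for user 'app'@'10.0.0.4'
2019-01-15T10:00:05Z 13 [Note] Login OK for user 'reporting'@'10.0.0.7'
2019-01-15T10:00:40Z 14 [Note] Login OK for user 'app'@'198.51.100.9'
2019-01-15T10:01:10Z 15 [Note] Login OK for user 'svc_new'@'10.0.0.4'
2019-01-15T10:01:30Z 16 [Note] Access denied for user 'app'@'10.0.0.4' (using password: YES)
2019-01-15T10:02:00Z 17 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2019-01-15T10:02:10Z 18 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2019-01-15T10:02:20Z 19 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2019-01-15T10:02:30Z 20 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2019-01-15T10:02:40Z 21 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2019-01-15T10:02:50Z 22 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
"""

# Assumed baseline: principals and source hosts seen during normal operation.
BASELINE_USERS = {"app", "reporting"}
BASELINE_HOSTS = {"10.0.0.4", "10.0.0.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \d+ \[\w+\] "
    r"(?P<outcome>Login OK|Access denied) for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_events(text):
    """Turn log text into login events; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "ok": m["outcome"] == "Login OK",
            "user": m["user"],
            "host": m["host"],
        })
    return events


def detect(events, known_users, known_hosts, window=timedelta(minutes=5), threshold=5):
    """Emit alerts analogous to the three pattern-based alerts described above."""
    alerts = []
    # Successful logins by a principal or from a source outside the baseline.
    for e in events:
        if not e["ok"]:
            continue
        if e["user"] not in known_users:
            alerts.append({"alert": "unfamiliar_principal", "user": e["user"], "host": e["host"]})
        if e["host"] not in known_hosts:
            alerts.append({"alert": "unusual_source", "user": e["user"], "host": e["host"]})
    # Brute force: many failures from one host, across several credentials, inside a window.
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["host"]].append(e)
    for host, evs in failures.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            users = {x["user"] for x in in_window}
            if len(in_window) >= threshold and len(users) >= 2:
                alerts.append({"alert": "brute_force", "host": host,
                               "failures": len(in_window), "distinct_users": len(users)})
                break  # one alert per host is enough for the responder
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG), BASELINE_USERS, BASELINE_HOSTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Run as written, the sample produces three alerts: an unusual source for the known "app" principal connecting from 198.51.100.9, an unfamiliar principal "svc_new" from a known host, and a brute-force alert for 203.0.113.5 (six failures across four distinct users within the window). The single mistyped password from 10.0.0.4 stays below the threshold, which is the point of requiring both volume and credential variety before alerting.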

Next steps