주요 콘텐츠로 건너뛰기

Prioritize and Respond to Alerts

Implementation Effort: Medium
Customer IT and Security Operations teams must configure alerting, triage incoming alerts, and define response workflows across Azure and multicloud environments.

User Impact: Low
All actions are performed by administrators and security teams; no user-facing changes or notifications are required.

Overview

Microsoft Defender for Databases provides real-time alerts for suspicious activity across Azure SQL, open-source databases, and multicloud environments. These alerts help security teams detect, prioritize, and respond to threats such as SQL injection, brute-force login attempts, and anomalous query behavior.

Key Steps

  1. Enable Defender Plans

    • Ensure Defender for Databases is enabled for Azure SQL, SQL Servers on machines, and open-source databases (PostgreSQL, MySQL, MariaDB).
    • For AWS, connect your account and enable protection for RDS instances 1.
  2. Access Alerts

    • Go to Microsoft Defender for Cloud > Security alerts in the Azure portal.
    • Use filters to view alerts by severity, resource type, or time.
    • Alerts are also visible on the resource-specific Defender page and can be sent via email 1.
  3. Prioritize Alerts

    • Focus on high-severity alerts involving:
      • Sensitive data
      • Internet-exposed databases
      • Lateral movement indicators
    • Use the live tile on the Defender for Cloud dashboard to track active threats 1.
  4. Investigate and Respond

    • Select an alert to view details such as:
      • Affected database and server
      • Nature of the anomaly
      • Recommended remediation steps
    • Use the View full alert link in email notifications to jump directly to the alert in the Azure portal 1.
  5. Remediate and Document

    • Follow the recommended actions to mitigate the threat (e.g., revoke access, patch vulnerabilities, block IPs).
    • Document the incident and update detection rules or access policies as needed.

This process supports the Zero Trust principle of "Assume Breach" by ensuring that threats are detected and addressed in real time, reducing the window of exposure and improving incident response readiness.

Reference