Check Resource Coverage
Implementation Effort: Medium
Customer IT and Security Operations teams must use Azure tools like Resource Graph Explorer and Defender for Cloud dashboards to validate which resources are protected.
User Impact: Low
All actions are performed by administrators; no user-facing changes or notifications are required.
Overview
Checking resource coverage in Microsoft Defender for Databases ensures that all intended database workloads—across Azure, on-premises, and multicloud—are actively protected. This process involves verifying that Defender plans are enabled and that resources are being scanned and monitored correctly.
Key Methods
-
Use Defender for Cloud Recommendations
- Navigate to Microsoft Defender for Cloud > Recommendations in the Azure portal.
- Search for recommendations like:
- SQL databases should have vulnerability findings resolved
- SQL servers on machines should have vulnerability findings resolved
- These show which resources are covered and which are missing protection 1.
-
Query Azure Resource Graph (ARG)
-
Use Resource Graph Explorer to run Kusto queries that return affected resources or security findings.
-
Example:
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| project resourceId, name=properties.displayName, status=properties.status.code -
This helps identify gaps in coverage and validate that Defender for SQL is actively scanning the databases 1.
-
-
Review Defender Plan Activation
- Ensure the following Defender plans are enabled:
- Defender for Azure SQL Databases
- Defender for SQL Servers on Machines
- Defender for Open-Source Relational Databases
- Defender for Azure Cosmos DB 2
- Ensure the following Defender plans are enabled:
This process supports the Zero Trust principle of "Verify Explicitly" by ensuring that all database resources are accounted for and protected. Skipping this step may result in unmonitored workloads, increasing the risk of undetected threats or compliance gaps.