Azure Defender for open-source relational databases

Hi!

A new Azure Defender plan is available that brings threat protection to the following open-source relational databases:

  • Azure Database for PostgreSQL
  • Azure Database for MySQL
  • Azure Database for MariaDB

The goal of Azure Defender is to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Please find below the list of alerts available:

Each entry gives the alert name, the alert types (one per database engine), the description, the MITRE tactic and the severity.

Alert: Suspected brute force attack using a valid user
Alert types: SQL.PostgreSQL_BruteForce, SQL.MariaDB_BruteForce, SQL.MySQL_BruteForce
Description: A potential brute force attack has been detected on your resource. The attacker is using the valid user (username), which has permissions to login.
MITRE tactic: PreAttack
Severity: High

Alert: Suspected successful brute force attack
Alert types: SQL.PostgreSQL_BruteForce, SQL.MySQL_BruteForce, SQL.MariaDB_BruteForce
Description: A successful login occurred after an apparent brute force attack on your resource.
MITRE tactic: PreAttack
Severity: High

Alert: Suspected brute force attack
Alert types: SQL.MySQL_BruteForce
Description: A potential brute force attack has been detected on your SQL server ‘{name}’.
MITRE tactic: PreAttack
Severity: High

Alert: Attempted logon by a potentially harmful application
Alert types: SQL.PostgreSQL_HarmfulApplication, SQL.MariaDB_HarmfulApplication, SQL.MySQL_HarmfulApplication
Description: A potentially harmful application attempted to access your resource.
MITRE tactic: PreAttack
Severity: High

Alert: Login from a principal user not seen in 60 days
Alert types: SQL.PostgreSQL_PrincipalAnomaly, SQL.MariaDB_PrincipalAnomaly, SQL.MySQL_PrincipalAnomaly
Description: A principal user not seen in the last 60 days has logged into your database. If this database is new or this is expected behavior caused by recent changes in the users accessing the database, Security Center will identify significant changes to the access patterns and attempt to prevent future false positives.
MITRE tactic: Exploitation
Severity: Medium

Alert: Login from a domain not seen in 60 days
Alert types: SQL.MariaDB_DomainAnomaly, SQL.PostgreSQL_DomainAnomaly, SQL.MySQL_DomainAnomaly
Description: A user has logged in to your resource from a domain no other users have connected from in the last 60 days. If this resource is new or this is expected behavior caused by recent changes in the users accessing the resource, Security Center will identify significant changes to the access patterns and attempt to prevent future false positives.
MITRE tactic: Exploitation
Severity: Medium

Alert: Log on from an unusual Azure Data Center
Alert types: SQL.PostgreSQL_DataCenterAnomaly, SQL.MariaDB_DataCenterAnomaly, SQL.MySQL_DataCenterAnomaly
Description: Someone logged on to your resource from an unusual Azure Data Center.
MITRE tactic: Probing
Severity: Low

Alert: Logon from an unusual cloud provider
Alert types: SQL.PostgreSQL_CloudProviderAnomaly, SQL.MariaDB_CloudProviderAnomaly, SQL.MySQL_CloudProviderAnomaly
Description: Someone logged on to your resource from a cloud provider not seen in the last 60 days. It’s quick and easy for threat actors to obtain disposable compute power for use in their campaigns. If this is expected behavior caused by the recent adoption of a new cloud provider, Security Center will learn over time and attempt to prevent future false positives.
MITRE tactic: Exploitation
Severity: Medium

Alert: Log on from an unusual location
Alert types: SQL.MariaDB_GeoAnomaly, SQL.PostgreSQL_GeoAnomaly, SQL.MySQL_GeoAnomaly
Description: Someone logged on to your resource from an unusual Azure Data Center.
MITRE tactic: Exploitation
Severity: Medium

Alert: Login from a suspicious IP
Alert types: SQL.PostgreSQL_SuspiciousIpAnomaly, SQL.MariaDB_SuspiciousIpAnomaly, SQL.MySQL_SuspiciousIpAnomaly
Description: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.
MITRE tactic: PreAttack
Severity: Medium
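The alert list above is most useful once the alerts are correlated per database server: a brute force alert followed by a "successful login from somewhere unusual" alert on the same server is the combination worth escalating first. The script below is an added example (not code from the original post or from Microsoft) that triages a constructed export of such alerts. It assumes the alerts arrive as JSON objects with the fields alertType, severity, compromisedEntity and timeGeneratedUtc; those field names, the server names and the timestamps are assumptions of the example.

```python
"""Triage Defender alerts for open-source relational databases.

Added example, not code from the original post. Assumes the alerts were
exported (for instance through continuous export) as JSON objects with the
fields used below; the field names follow the Defender for Cloud alert
schema loosely and are an assumption of this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Alert types listed on the page all have the shape SQL.<Engine>_<Family>.
ALERT_TYPE = re.compile(r"^SQL\.(PostgreSQL|MySQL|MariaDB)_(\w+)$")

# Families whose description says a login *succeeded* from somewhere unusual.
LOGIN_FAMILIES = {
    "PrincipalAnomaly", "DomainAnomaly", "DataCenterAnomaly",
    "CloudProviderAnomaly", "GeoAnomaly", "SuspiciousIpAnomaly",
}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
# A successful unusual login this soon after a brute force alert on the same
# server is worth escalating as a possible account compromise.
CORRELATION_WINDOW = timedelta(hours=24)


def parse_alert_type(alert_type: str) -> tuple[str, str] | None:
    """Split 'SQL.MySQL_BruteForce' into ('MySQL', 'BruteForce'); None if not ours."""
    m = ALERT_TYPE.match(alert_type)
    return (m.group(1), m.group(2)) if m else None


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage(alerts: list[dict]) -> list[dict]:
    """One finding per database server, most urgent first."""
    by_server: dict[str, list[dict]] = defaultdict(list)
    for a in alerts:
        parsed = parse_alert_type(a["alertType"])
        if parsed is None:
            continue  # not an OSS relational DB alert; other playbooks handle it
        engine, family = parsed
        by_server[a["compromisedEntity"]].append(
            {**a, "engine": engine, "family": family, "ts": _ts(a["timeGeneratedUtc"])}
        )

    findings = []
    for server, items in by_server.items():
        items.sort(key=lambda x: x["ts"])
        brute = [x["ts"] for x in items if x["family"] == "BruteForce"]
        logins = [x["ts"] for x in items if x["family"] in LOGIN_FAMILIES]
        escalate = any(
            timedelta(0) <= login - attempt <= CORRELATION_WINDOW
            for attempt in brute for login in logins
        )
        max_sev = max(items, key=lambda x: SEVERITY_RANK[x["severity"]])["severity"]
        findings.append({
            "server": server,
            "engine": items[0]["engine"],
            "alert_count": len(items),
            "max_severity": max_sev,
            "families": sorted({x["family"] for x in items}),
            "escalate": escalate,
        })
    # Escalated servers first, then by the highest severity seen.
    findings.sort(key=lambda f: (not f["escalate"], -SEVERITY_RANK[f["max_severity"]]))
    return findings


# Constructed sample export: three servers, one of them showing a brute force
# alert followed two hours later by a successful login from a suspicious IP.
SAMPLE_ALERTS = [
    {"alertType": "SQL.PostgreSQL_BruteForce", "severity": "High",
     "compromisedEntity": "pg-prod-01", "timeGeneratedUtc": "2021-09-01T08:00:00Z"},
    {"alertType": "SQL.PostgreSQL_SuspiciousIpAnomaly", "severity": "Medium",
     "compromisedEntity": "pg-prod-01", "timeGeneratedUtc": "2021-09-01T10:00:00Z"},
    {"alertType": "SQL.MySQL_PrincipalAnomaly", "severity": "Medium",
     "compromisedEntity": "mysql-dev-02", "timeGeneratedUtc": "2021-09-01T09:30:00Z"},
    {"alertType": "SQL.MariaDB_DataCenterAnomaly", "severity": "Low",
     "compromisedEntity": "mariadb-03", "timeGeneratedUtc": "2021-09-01T11:00:00Z"},
    {"alertType": "VM_SuspiciousActivity", "severity": "High",  # not a DB alert, skipped
     "compromisedEntity": "vm-01", "timeGeneratedUtc": "2021-09-01T07:00:00Z"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        flag = "ESCALATE" if f["escalate"] else "review"
        print(f"{flag:8} {f['server']:12} {f['engine']:10} {f['max_severity']:6} {f['families']}")
```

The correlation deliberately keys on the alert family rather than on the alert name, because the page shows that "Suspected brute force attack" and "Suspected successful brute force attack" share the same alert types; the time window is what separates an attempt from an attempt followed by a login.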

To enable Azure Defender for open-source relational databases:

  • Go to Security Center > Management > Pricing & settings
  • Select your subscription
  • Set Open-source relational databases to On and click Save
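The portal steps above enable the plan for one subscription at a time; the practical check afterwards is whether it is on in every subscription. The script below is an added example (not code from the original post or from Microsoft) that audits this through the Azure CLI and shows the CLI equivalent of On + Save. It assumes the plan's Microsoft.Security/pricings name is OpenSourceRelationalDatabases (verify with `az security pricing list` before relying on it); the subscription names and ids in the test data are constructed.

```python
"""Check that the Defender plan for open-source relational databases is on
in every enabled subscription, and show the CLI equivalent of On + Save.

Added example, not code from the original post. It shells out to the Azure
CLI (az); PLAN_NAME is the Microsoft.Security/pricings name this example
assumes for the plan, so verify it with `az security pricing list` first.
"""
from __future__ import annotations

import json
import subprocess
from typing import Callable

PLAN_NAME = "OpenSourceRelationalDatabases"


def run_az(args: list[str]) -> str:
    """Run one az command and return its JSON stdout."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def plan_tier(show_output: str) -> str:
    """pricingTier from `az security pricing show`: 'Standard' means on, 'Free' means off."""
    return json.loads(show_output).get("pricingTier", "Free")


def enable_command(subscription_id: str) -> list[str]:
    """The az arguments that turn the plan on for one subscription."""
    return ["security", "pricing", "create", "--name", PLAN_NAME,
            "--tier", "Standard", "--subscription", subscription_id]


def audit(runner: Callable[[list[str]], str] = run_az) -> dict[str, bool]:
    """Map subscription name -> plan enabled, skipping disabled subscriptions.

    `runner` is injectable so the logic can be exercised without an Azure login.
    """
    subscriptions = json.loads(runner(["account", "list", "--all"]))
    status: dict[str, bool] = {}
    for sub in subscriptions:
        if sub.get("state") != "Enabled":
            continue
        out = runner(["security", "pricing", "show", "--name", PLAN_NAME,
                      "--subscription", sub["id"]])
        status[sub["name"]] = plan_tier(out) == "Standard"
    return status


if __name__ == "__main__":
    for name, enabled in audit().items():
        print(f"{name}: {'on' if enabled else 'OFF'}")
```

Run it with an account that has Security Reader on the subscriptions; to switch a subscription on from the command line, pass the list returned by enable_command to `az`.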

Maxime.

ACR | Azure Defender for container registries now scans for vulnerabilities in registries protected with Azure Private Link

Hi!

Since August 2021, Azure Defender for container registries can scan for vulnerabilities in Azure Container Registries protected with Azure Private Link.

A few months ago, I wrote an article (in French) explaining how you can enable Azure Defender for container registries: Azure Container Registry | Scanner vos images de containers

Maxime.

AKS | Private Cluster RunCommand

Hi!

Today, when you need to access a private cluster, you must do so from within the cluster virtual network, a peered network, or a client machine connected to one of them. This usually requires your machine to be connected via VPN or ExpressRoute to the cluster virtual network, or a jumpbox to be created in the cluster virtual network.

AKS run command allows you to remotely invoke commands in an AKS cluster through the AKS API. This feature provides an API that allows you to, for example, execute just-in-time commands from a remote laptop for a private cluster. This can greatly assist with quick just-in-time access to a private cluster when the client machine is not on the cluster private network while still retaining and enforcing the same RBAC controls and private API server.

Register the RunCommandPreview feature flag:

az feature register --namespace "Microsoft.ContainerService" --name "RunCommandPreview"

Check the registration state until it shows Registered (this can take a few minutes):

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/RunCommandPreview')].{Name:name,State:properties.state}"

Propagate the change by re-registering the resource provider:

az provider register --namespace Microsoft.ContainerService

Invoke a command on the private cluster through the AKS API (here, listing the pods of kube-system):

az aks command invoke -g <resourceGroup> -n <clusterName> -c "kubectl get pods -n kube-system"
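Because run command reaches the private API server from outside the cluster network, the control a practitioner will want next is visibility into who uses it. Each invocation goes through Azure Resource Manager, so it leaves an entry in the subscription's Activity Log. The script below is an added example (not code from the original post or from Microsoft) that reviews a constructed Activity Log export for run command calls. It assumes the records carry operationName.value, caller, resourceId, eventTimestamp, status.value and httpRequest.clientIpAddress, and it assumes the operation name Microsoft.ContainerService/managedClusters/runCommand/action for the call; the callers, IPs, cluster and subscription id are constructed, and the operation name should be confirmed against a real entry from your own subscription.

```python
"""Review AKS run command use in an Activity Log export.

Added example, not code from the original post. Records are read in the
Activity Log JSON shape loosely (operationName.value, caller, resourceId,
eventTimestamp, status.value, httpRequest.clientIpAddress); RUN_COMMAND_OP
is the ARM action this example assumes `az aks command invoke` is logged
as, so confirm it against a real entry from your own subscription.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

RUN_COMMAND_OP = "microsoft.containerservice/managedclusters/runcommand/action"
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5  # this many calls by one caller on one cluster inside the window


def _ts(value: str) -> datetime:
    # Activity Log timestamps carry 7 fractional digits; drop them before parsing.
    return datetime.strptime(re.sub(r"\.\d+", "", value), "%Y-%m-%dT%H:%M:%SZ")


def is_run_command(rec: dict) -> bool:
    """True for a completed run command call (the 'Started' record is skipped)."""
    op = rec.get("operationName", {}).get("value", "")
    return op.lower() == RUN_COMMAND_OP and rec.get("status", {}).get("value") == "Succeeded"


def review(records: list[dict], approved_callers: set[str]) -> list[dict]:
    """One finding per successful run command call, flagged when the caller is not approved."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for rec in sorted(filter(is_run_command, records), key=lambda r: r["eventTimestamp"]):
        findings.append({
            "time": rec["eventTimestamp"],
            "cluster": rec["resourceId"].rsplit("/", 1)[-1],
            "caller": rec["caller"],
            "ip": rec.get("httpRequest", {}).get("clientIpAddress", "?"),
            "unapproved": rec["caller"].lower() not in approved,
        })
    return findings


def bursts(findings: list[dict]) -> set[tuple[str, str]]:
    """(cluster, caller) pairs with BURST_THRESHOLD or more calls inside BURST_WINDOW."""
    times: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for f in findings:
        times[(f["cluster"], f["caller"])].append(_ts(f["time"]))
    noisy = set()
    for pair, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_THRESHOLD:
                noisy.add(pair)
                break
    return noisy


def _rec(ts, caller, ip, op=RUN_COMMAND_OP, status="Succeeded", cluster="aks-prod"):
    # Builds constructed sample records; names, IPs and the subscription id are made up.
    return {"eventTimestamp": ts, "caller": caller, "status": {"value": status},
            "operationName": {"value": op}, "httpRequest": {"clientIpAddress": ip},
            "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks"
                          f"/providers/Microsoft.ContainerService/managedClusters/{cluster}"}


SAMPLE_RECORDS = [
    _rec("2021-09-01T08:00:00.1234567Z", "alice@contoso.example", "203.0.113.10"),
    _rec("2021-09-01T08:00:00.1234567Z", "alice@contoso.example", "203.0.113.10", status="Started"),
    _rec("2021-09-01T08:05:00Z", "alice@contoso.example", "203.0.113.10",
         op="Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"),
    _rec("2021-09-01T09:15:00Z", "bob@contoso.example", "198.51.100.7"),
] + [_rec(f"2021-09-01T10:0{m}:00Z", "svc-ci@contoso.example", "203.0.113.50") for m in range(5)]

if __name__ == "__main__":
    found = review(SAMPLE_RECORDS, {"alice@contoso.example", "svc-ci@contoso.example"})
    for f in found:
        tag = "UNAPPROVED" if f["unapproved"] else "ok        "
        print(f"{tag} {f['time']} {f['cluster']} {f['caller']} {f['ip']}")
    print("bursts:", bursts(found))
```

The approved-caller list is the same set of principals you would grant the Kubernetes RBAC rights mentioned above; the burst check catches a credential being scripted against the cluster, which is the pattern a stolen service account or laptop session tends to produce.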

Maxime.