Use this article to review Microsoft Defender for SQL alerts and investigate suspicious activity across affected resources. The guidance helps you open alerts quickly and follow through with deeper investigation when needed.
View and investigate SQL alerts
This article explains how to access and review security alerts from Microsoft Defender for SQL. When Defender for SQL detects suspicious database activity or potential vulnerabilities, it generates alerts that require investigation.
There are several ways to view Microsoft Defender for SQL alerts in Microsoft Defender for Cloud:
- The Alerts page.
- The affected machine's security page.
- The workload protections dashboard, which shows security coverage across resources.
- Through the direct link provided in the alert's email.
How to view alerts
To view security alerts in Microsoft Defender for Cloud, follow these steps:
1. Go to the Azure portal and sign in.
2. Search for and select Microsoft Defender for Cloud.
3. Select Security alerts.
4. Select an alert.
Alerts are self-contained and include detailed remediation steps and investigation guidance. For broader investigation, use related Microsoft Defender for Cloud and Microsoft Sentinel capabilities:
- Enable SQL Server auditing for deeper investigations. If you use Microsoft Sentinel, you can upload SQL auditing logs from Windows Security Log events to Sentinel for richer investigation. For details, see SQL Server auditing.
- To improve your security posture, use Defender for Cloud's recommendations for the host machine indicated in each alert to reduce the risks of future attacks.
For details, see Manage and respond to security alerts.