Enable Microsoft Defender for Cloud for Open-Source Relational Databases

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Microsoft Defender for Cloud is enabled for open-source relational databases such as Azure Database for PostgreSQL, Azure Database for MySQL, and Azure Database for MariaDB. Microsoft Defender for Cloud for open-source relational databases includes functionalities for discovering and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your relational databases.

Security

By default, Microsoft Defender for Cloud is disabled for all open-source relational databases. The security service monitors PostgreSQL, MySQL, and MariaDB database servers for threats such as SQL injection, brute-force attacks, and privilege abuse. Microsoft Defender for Cloud provides action-oriented security alerts with details of the suspicious activity and guidance on how to mitigate the security threats.


Audit

To determine if Microsoft Defender for Cloud is enabled for your Azure relational databases, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 In the Cloud Workload Protection (CWP) section, in the Pricing column, choose Select types > for the Databases plan to access the pricing information and quantity for each database resource type supported by Microsoft Defender for Cloud.

07 On the Resource types selection panel, check the Open-source relational databases pricing plan status. If the pricing plan status for Open-source relational databases is set to Off, Microsoft Defender for Cloud is not enabled for the open-source relational databases provisioned in the selected Azure subscription.

08 Repeat steps no. 4 – 7 for each Azure subscription created within your Microsoft Azure account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the security pricing list command (Windows/macOS/Linux) with custom output filters to describe the Microsoft Defender for Cloud pricing plan (tier) configured for the supported open-source relational databases in the selected subscription:

az security pricing list \
	--query 'value[?(name==`OpenSourceRelationalDatabases`)].pricingTier'

05 The command output should return the pricing plan (tier) configured for the open-source relational databases supported by Azure:

[
	"Free"
]

If the security pricing list command output returns "Free", as shown in the output example above, Microsoft Defender for Cloud is not enabled for the open-source relational databases provisioned in the selected Azure subscription.

06 Repeat steps no. 3 – 5 for each Azure subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Microsoft Defender for Cloud for the supported open-source relational databases, perform the following operations:

Turning on Microsoft Defender for Cloud for open-source relational databases incurs an additional cost per resource management operation.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 In the Cloud Workload Protection (CWP) section, in the Pricing column, choose Select types > for the Databases plan to access the pricing information and quantity for each database resource type supported by Microsoft Defender for Cloud.

07 On the Resource types selection panel, choose On for Open-source relational databases to enable Microsoft Defender for Cloud for the supported open-source relational databases. Select Continue for confirmation. Choose Save from the top menu to apply the changes.

08 Repeat steps no. 4 – 7 for each Azure subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the security pricing create command (Windows/macOS/Linux) to enable the Standard tier (i.e., the Standard pricing plan) for the open-source relational databases supported by Microsoft Defender for Cloud:

az security pricing create \
	--name OpenSourceRelationalDatabases \
	--tier standard

05 The command output should return the configuration information for the modified pricing plan:

{
	"deprecated": null,
	"enablementTime": "2025-02-26T10:00:00.000000+00:00",
	"extensions": null,
	"freeTrialRemainingTime": "0:00:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/OpenSourceRelationalDatabases",
	"name": "OpenSourceRelationalDatabases",
	"pricingTier": "Standard",
	"replacedBy": null,
	"subPlan": null,
	"type": "Microsoft.Security/pricings"
}

06 Repeat steps no. 3 – 5 for each Azure subscription available in your Microsoft Azure cloud account.
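The per-subscription loop that the Audit steps 03 – 06 and the Remediation steps 03 – 06 describe, as an added example that is not part of the original Conformity page: a POSIX shell script that walks every subscription, reports the tier of the OpenSourceRelationalDatabases plan, and, when given the argument remediate (a convention of this script, not of the Azure CLI), enables the Standard tier where it is missing. It assumes an already authenticated Azure CLI session and treats a plan that is absent from the listing as not enabled.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit every Azure subscription
# for the Defender "OpenSourceRelationalDatabases" plan; "remediate" enables it.
set -eu

PLAN_NAME="OpenSourceRelationalDatabases"

# Return 0 when the tier string means the plan is enabled ("Standard"),
# 1 otherwise. Comparison is case-insensitive; an empty value means the plan
# was absent from the pricing listing and counts as not enabled.
plan_is_enabled() {
  tier=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
  [ "$tier" = "standard" ]
}

# Tier of the plan in the currently selected subscription (empty if absent).
get_plan_tier() {
  az security pricing list \
    --query "value[?name=='${PLAN_NAME}'].pricingTier | [0]" \
    --output tsv
}

# Audit all subscriptions; returns 1 if any subscription is left non-compliant.
# With MODE=remediate the Standard tier is enabled instead of reported.
audit_all() {
  mode="${1:-audit}"
  rc=0
  for sub in $(az account list --query '[*].id' --output tsv); do
    az account set --subscription "$sub"
    tier=$(get_plan_tier)
    if plan_is_enabled "$tier"; then
      echo "$sub: $PLAN_NAME tier=$tier (OK)"
    elif [ "$mode" = "remediate" ]; then
      az security pricing create --name "$PLAN_NAME" --tier standard >/dev/null
      echo "$sub: $PLAN_NAME was '${tier:-absent}', now Standard"
    else
      echo "$sub: $PLAN_NAME tier=${tier:-absent} (FINDING: not enabled)"
      rc=1
    fi
  done
  return "$rc"
}

# Only talk to a real tenant when the Azure CLI is installed.
if command -v az >/dev/null 2>&1; then
  audit_all "${1:-audit}"
fi
```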

Publication date Feb 28, 2025