You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace.
You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database.
What should you do?
A. Run the Get-AzOperationalInsightsWorkspace cmdlet.
B. From the Azure SQL Database query editor, create a Transact-SQL query.
C. From the Azure Sentinel workspace, create a Kusto Query Language query.
D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
The correct answer is C. From the Azure Sentinel workspace, create a Kusto Query Language query.
Azure Sentinel is a cloud-native security information and event management (SIEM) service that provides intelligent security analytics across the enterprise. It uses Kusto Query Language (KQL) to query and analyze data.
Advanced Threat Protection (ATP) for Azure SQL Database is a security feature that provides threat detection capabilities for databases. It detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
To create a saved query in an Azure Sentinel workspace that finds events reported by ATP for Azure SQL Database, perform the following steps:
Open the Azure Sentinel workspace in the Azure portal.
Click on the "Logs" blade on the left-hand side of the workspace.
Click on the "+ New query" button to open the query editor.
In the query editor, query the SecurityEvent table, which holds the security events that ATP for Azure SQL Database reports into the workspace.
Use the following KQL query to find events reported by ATP for Azure SQL Database:
SecurityEvent
| where ProviderName == "Microsoft SQL Threat Detection"   // events raised by ATP for Azure SQL Database
| where EventID == 31655                                    // EventID is a numeric column, so compare it with a number rather than a quoted string
This query filters rows of the SecurityEvent table where ProviderName is "Microsoft SQL Threat Detection" and EventID is 31655. Event ID 31655 indicates that ATP has detected a potential SQL injection attack.
Click on the "Save" button to save the query as a saved query.
Give the query a name and a description.
Click on the "Save" button to save the query.
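The same procedure can be scripted instead of clicked through in the portal. The following PowerShell is an added example, not code from the original page or from Microsoft: it assumes the Az.Accounts and Az.OperationalInsights modules are installed, that Connect-AzAccount has already been run, and that the resource group and workspace names are placeholders to be replaced. Get-AzOperationalInsightsWorkspace is used here only to look up the workspace ID for a test run of the query; the saved query itself is created by New-AzOperationalInsightsSavedSearch, which is what the portal's "Save" button does on your behalf.

```powershell
# Added example (not from the original page). Assumes Az.Accounts and
# Az.OperationalInsights are installed and Connect-AzAccount has been run.
# The resource group and workspace names below are placeholders.
$resourceGroup = "rg-sentinel-placeholder"
$workspaceName = "law-sentinel-placeholder"

# The same filter the answer describes. EventID in SecurityEvent is a numeric
# column, so it is compared with a number rather than with a quoted string.
$kql = @"
SecurityEvent
| where ProviderName == "Microsoft SQL Threat Detection"
| where EventID == 31655
| project TimeGenerated, Computer, Account, EventID, Activity
"@

# Run the query once over the last 24 hours to confirm it compiles and returns
# the expected columns before saving it. Only the workspace ID is taken from
# Get-AzOperationalInsightsWorkspace; the cmdlet does not create saved queries.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
    -Query $kql -Timespan (New-TimeSpan -Days 1)
"Rows returned in the last 24 hours: $(@($result.Results).Count)"

# Save the query in the workspace. It then appears under Logs > Queries in the
# portal, grouped by the Category given here.
New-AzOperationalInsightsSavedSearch `
    -ResourceGroupName $resourceGroup `
    -WorkspaceName $workspaceName `
    -SavedSearchId "sql-atp-events" `
    -DisplayName "ATP for Azure SQL Database events" `
    -Category "SQL Threat Detection" `
    -Query $kql `
    -Version 1
```

The test run is worth keeping: if EventID were compared as the string "31655", the mismatch surfaces when the query is executed rather than after it has been saved and shared with the rest of the SOC.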
Option A, running the Get-AzOperationalInsightsWorkspace cmdlet, is not the correct way to create a saved query in an Azure Sentinel workspace; that cmdlet only retrieves workspace details.
Option B, creating a Transact-SQL query in the Azure SQL Database query editor, is not the correct way to find events reported by ATP for Azure SQL Database. The query editor is used to write and execute SQL queries against a database.
Option D, creating a Transact-SQL query in Microsoft SQL Server Management Studio (SSMS), is also not the correct way to find events reported by ATP for Azure SQL Database. SSMS is a client tool used to manage and administer SQL Server instances, but it is not the tool to query security events.