Merge pull request #54485 from R-C-Stewart/SQLPub-implement-defender-databases

The first push of a new module to learn

Author: JamesJBarnett

learn-pr/wwl-sci/implement-defender-databases/1-introduction.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: "Introduction to implementing Microsoft Defender for Databases to detect threats across Azure SQL services."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 2
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-sci/implement-defender-databases/2-explore-defender-databases-capabilities.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.explore-defender-databases-capabilities
+title: Explore Microsoft Defender for Databases capabilities
+metadata:
+  title: Explore Microsoft Defender for Databases Capabilities
+  description: "Explore the Defender for Databases plans, their coverage scope, and the threat types each plan detects across Azure SQL and open-source relational database services."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 3
+content: |
+  [!include[](includes/2-explore-defender-databases-capabilities.md)]

learn-pr/wwl-sci/implement-defender-databases/3-enable-defender-azure-sql-databases.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.enable-defender-azure-sql-databases
+title: Enable Defender for Azure SQL Databases at subscription scope
+metadata:
+  title: Enable Defender for Azure SQL Databases at Subscription Scope
+  description: "Enable Defender for Azure SQL Databases at subscription scope in Microsoft Defender for Cloud, verify coverage, and enforce consistent protection using Azure Policy."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 3
+content: |
+  [!include[](includes/3-enable-defender-azure-sql-databases.md)]

learn-pr/wwl-sci/implement-defender-databases/4-enable-defender-open-source-databases.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.enable-defender-open-source-databases
+title: Enable Defender for open-source relational databases
+metadata:
+  title: Enable Defender for Open-Source Relational Databases
+  description: "Enable Defender for open-source relational databases to protect Azure Database for PostgreSQL, MySQL, and MariaDB, and understand the coverage boundaries and limitations of this plan."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 3
+content: |
+  [!include[](includes/4-enable-defender-open-source-databases.md)]

learn-pr/wwl-sci/implement-defender-databases/5-configure-vulnerability-assessment.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.configure-vulnerability-assessment
+title: Configure vulnerability assessment
+metadata:
+  title: Configure Vulnerability Assessment
+  description: "Configure vulnerability assessment for Azure SQL Database and SQL Managed Instance, set scan baselines to distinguish accepted configurations from new findings, and remediate high-severity vulnerabilities."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 3
+content: |
+  [!include[](includes/5-configure-vulnerability-assessment.md)]

learn-pr/wwl-sci/implement-defender-databases/6-configure-alert-routing-validate-coverage.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.configure-alert-routing-validate-coverage
+title: Configure alert routing and validate coverage
+metadata:
+  title: Configure Alert Routing and Validate Coverage
+  description: "Configure email notifications and Microsoft Sentinel integration for Defender for Databases alerts, create suppression rules for known-good patterns, and validate coverage using sample alerts."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 3
+content: |
+  [!include[](includes/6-configure-alert-routing-validate-coverage.md)]

learn-pr/wwl-sci/implement-defender-databases/7-knowledge-check.yml

@@ -0,0 +1,60 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.knowledge-check
+title: Knowledge check
+metadata:
+  title: Knowledge Check
+  description: "Check your knowledge of implementing Microsoft Defender for Databases across Azure SQL and open-source relational database services."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  module_assessment: true
+  ai_generated_module_assessment: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/7-knowledge-check.md)]
+quiz:
+  title: Check your knowledge
+  questions:
+  - content: "Contoso's cloud security team needs to protect both Azure SQL Managed Instance and Azure Database for MySQL. Which Defender for Databases plan selection correctly covers both services?"
+    choices:
+    - content: "Defender for Azure SQL Databases covers both Azure SQL Managed Instance and Azure Database for MySQL in a single plan"
+      isCorrect: false
+      explanation: "Incorrect. Defender for Azure SQL Databases covers Azure SQL services including SQL Database, SQL Managed Instance, elastic pools, and Synapse Analytics dedicated SQL pools. Azure Database for MySQL is covered by a separate plan."
+    - content: "Defender for open-source relational databases covers all Azure PaaS database services including Azure SQL"
+      isCorrect: false
+      explanation: "Incorrect. Defender for open-source relational databases covers PostgreSQL, MySQL, and MariaDB flexible server offerings. It doesn't cover Azure SQL Database or SQL Managed Instance."
+    - content: "Defender for Azure SQL Databases for SQL Managed Instance, and Defender for open-source relational databases for Azure Database for MySQL"
+      isCorrect: true
+      explanation: "Correct. There are two separate plans within Defender for Databases. Defender for Azure SQL Databases covers SQL Managed Instance and other Azure SQL services. Defender for open-source relational databases covers MySQL Flexible Server and other open-source database services."
+    - content: "A single Defender for Databases plan covers all Azure relational database services"
+      isCorrect: false
+      explanation: "Incorrect. Defender for Databases is a category containing two separate plans with distinct coverage boundaries, not a single unified plan covering all relational database services."
+  - content: "A security engineer enables Defender for Azure SQL Databases at subscription scope. Which statement correctly describes the resulting coverage behavior?"
+    choices:
+    - content: "Only Azure SQL resources created before the enablement date receive protection; new resources require individual enrollment"
+      isCorrect: false
+      explanation: "Incorrect. Subscription-level enablement covers both existing and future resources. New Azure SQL resources created in the subscription receive protection automatically without requiring manual enrollment."
+    - content: "All existing and future Azure SQL resources in the subscription receive protection automatically"
+      isCorrect: true
+      explanation: "Correct. When you enable Defender for Azure SQL Databases at the subscription scope, all supported resources in the subscription are protected immediately. Future resources created in the same subscription also receive protection automatically."
+    - content: "Each Azure SQL server must be individually enrolled in Defender for Cloud after subscription-level enablement"
+      isCorrect: false
+      explanation: "Incorrect. Individual enrollment is the resource-level approach. Subscription-level enablement eliminates the need to configure each resource separately."
+    - content: "Coverage applies to Azure SQL Database but SQL Managed Instance requires a separate enablement step"
+      isCorrect: false
+      explanation: "Incorrect. Defender for Azure SQL Databases covers SQL Managed Instance as part of the same plan. Subscription-level enablement protects both SQL Database and SQL Managed Instance without separate steps."
+  - content: "A cloud security engineer runs a vulnerability assessment on Contoso's Azure SQL Database and sees several findings. Some findings represent accepted configurations, such as broad read permissions for an internal reporting service account. What is the correct action to prevent these known findings from appearing as open issues?"
+    choices:
+    - content: "Create an alert suppression rule in Defender for Cloud scoped to the affected storage account"
+      isCorrect: false
+      explanation: "Incorrect. Alert suppression rules apply to threat detection alerts, not to vulnerability assessment findings. They also reference storage accounts, which are unrelated to SQL vulnerability assessment."
+    - content: "Disable vulnerability assessment on the affected database to remove the false-positive findings"
+      isCorrect: false
+      explanation: "Incorrect. Disabling vulnerability assessment removes all findings and all ongoing scanning for that database. Removing the assessment is an overly broad action that eliminates security visibility."
+    - content: "Set a baseline for the findings to mark the accepted configurations as known and expected"
+      isCorrect: true
+      explanation: "Correct. Vulnerability assessment baselines allow you to mark specific findings as accepted configurations. After setting a baseline, those findings no longer appear as open issues, and the assessment only surfaces new or changed findings that deviate from the baseline."
+    - content: "Remove the Defender for Azure SQL Databases plan from the affected SQL server to clear the findings"
+      isCorrect: false
+      explanation: "Incorrect. Removing the Defender plan disables all threat detection and vulnerability assessment for the server. Removing the plan isn't an appropriate response to accepted configuration findings."

learn-pr/wwl-sci/implement-defender-databases/8-summary.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.implement-defender-databases.summary
+title: Summary
+metadata:
+  title: Summary
+  description: "Summary of implementing Microsoft Defender for Databases across Azure SQL and open-source relational database services."
+  ms.date: 04/22/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 1
+content: |
+  [!include[](includes/8-summary.md)]

learn-pr/wwl-sci/implement-defender-databases/includes/1-introduction.md

@@ -0,0 +1,14 @@
+Contoso Financial Services has platform-level security controls and a complete audit trail in place. But during a recent penetration test, SQL injection attacks bypassed input validation and extracted data—with no real-time alerts. The team also discovered that a misconfigured AI fraud detection service is sending anomalous SQL queries for six days before anyone noticed. The "access controls" and "audit logs" record everything, but they didn't detect the threats as they happened.
+
+The gap: Contoso has no active threat detection layer over its databases. Network controls and auditing are necessary but not sufficient. You need a service that monitors database activity, detects SQL injection attempts, identifies anomalous query patterns from AI services, and surfaces vulnerability exposures in real time.
+
+Microsoft Defender for Databases provides this layer. In this module, you explore the threat detection capabilities in Defender for Databases, enable protection for Azure SQL Databases and open-source relational databases, configure vulnerability assessment, and set up alert routing to ensure your security team receives actionable notifications.
+
+By the end of this module, you can:
+
+- Describe Microsoft Defender for Databases plans and threat detection capabilities
+- Enable Defender for Azure SQL Databases at subscription scope
+- Enable Defender for open-source relational databases
+- Configure vulnerability assessment to establish security baselines for Azure SQL
+- Configure alert routing to deliver Defender detections to the security operations team
+

learn-pr/wwl-sci/implement-defender-databases/includes/2-explore-defender-databases-capabilities.md

@@ -0,0 +1,48 @@
+Platform security controls and auditing logs are foundational, but they don't alert you when an attack is in progress or when an AI service begins querying sensitive data in unusual patterns. Microsoft Defender for Databases fills this gap by providing active threat detection, real-time alerts, and automated vulnerability scanning across your database workloads. At Contoso Financial Services, the security team needs to determine which plans to enable and how to configure detection policies.
+
+:::image type="content" source="../media/defender-databases-capabilities.png" alt-text="Diagram of Defender for Databases plans, coverage, shared threat detection capabilities, and MITRE ATT&CK mapping." lightbox="../media/defender-databases-capabilities.png":::
+
+| Plan | Coverage |
+|------|----------|
+| Defender for Azure SQL Databases | Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics dedicated SQL pools, SQL Server on Azure VMs, SQL Server on Arc-enabled machines |
+| Defender for open-source relational databases | Azure Database for PostgreSQL Flexible Server, Azure Database for MySQL Flexible Server, Amazon RDS instances—Aurora PostgreSQL, Aurora MySQL, PostgreSQL, MySQL, MariaDB (Preview) |
+
+## Compare Defender for Databases plans
+
+Defender for Databases is a bundle within Microsoft Defender for Cloud that contains four independently priced subplans: Defender for Azure SQL Databases, Defender for SQL Servers on Machines, Defender for Open-Source Relational Databases, and Defender for Azure Cosmos DB. This module focuses on the two plans most relevant to Azure SQL environments. Each plan targets a different database platform family and operates independently. Enable one or both based on your environment.
+
+The first plan, Defender for Azure SQL Databases, covers all Microsoft SQL-based services. This includes Azure SQL Database (single databases and elastic pools), Azure SQL Managed Instance (including read/write replicas), Azure Synapse Analytics dedicated SQL pools, and SQL Server running on infrastructure. With this plan, you protect SQL Server 2012–2022 running on Azure virtual machines and SQL Server on on-premises or multicloud machines connected through Azure Arc. This broad coverage means you can apply consistent threat detection policies across both platform-as-a-service databases and infrastructure-hosted SQL instances.
+
+The second plan, Defender for open-source relational databases, covers PostgreSQL and MySQL workloads. This plan protects Azure Database for PostgreSQL Flexible Server and Azure Database for MySQL Flexible Server across all pricing tiers. In preview, it also extends to Amazon RDS instances running Aurora PostgreSQL, Aurora MySQL, PostgreSQL, MySQL, and MariaDB. Unlike the Azure SQL plan, this plan doesn't support database servers running on virtual machines or Arc-enabled machines. The plan is designed exclusively for managed database services.
+
+| Feature | Azure SQL plan | Open-source plan |
+|---------|---------------|------------------|
+| PaaS database coverage | Yes | Yes |
+| IaaS database coverage | Yes (SQL Server on VMs and Arc) | No |
+| Multicloud support | Yes (Arc-enabled SQL) | Yes (Amazon RDS in preview) |
+| Threat detection | Yes | Yes |
+| Vulnerability assessment | Yes | No (not included) |
+
+The key difference for Contoso is coverage scope: if you run SQL Server on virtual machines or on-premises servers with Arc, you need the Azure SQL plan. If you only use managed PostgreSQL or MySQL services, the open-source plan provides the appropriate protection.
+
+## Detect active threats in real time
+
+Defender for Databases analyzes database information to identify attacks that bypass network and access controls. The detection engine continuously monitors query patterns, access behavior, and authentication attempts to surface threats as they occur.
+
+For Azure SQL workloads, Defender detects SQL injection attacks by identifying when applications construct SQL statements that include malicious user input. The detection logic identifies both successful injection attempts and vulnerability indicators. Even if the attacker hasn't yet escalated privileges, you receive an alert that the database is vulnerable. At Contoso, the banking API that constructs dynamic queries from customer input would trigger an alert when an attacker attempts to inject commands, giving the security team immediate visibility into the attack.
+
+Defender also detects anomalous database access and query patterns. The service establishes a baseline of normal behavior for each database, then alerts when access occurs from unusual geographic locations, at unexpected times, or with query volumes that deviate significantly from historical patterns. When Contoso's AI-powered fraud detection service begins querying customer transaction tables at 3 AM with 10 times the normal query volume, Defender flags this as suspicious activity even though the service uses legitimate credentials.
+
+Brute force attacks surface as abnormally high numbers of failed sign-in attempts within a short time window. Defender correlates these attempts and generates a single alert rather than flooding your queue with individual failed authentication events. Suspicious database activity includes access patterns associated with known threat indicators, such as queries originating from a host that's communicating with cryptocurrency mining command-and-control servers.
+
+Each alert includes a mapping to MITRE ATT&CK tactics, helping your security operations team understand which stage of the attack chain the threat represents: initial access, persistence, or exfiltration. This context accelerates response decisions and helps you prioritize remediation based on attack progression.
+
+## Identify vulnerabilities before attackers exploit them
+
+Vulnerability assessment is included in Defender for Azure SQL Databases as an integrated feature, not a separate product. The assessment engine automatically scans your databases for security misconfigurations and known vulnerabilities, then generates findings categorized by severity level: High, Medium, and lower-severity best practice recommendations.
+
+With Express configuration (the recommended mode), Microsoft manages scan result storage and no storage account configuration is required. Findings appear directly in Defender for Cloud's recommendations view without requiring you to configure storage accounts or scan agents. You can mark accepted findings—such as configurations that are intentional for your environment—so only new deviations surface as open issues. This baseline approach reduces alert fatigue and focuses your attention on configuration drift.
+
+At Contoso, vulnerability assessment might surface findings like publicly accessible database endpoints, weak password policies, or missing encryption at rest. Each finding includes remediation guidance that the security team can apply immediately or route to database administrators through Azure DevOps or ServiceNow integrations.
+
+Defender for Databases uses an agentless architecture across both plans. No agent deployment is required on database servers. Defender analyzes information at the Azure platform layer. This approach works uniformly across platform-as-a-service databases like Azure SQL Database and infrastructure-hosted SQL Server instances connected through Arc. You gain active threat detection without managing agent updates or troubleshooting connectivity issues.