
Azure SQL Management

This Integration is part of the Azure SQL Management Pack.#

The Microsoft Azure SQL Management integration manages the auditing and threat detection policies for Azure SQL. This integration was integrated and tested with version 2021-11-01 of Azure SQL Management.

In order to connect to Azure SQL Management using either the Cortex XSOAR Azure App or the Self-Deployed Azure App, use one of the following methods:

  • Authorization Code Flow (Recommended).
  • Device Code Flow.
  • Azure Managed Identities.
  • Client Credentials Flow.

Self-Deployed Application#

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

The application must have the user_impersonation permission and, for Device Code based authentication, must allow public client flows (found under the Authentication section of the app).

Authentication Using the User-Authentication Flow (recommended)#

Follow these steps for a self-deployed configuration:

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article, steps 1-8.
  2. Choose the 'User Auth' option in the Authentication Type parameter.
  3. Enter your Client/Application ID in the Application ID parameter.
  4. Enter your Client Secret in the Client Secret parameter.
  5. Enter your Tenant ID in the Tenant ID parameter.
  6. Enter your Application redirect URI in the Application redirect URI parameter.
  7. Save the instance.
  8. Run the !azure-sql-generate-login-url command in the War Room and follow the instructions.
  9. Run the !azure-sql-auth-test command - a 'Success' message should be printed to the War Room.

Authentication Using the Device Code Flow#

Use the device code flow to link Azure SQL Management with Cortex XSOAR.

Follow these steps for a self-deployed configuration:

  1. Fill in the required parameters.
  2. Choose the 'Device' option in the user_auth_flow parameter.
  3. Run the !azure-sql-auth-start command.
  4. Follow the instructions that appear.
  5. Run the !azure-sql-auth-complete command.

Cortex XSOAR Azure App#

In order to use the Cortex XSOAR Azure application, use the default application ID (8f9010bb-4efe-4cfa-a197-98a2694b7e0c).

You only need to fill in your subscription ID and resource group name. You can find your resource group and subscription ID in the Azure Portal. For a more detailed explanation, visit this page.

Client Credentials Flow Authentication#

To assign the required Azure roles to the application, follow the Microsoft article "Assign Azure roles using the Azure portal". Note: In the Select members section, assign the application you created earlier. To configure a Microsoft integration that uses this authorization flow with a self-deployed Azure application:

  1. In the Authentication Type field, select the Client Credentials option.
  2. In the Application ID field, enter your Client/Application ID.
  3. In the Tenant ID field, enter your Tenant ID.
  4. In the Client Secret field, enter your Client Secret.
  5. Click Test to validate the URLs, token, and connection.
  6. Save the instance.

Testing authentication and connectivity#

If you are using Device Code Flow or Authorization Code Flow, for testing your authentication and connectivity to the Azure SQL Management service run the !azure-sql-auth-test command. If you are using Client Credentials Flow, click Test when you are configuring the instance.

Configure Azure SQL Management on Cortex XSOAR#

In both options below, the device authorization grant flow is used.

In order to connect to Azure SQL Management using either the Cortex XSOAR Azure App or the Self-Deployed Azure App:

  1. Fill in the required parameters.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Application ID | | False |
    | Default Subscription ID | The Test button won't work if this is not populated. This value can be overridden on a command basis. | False |
    | Default Resource Group Name | The Test button won't work if this is not populated. This value can be overridden on a command basis. | False |
    | Authentication Type | Type of authentication - can be Authorization Code Flow (recommended), Device Code Flow, Azure Managed Identities or Client Credentials Flow. | True |
    | Tenant ID | For authorization code mode or client credentials. | False |
    | Client Secret | For authorization code mode or client credentials. | False |
    | Application redirect URI | For authorization code mode. | False |
    | Authorization code | For user-auth mode - received from the authorization step. | False |
    | Azure Managed Identities Client ID | The Managed Identities client ID for authentication - relevant only if the integration is running on an Azure VM. | False |
    | Azure AD endpoint | Azure AD endpoint associated with a national cloud. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

At the end of the process you'll see a message that you've logged in successfully.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-sql-auth-start#


Run this command to start the authorization process and follow the instructions in the command results.

Base Command#

azure-sql-auth-start

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command example#

!azure-sql-auth-start

Human Readable Output#

Authorization instructions#

  1. To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CODECODE to authenticate.
  2. Run the !azure-sql-auth-complete command in the War Room.

azure-sql-auth-complete#


Run this command to complete the authorization process. Should be used after running the azure-sql-auth-start command.

Base Command#

azure-sql-auth-complete

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-sql-auth-complete

Human Readable Output#

✅ Authorization completed successfully.

azure-sql-auth-reset#


Run this command if for some reason you need to rerun the authentication process.

Base Command#

azure-sql-auth-reset

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command example#

!azure-sql-auth-reset

Human Readable Output#

Authorization was reset successfully. You can now run !azure-sql-auth-start and !azure-sql-auth-complete.

azure-sql-auth-test#


Tests the connectivity to the Azure SQL Management.

Base Command#

azure-sql-auth-test

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-sql-auth-test

Human Readable Output#

✅ Success!

azure-sql-servers-list#


Lists all the servers.

Base Command#

azure-sql-servers-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | (Int) The maximum number of servers returned to the War Room. Default is 50. | Optional |
| offset | Offset in the data set. Default is 0. | Optional |
| subscription_id | Subscription ID. This value will override the instance param 'subscription_id'. | Optional |
| resource_group_name | A comma-separated list of resource group names. This value will override the instance param 'resource_group_name'. | Optional |
| list_by_resource_group | If true, returns the servers that match the given resource groups. Otherwise, returns a list of all the servers. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.Server | Unknown | Server list. |
| AzureSQL.Server.kind | String | Kind of server. |
| AzureSQL.Server.location | String | Server location. |
| AzureSQL.Server.tags | Unknown | Server tags. |
| AzureSQL.Server.id | String | Server ID. |
| AzureSQL.Server.name | String | Server name. |
| AzureSQL.Server.type | String | Server type. |
| AzureSQL.Server.administratorLogin | String | Username of the server administrator. |
| AzureSQL.Server.version | String | Server version. |
| AzureSQL.Server.state | String | Server state. |
| AzureSQL.Server.fullyQualifiedDomainName | Unknown | Fully qualified domain name of the server. |
| AzureSQL.Server.privateEndpointConnections | Unknown | List of private endpoint connections of the server. |
| AzureSQL.Server.publicNetworkAccess | Boolean | Whether the public endpoint access of the server is enabled. |
| AzureSQL.Server.restrictOutboundNetworkAccess | Unknown | Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. |

Command example#

!azure-sql-servers-list

Context Example#

{
  "AzureSQL": {
    "Server": {
      "administratorLogin": "xsoaradmin",
      "fullyQualifiedDomainName": "sqlintegration.database.windows.net",
      "id": "/subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration",
      "kind": "v12.0",
      "location": "eastus",
      "name": "sqlintegration",
      "privateEndpointConnections": [],
      "publicNetworkAccess": "Enabled",
      "restrictOutboundNetworkAccess": "Disabled",
      "state": "Ready",
      "tags": {},
      "type": "Microsoft.Sql/servers",
      "version": "12.0"
    }
  }
}

Human Readable Output#

Servers List#

| Administrator Login | Fully Qualified Domain Name | Id | Kind | Location | Name | Public Network Access | State | Type | Version |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| xsoaradmin | sqlintegration.database.windows.net | /subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration | v12.0 | eastus | sqlintegration | Enabled | Ready | Microsoft.Sql/servers | 12.0 |

azure-sql-db-list#


Lists all of the databases for the server.

Base Command#

azure-sql-db-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| server_name | Server name. | Required |
| limit | The maximum number of databases returned to the War Room. Default is 50. | Optional |
| offset | Offset in the data set. Default is 0. | Optional |
| subscription_id | Subscription ID. This value will override the instance param 'subscription_id'. | Optional |
| resource_group_name | Resource group name. This value will override the instance param 'resource_group_name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.DB | Unknown | All databases related to the server. |
| AzureSQL.DB.kind | String | Kind of database. |
| AzureSQL.DB.location | String | Database location. |
| AzureSQL.DB.id | String | Database ID. |
| AzureSQL.DB.name | String | Database name. |
| AzureSQL.DB.type | String | Database type. |
| AzureSQL.DB.managedBy | String | Resource that manages the database. |
| AzureSQL.DB.sku | Unknown | Database SKU. |
| AzureSQL.DB.catalogCollation | String | Collation of the catalog for the database. |
| AzureSQL.DB.collation | String | Database collation. |
| AzureSQL.DB.creationDate | String | Creation date of the database in ISO format. |
| AzureSQL.DB.currentServiceObjectiveName | String | Current service level objective name of the database. |
| AzureSQL.DB.currentSku | Unknown | Name, tier, and capacity of the SKU. |
| AzureSQL.DB.databaseID | String | Database ID. |
| AzureSQL.DB.defaultSecondaryLocation | String | Default secondary location of the database. |
| AzureSQL.DB.maxSizeBytes | Number | The maximum size of the database in bytes. |
| AzureSQL.DB.readReplicaCount | Number | The number of read-only secondary replicas of the database. |
| AzureSQL.DB.readScale | String | The read-only routing state. "Enabled" or "Disabled". |
| AzureSQL.DB.requestedServiceObjectiveName | String | The requested service objective name of the database. |
| AzureSQL.DB.status | String | Database status. |
| AzureSQL.DB.storageAccountType | String | Database storage account type. |
| AzureSQL.DB.zoneRedundant | Boolean | Whether the database zone is redundant. |
| AzureSQL.DB.currentBackupStorageRedundancy | Unknown | The storage account type used to store backups for this database. |
| AzureSQL.DB.requestedBackupStorageRedundancy | Unknown | The storage account type to be used to store backups for this database. |
| AzureSQL.DB.maintenanceConfigurationId | String | Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. |
| AzureSQL.DB.isLedgerOn | Boolean | Whether or not this database is a ledger database, which means all tables in the database are ledger tables. The value of this property cannot be changed after the database has been created. |
| AzureSQL.DB.isInfraEncryptionEnabled | Boolean | Whether infra encryption is enabled for this database. |

Command Example#

!azure-sql-db-list server_name=sqlintegration

Context Example#

{
  "AzureSQL": {
    "DB": [
      {
        "catalogCollation": "SQL_Latin1_General_CP1_CI_AS",
        "collation": "SQL_Latin1_General_CP1_CI_AS",
        "creationDate": "2020-12-15T14:31:06.663Z",
        "currentBackupStorageRedundancy": "currentBackupStorageRedundancy",
        "currentServiceObjectiveName": "S0",
        "currentSku": {
          "capacity": 10,
          "name": "Standard",
          "tier": "Standard"
        },
        "databaseId": "databaseId",
        "defaultSecondaryLocation": "westus",
        "earliestRestoreDate": "2023-05-04T13:34:04.2874123Z",
        "id": "id",
        "isInfraEncryptionEnabled": false,
        "isLedgerOn": false,
        "kind": "v12.0,user",
        "location": "eastus",
        "maintenanceConfigurationId": "maintenanceConfigurationId",
        "maxSizeBytes": 268435456000,
        "name": "sql-integration-db",
        "readScale": "Disabled",
        "requestedBackupStorageRedundancy": "requestedBackupStorageRedundancy",
        "requestedServiceObjectiveName": "S0",
        "sku": {
          "capacity": 10,
          "name": "Standard",
          "tier": "Standard"
        },
        "status": "Online",
        "tags": {},
        "type": "Microsoft.Sql/servers/databases",
        "zoneRedundant": false
      }
    ]
  }
}

Human Readable Output#

Database List#

| Name | Location | Status | Managed By |
| --- | --- | --- | --- |
| sql-integration-db | eastus | Online | |

azure-sql-db-audit-policy-list#


Gets the audit settings of the specified database.

Base Command#

azure-sql-db-audit-policy-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| server_name | Server name. | Required |
| db_name | Database name. | Required |
| limit | The maximum number of database audit policies returned to the War Room. Default is 50. | Optional |
| offset | Offset in the data set. Default is 0. | Optional |
| subscription_id | Subscription ID. This value will override the instance param 'subscription_id'. | Optional |
| resource_group_name | A comma-separated list of resource group names. This value will override the instance param 'resource_group_name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.DBAuditPolicy | Unknown | List of all database audit settings. |
| AzureSQL.DBAuditPolicy.kind | String | Kind of audit policy. |
| AzureSQL.DBAuditPolicy.id | String | Audit policy ID. |
| AzureSQL.DBAuditPolicy.name | String | Audit policy name. |
| AzureSQL.DBAuditPolicy.type | String | Resource type. |
| AzureSQL.DBAuditPolicy.isAzureMonitorTargetEnabled | Boolean | Whether audit events are sent to Azure Monitor. Possible values: "True" (Enabled) or "False" (Disabled). |
| AzureSQL.DBAuditPolicy.retentionDays | Number | Number of days to keep in the audit logs in the storage account. |
| AzureSQL.DBAuditPolicy.state | String | Policy state. |
| AzureSQL.DBAuditPolicy.storageAccountSubscriptionId | String | Storage subscription ID. |
| AzureSQL.DBAuditPolicy.databaseName | String | The name of the database that the audit policy is related to. |
| AzureSQL.DBAuditPolicy.serverName | String | The name of the server that the audit policy is related to. |
| AzureSQL.DBAuditPolicy.isManagedIdentityInUse | Boolean | Specifies whether Managed Identity is used to access blob storage. |

Command Example#

!azure-sql-db-audit-policy-list server_name=sqlintegration db_name=sql-integration-db

Context Example#

{
  "AzureSQL": {
    "DBAuditPolicy": {
      "auditActionsAndGroups": [
        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
        "FAILED_DATABASE_AUTHENTICATION_GROUP",
        "BATCH_COMPLETED_GROUP"
      ],
      "databaseName": "sql-db",
      "id": "/subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/auditingSettings/Default",
      "isAzureMonitorTargetEnabled": true,
      "isManagedIdentityInUse": false,
      "name": "Default",
      "retentionDays": 3,
      "serverName": "sql",
      "state": "Enabled",
      "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
      "storageEndpoint": "",
      "type": "Microsoft.Sql/servers/databases/auditingSettings"
    }
  }
}

Human Readable Output#

Database Audit Settings for resource_group_name='sql-integration'#

| Audit Actions And Groups | Database Name | Id | Is Azure Monitor Target Enabled | Is Managed Identity In Use | Name | Retention Days | Server Name | State | Storage Account Subscription Id | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP | sql-integration-db | /subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/auditingSettings/Default | true | false | Default | 3 | sqlintegration | Enabled | 00000000-0000-0000-0000-000000000000 | Microsoft.Sql/servers/databases/auditingSettings |

azure-sql-db-threat-policy-get#


Gets the threat detection policy of the specified database.

Base Command#

azure-sql-db-threat-policy-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| server_name | Server name. | Required |
| db_name | Database name. | Required |
| subscription_id | Subscription ID. This value will override the instance param 'subscription_id'. | Optional |
| resource_group_name | Resource group name. This value will override the instance param 'resource_group_name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.DBThreatPolicy | Unknown | All threat policies related to the database. |
| AzureSQL.DBThreatPolicy.kind | String | Kind of threat policy. |
| AzureSQL.DBThreatPolicy.location | String | Threat policy location. |
| AzureSQL.DBThreatPolicy.id | String | Threat policy ID. |
| AzureSQL.DBThreatPolicy.name | String | Threat policy name. |
| AzureSQL.DBThreatPolicy.type | String | Threat policy type. |
| AzureSQL.DBThreatPolicy.state | String | Threat policy state. |
| AzureSQL.DBThreatPolicy.creationTime | String | Threat policy creation time. |
| AzureSQL.DBThreatPolicy.retentionDays | Number | Number of days to keep in the Threat Detection audit logs. |
| AzureSQL.DBThreatPolicy.storageAccountAccessKey | String | The identifier key of the Threat Detection audit storage account. |
| AzureSQL.DBThreatPolicy.storageEndpoint | String | Threat Detection audit storage account. |
| AzureSQL.DBThreatPolicy.emailAccountAdmins | Boolean | Whether the alert is sent to the account administrators. |
| AzureSQL.DBThreatPolicy.emailAddresses | String | List of email addresses to which the alert is sent. |
| AzureSQL.DBThreatPolicy.disabledAlerts | String | List of alerts that are disabled, or an empty string if no alerts are disabled. |
| AzureSQL.DBThreatPolicy.useServerDefault | Unknown | Whether to use the default server policy. |
| AzureSQL.DBThreatPolicy.databaseName | String | The name of the database that the threat policy is related to. |
| AzureSQL.DBThreatPolicy.serverName | String | The name of the server that the threat policy is related to. |

Command example#

!azure-sql-db-threat-policy-get server_name=sqlintegration db_name=sql-integration-db

Context Example#

{
  "AzureSQL": {
    "DBThreatPolicy": {
      "creationTime": "2021-01-04T08:05:32.05Z",
      "databaseName": "sql-db",
      "disabledAlerts": [
        ""
      ],
      "emailAccountAdmins": false,
      "emailAddresses": [
        ""
      ],
      "id": "/subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/securityAlertPolicies/Default",
      "name": "Default",
      "retentionDays": 0,
      "serverName": "sql",
      "state": "Enabled",
      "storageAccountAccessKey": "",
      "storageEndpoint": "",
      "type": "Microsoft.Sql/servers/databases/securityAlertPolicies"
    }
  }
}

Human Readable Output#

Database Threat Detection Policies#

| Creation Time | Database Name | Disabled Alerts | Email Account Admins | Email Addresses | Id | Name | Retention Days | Server Name | State | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-01-04T08:05:32.05Z | sql-db | | false | | /subscriptions/0123456789/resourceGroups/sql/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/securityAlertPolicies/Default | Default | 0 | sqlintegration | Enabled | Microsoft.Sql/servers/databases/securityAlertPolicies |

azure-sql-db-audit-policy-create-update#


Creates or updates the database's auditing policy.

Base Command#

azure-sql-db-audit-policy-create-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| server_name | Server name. | Required |
| db_name | Database name. | Required |
| state | Set the state of the policy. Possible values: "Enable" or "Disable". When the state is enabled, storage_endpoint or is_azure_monitor_target_enabled is required. | Required |
| audit_actions_groups | Comma-separated list of action groups and actions to audit. For all possible values, see the Microsoft documentation at https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver15. | Optional |
| is_azure_monitor_target_enabled | Whether audit events are sent to Azure Monitor. Possible values: "true" and "false". | Optional |
| is_storage_secondary_key_in_use | Whether the storage account access key value is the storage's secondary key. Possible values: "true" and "false". | Optional |
| queue_delay_ms | Time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). | Optional |
| retention_days | Number of days to keep the policy in the audit logs. | Optional |
| storage_account_access_key | Identifier key of the auditing storage account. | Optional |
| storage_account_subscription_id | Storage subscription ID. | Optional |
| storage_endpoint | Storage endpoint. If the value for the state argument is enabled, the value for the storage_endpoint or is_azure_monitor_target_enabled argument is required. | Optional |
| subscription_id | Subscription ID. This value will override the instance param 'subscription_id'. | Optional |
| resource_group_name | A comma-separated list of resource group names. This value will override the instance param 'resource_group_name'. | Optional |
| is_managed_identity_in_use | Specifies whether Managed Identity is used to access blob storage. Possible values are: true, false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.DBAuditPolicy.kind | String | Kind of audit policy. |
| AzureSQL.DBAuditPolicy.id | String | Audit policy ID. |
| AzureSQL.DBAuditPolicy.name | String | Audit policy name. |
| AzureSQL.DBAuditPolicy.type | String | Resource type. |
| AzureSQL.DBAuditPolicy.isAzureMonitorTargetEnabled | Boolean | Whether audit events are sent to Azure Monitor. The value is "True" (Enabled) or "False" (Disabled). |
| AzureSQL.DBAuditPolicy.retentionDays | Number | Number of days to keep in the audit logs in the storage account. |
| AzureSQL.DBAuditPolicy.state | String | Policy state. |
| AzureSQL.DBAuditPolicy.storageAccountSubscriptionId | String | Storage subscription ID. |
| AzureSQL.DBAuditPolicy.auditActionsAndGroups | Unknown | Audit actions and groups to audit. |
| AzureSQL.DBAuditPolicy.isStorageSecondaryKeyInUse | Boolean | Whether the storage_account_access_key value is the storage's secondary key. |
| AzureSQL.DBAuditPolicy.queueDelayMs | String | Time in milliseconds that can elapse before audit actions are forced to be processed. |
| AzureSQL.DBAuditPolicy.storageAccountAccessKey | String | Identifier key of the auditing storage account. |
| AzureSQL.DBAuditPolicy.storageEndpoint | String | Storage endpoint. |
| AzureSQL.DBAuditPolicy.databaseName | String | The name of the database that the audit policy is related to. |
| AzureSQL.DBAuditPolicy.serverName | String | The name of the server that the audit policy is related to. |
| AzureSQL.DBAuditPolicy.isManagedIdentityInUse | Boolean | Specifies whether Managed Identity is used to access blob storage. |

Command example#

!azure-sql-db-audit-policy-create-update server_name=sqlintegration db_name=sql-integration-db state=Enabled is_azure_monitor_target_enabled=true retention_days=3 queue_delay_ms=123

Context Example#

{
  "AzureSQL": {
    "DBAuditPolicy": {
      "auditActionsAndGroups": [
        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
        "FAILED_DATABASE_AUTHENTICATION_GROUP",
        "BATCH_COMPLETED_GROUP"
      ],
      "databaseName": "sql-db",
      "id": "/subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/auditingSettings/Default",
      "isAzureMonitorTargetEnabled": true,
      "isManagedIdentityInUse": false,
      "name": "Default",
      "queueDelayMs": 123,
      "retentionDays": 3,
      "serverName": "sql",
      "state": "Enabled",
      "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
      "type": "Microsoft.Sql/servers/databases/auditingSettings"
    }
  }
}

Human Readable Output#

Create Or Update Database Auditing Settings for resource_group_name='sql-integration'#

| Audit Actions And Groups | Database Name | Id | Is Azure Monitor Target Enabled | Is Managed Identity In Use | Name | Queue Delay Ms | Retention Days | Server Name | State | Storage Account Subscription Id | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP | sql-db | /subscriptions/0123456789/resourceGroups/sql/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/auditingSettings/Default | true | false | Default | 123 | 3 | sqlintegration | Enabled | 00000000-0000-0000-0000-000000000000 | Microsoft.Sql/servers/databases/auditingSettings |
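To make concrete what the command above sends to the Azure SQL Management REST API, here is an added Python example (not the integration's own code) that builds the auditingSettings PUT request from the command's arguments, enforces the documented rule that an enabled policy needs storage_endpoint or is_azure_monitor_target_enabled, and redacts the storage account access key before the request is logged. The ARM host, the fixed policy name "default" in the path and all function names are this example's assumptions.

```python
# Added example, not part of the XSOAR integration: mirrors the arguments of
# azure-sql-db-audit-policy-create-update and builds the matching ARM request.
from __future__ import annotations

import copy
from typing import Any
from urllib.parse import quote

API_VERSION = "2021-11-01"  # the API version the integration was tested with
ARM_BASE = "https://management.azure.com"  # assumed: public-cloud ARM endpoint

# command argument -> (property in the auditingSettings body, value kind)
_PROPERTY_MAP = {
    "is_azure_monitor_target_enabled": ("isAzureMonitorTargetEnabled", "bool"),
    "is_storage_secondary_key_in_use": ("isStorageSecondaryKeyInUse", "bool"),
    "is_managed_identity_in_use": ("isManagedIdentityInUse", "bool"),
    "queue_delay_ms": ("queueDelayMs", "int"),
    "retention_days": ("retentionDays", "int"),
    "storage_account_access_key": ("storageAccountAccessKey", "str"),
    "storage_account_subscription_id": ("storageAccountSubscriptionId", "str"),
    "storage_endpoint": ("storageEndpoint", "str"),
    "audit_actions_groups": ("auditActionsAndGroups", "list"),
}

# Constructed from the command example on this page.
EXAMPLE_ARGS = {"server_name": "sqlintegration", "db_name": "sql-integration-db",
                "state": "Enabled", "is_azure_monitor_target_enabled": "true",
                "retention_days": "3", "queue_delay_ms": "123"}


def _to_bool(value: Any) -> bool:
    """The command takes 'true'/'false' strings; the API wants JSON booleans."""
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    raise ValueError(f"expected 'true' or 'false', got {value!r}")


def _normalize_state(value: str) -> str:
    """Accept 'Enable'/'Disable' (documented) and 'Enabled'/'Disabled' (example)."""
    lowered = value.strip().lower()
    if lowered in ("enable", "enabled"):
        return "Enabled"
    if lowered in ("disable", "disabled"):
        return "Disabled"
    raise ValueError(f"state must be Enabled or Disabled, got {value!r}")


def build_audit_policy_request(args: dict[str, Any], default_subscription_id: str,
                               default_resource_group: str) -> dict[str, Any]:
    """Return {'method', 'url', 'body'} for the auditingSettings PUT call.
    subscription_id / resource_group_name in args override the instance defaults."""
    subscription = args.get("subscription_id") or default_subscription_id
    resource_group = args.get("resource_group_name") or default_resource_group
    properties: dict[str, Any] = {"state": _normalize_state(args["state"])}
    for arg_name, (prop, kind) in _PROPERTY_MAP.items():
        raw = args.get(arg_name)
        if raw is None or raw == "":
            continue  # unset arguments are left out so Azure keeps its current value
        if kind == "bool":
            properties[prop] = _to_bool(raw)
        elif kind == "int":
            properties[prop] = int(raw)
        elif kind == "list":
            properties[prop] = [g.strip() for g in str(raw).split(",") if g.strip()]
        else:
            properties[prop] = str(raw)
    # Documented constraint: an enabled policy must have somewhere to send events.
    if properties["state"] == "Enabled" and not (
        properties.get("storageEndpoint") or properties.get("isAzureMonitorTargetEnabled")
    ):
        raise ValueError("state=Enabled requires storage_endpoint or "
                         "is_azure_monitor_target_enabled=true")
    segments = [subscription, resource_group, args["server_name"], args["db_name"]]
    sub, rg, server, db = (quote(s, safe="") for s in segments)  # never trust names raw
    url = (f"{ARM_BASE}/subscriptions/{sub}/resourceGroups/{rg}"
           f"/providers/Microsoft.Sql/servers/{server}/databases/{db}"
           f"/auditingSettings/default?api-version={API_VERSION}")
    return {"method": "PUT", "url": url, "body": {"properties": properties}}


def loggable(request: dict[str, Any]) -> dict[str, Any]:
    """Copy of the request safe for the War Room or a log: the storage account
    access key is a credential and must not be recorded."""
    safe = copy.deepcopy(request)
    if "storageAccountAccessKey" in safe["body"]["properties"]:
        safe["body"]["properties"]["storageAccountAccessKey"] = "<redacted>"
    return safe
```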

azure-sql-db-threat-policy-create-update#


Creates or updates the database's threat detection policy.

Base Command#

azure-sql-db-threat-policy-create-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| server_name | Server name. | Required |
| db_name | Database name. | Required |
| state | The state of the policy. Possible values: "Enabled" and "Disabled". | Required |
| retention_days | Number of days to keep the policy in the audit logs. | Optional |
| storage_account_access_key | The identifier key of the threat detection audit storage account. | Optional |
| storage_endpoint | The blob storage endpoint. This blob storage will hold all Threat Detection audit logs. | Optional |
| disabled_alerts | Comma-separated list of alerts that are disabled. Possible values: "None", "Sql_Injection", "Sql_Injection_Vulnerability", "Access_Anomaly", "Data_Exfiltration", and "Unsafe_Action". | Optional |
| email_addresses | Comma-separated list of email addresses to which the alert is sent. | Optional |
| email_account_admins | Whether the alert is sent to the account administrators. Possible values: "true" and "false". | Optional |
| use_server_default | Whether to use the default server policy. Possible values: "Enabled" and "Disabled". | Optional |
| subscription_id | Subscription ID. This value will override the instance param 'subscription_id'. | Optional |
| resource_group_name | A comma-separated list of resource group names. This value will override the instance param 'resource_group_name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.DBThreatPolicy.kind | String | Kind of threat policy. |
| AzureSQL.DBThreatPolicy.location | String | Threat policy location. |
| AzureSQL.DBThreatPolicy.id | String | Threat policy ID. |
| AzureSQL.DBThreatPolicy.name | String | Threat policy name. |
| AzureSQL.DBThreatPolicy.type | String | Threat policy type. |
| AzureSQL.DBThreatPolicy.state | String | Threat policy state. |
| AzureSQL.DBThreatPolicy.creationTime | String | Threat policy creation time. |
| AzureSQL.DBThreatPolicy.retentionDays | Number | Number of days to keep in the Threat Detection audit logs. |
| AzureSQL.DBThreatPolicy.storageAccountAccessKey | String | The identifier key of the Threat Detection audit storage account. |
| AzureSQL.DBThreatPolicy.storageEndpoint | String | Threat Detection audit storage account. |
| AzureSQL.DBThreatPolicy.emailAccountAdmins | Boolean | Whether the alert is sent to the account administrators. |
| AzureSQL.DBThreatPolicy.emailAddresses | String | List of email addresses to which the alert is sent. |
| AzureSQL.DBThreatPolicy.disabledAlerts | String | List of alerts that are disabled, or an empty string if no alerts are disabled. |
| AzureSQL.DBThreatPolicy.useServerDefault | Unknown | Whether to use the default server policy. |
| AzureSQL.DBThreatPolicy.databaseName | String | The name of the database that the threat policy is related to. |
| AzureSQL.DBThreatPolicy.serverName | String | The name of the server that the threat policy is related to. |

Command example#

!azure-sql-db-threat-policy-create-update server_name=sqlintegration db_name=sql-integration-db state=Enabled disabled_alerts="Sql_Injection,Sql_Injection_Vulnerability" retention_days=5

Context Example#

{
  "AzureSQL": {
    "DBThreatPolicy": {
      "creationTime": "0001-01-01T00:00:00Z",
      "databaseName": "sql-integration-db",
      "disabledAlerts": [
        "Sql_Injection",
        "Sql_Injection_Vulnerability"
      ],
      "emailAccountAdmins": false,
      "emailAddresses": [],
      "id": "/subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/securityAlertPolicies/Default",
      "name": "Default",
      "retentionDays": 5,
      "serverName": "sqlintegration",
      "state": "Enabled",
      "storageAccountAccessKey": "",
      "type": "Microsoft.Sql/servers/databases/securityAlertPolicies"
    }
  }
}

Human Readable Output#

Create Or Update Database Threat Detection Policies for resource_group_name='sql-integration'#

| Creation Time | Database Name | Disabled Alerts | Email Account Admins | Id | Name | Retention Days | Server Name | State | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0001-01-01T00:00:00Z | sql-integration-db | Sql_Injection, Sql_Injection_Vulnerability | false | /subscriptions/0123456789/resourceGroups/sql-integration/providers/Microsoft.Sql/servers/sqlintegration/databases/sql-integration-db/securityAlertPolicies/Default | Default | 5 | sqlintegration | Enabled | Microsoft.Sql/servers/databases/securityAlertPolicies |
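As an added example (not code from the integration), the following Python evaluates the AzureSQL.DBAuditPolicy and AzureSQL.DBThreatPolicy context returned by azure-sql-db-audit-policy-list and azure-sql-db-threat-policy-get, and derives the arguments a playbook would pass to azure-sql-db-threat-policy-create-update to fix what it finds. The retention baseline, the required audit group and the function names are this example's assumptions; the sample policies are the context examples from this page.

```python
# Added example, not part of the XSOAR integration: posture checks over the
# audit and threat policy context the list/get commands return. The baseline
# values and function names are assumptions made for this example.
from __future__ import annotations

from typing import Any

MIN_RETENTION_DAYS = 90  # assumed organisational baseline for storage retention
REQUIRED_AUDIT_GROUPS = ("FAILED_DATABASE_AUTHENTICATION_GROUP",)  # assumed baseline
# Alert types the disabled_alerts argument accepts (listed on this page).
ALERT_TYPES = ("Sql_Injection", "Sql_Injection_Vulnerability", "Access_Anomaly",
               "Data_Exfiltration", "Unsafe_Action")

# Constructed inputs, copied from the context examples on this page.
AUDIT_POLICY = {
    "auditActionsAndGroups": ["SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
                              "FAILED_DATABASE_AUTHENTICATION_GROUP",
                              "BATCH_COMPLETED_GROUP"],
    "databaseName": "sql-db", "isAzureMonitorTargetEnabled": True,
    "isManagedIdentityInUse": False, "retentionDays": 3, "serverName": "sql",
    "state": "Enabled", "storageEndpoint": "",
}
THREAT_POLICY = {
    "databaseName": "sql-integration-db",
    "disabledAlerts": ["Sql_Injection", "Sql_Injection_Vulnerability"],
    "emailAccountAdmins": False, "emailAddresses": [], "retentionDays": 5,
    "serverName": "sqlintegration", "state": "Enabled", "storageAccountAccessKey": "",
}


def _has_recipients(policy: dict[str, Any]) -> bool:
    """True if someone receives threat alerts (account admins or explicit addresses)."""
    explicit = [e for e in policy.get("emailAddresses") or [] if e]
    return bool(policy.get("emailAccountAdmins")) or bool(explicit)


def check_audit_policy(policy: dict[str, Any]) -> list[str]:
    """Findings for one AzureSQL.DBAuditPolicy entry; an empty list means OK."""
    if policy.get("state") != "Enabled":
        return ["auditing is disabled"]
    findings: list[str] = []
    to_storage = bool(policy.get("storageEndpoint"))
    to_monitor = bool(policy.get("isAzureMonitorTargetEnabled"))
    if not (to_storage or to_monitor):
        findings.append("auditing is enabled but has no destination")
    # retentionDays applies to the storage-account copy of the audit logs.
    retention = int(policy.get("retentionDays") or 0)
    if to_storage and retention < MIN_RETENTION_DAYS:
        findings.append(f"storage retention {retention}d is below the "
                        f"{MIN_RETENTION_DAYS}d baseline")
    groups = set(policy.get("auditActionsAndGroups") or [])
    for group in REQUIRED_AUDIT_GROUPS:
        if group not in groups:
            findings.append(f"audit group {group} is not collected")
    return findings


def check_threat_policy(policy: dict[str, Any]) -> list[str]:
    """Findings for one AzureSQL.DBThreatPolicy entry; an empty list means OK."""
    if policy.get("state") != "Enabled":
        return ["threat detection is disabled"]
    findings: list[str] = []
    disabled = {a for a in policy.get("disabledAlerts") or [] if a}  # "" = none
    for alert in sorted(disabled & set(ALERT_TYPES)):
        findings.append(f"alert type {alert} is disabled")
    if not _has_recipients(policy):
        findings.append("no alert recipients configured")
    return findings


def threat_policy_remediation(policy: dict[str, Any], server_name: str,
                              db_name: str) -> dict[str, str] | None:
    """Arguments for azure-sql-db-threat-policy-create-update that clear the
    findings of check_threat_policy, or None when nothing needs changing."""
    if not check_threat_policy(policy):
        return None
    args = {"server_name": server_name, "db_name": db_name, "state": "Enabled",
            "disabled_alerts": "None"}  # "None" re-enables every alert type
    if not _has_recipients(policy):
        args["email_account_admins"] = "true"
    return args
```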

azure-sql-generate-login-url#


Generates the login URL used for the Authorization Code Flow.

Base Command#

azure-sql-generate-login-url

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-sql-generate-login-url

Human Readable Output#

Authorization instructions#

  1. Click on the login URL to sign in and grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  2. Copy the AUTH_CODE (without the code= prefix, and the session_state parameter) and paste it in your instance configuration under the Authorization code parameter.

azure-sql-subscriptions-list#


Gets all subscriptions for a tenant.

Base Command#

azure-sql-subscriptions-list

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.Subscription.id | String | The fully qualified ID for the subscription. |
| AzureSQL.Subscription.authorizationSource | String | The authorization source of the request. Valid values are one or more combinations of Legacy, RoleBased, Bypassed, Direct and Management. For example, 'Legacy, RoleBased'. |
| AzureSQL.Subscription.managedByTenants | Unknown | An array containing the tenants managing the subscription. |
| AzureSQL.Subscription.subscriptionId | String | The subscription ID. |
| AzureSQL.Subscription.tenantId | String | The subscription tenant ID. |
| AzureSQL.Subscription.displayName | String | The subscription display name. |
| AzureSQL.Subscription.state | String | The subscription state. Possible values are Enabled, Warned, PastDue, Disabled, and Deleted. |
| AzureSQL.Subscription.subscriptionPolicies.locationPlacementId | String | The subscription location placement ID. The ID indicates which regions are visible for a subscription. For example, a subscription with a location placement ID of Public_2014-09-01 has access to Azure public regions. |
| AzureSQL.Subscription.subscriptionPolicies.quotaId | String | The subscription quota ID. |
| AzureSQL.Subscription.subscriptionPolicies.spendingLimit | String | The subscription spending limit. |

Command Example#

!azure-sql-subscriptions-list

Context Example#

{
  "AzureSQL": {
    "Subscription": {
      "id": "id",
      "authorizationSource": "RoleBased",
      "managedByTenants": [],
      "subscriptionId": "subscriptionId",
      "tenantId": "tenantId",
      "displayName": "displayName",
      "state": "Enabled",
      "subscriptionPolicies": {
        "locationPlacementId": "locationPlacementId",
        "quotaId": "quotaId",
        "spendingLimit": "On"
      }
    }
  }
}

Human Readable Output#

Subscription List#

| Subscription Id | Name | Tenant Id | State |
| --- | --- | --- | --- |
| subscriptionId | displayName | tenantId | Enabled |

azure-sql-resource-group-list#


Gets all the resource groups for a subscription.

Base Command#

azure-sql-resource-group-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| subscription_id | A comma-separated list of subscription IDs. This value will override the instance param 'subscription_id'. | Optional |
| tag | The tag and value that is attached to the resource group. Input should be "Tag Name:Tag Value". | Optional |
| limit | The number of results to return. Default value is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSQL.ResourceGroup.id | String | The ID of the resource group. |
| AzureSQL.ResourceGroup.name | String | The name of the resource group. |
| AzureSQL.ResourceGroup.type | String | The type of the resource group. |
| AzureSQL.ResourceGroup.location | String | The location of the resource group. It cannot be changed after the resource group has been created. It must be one of the supported Azure locations. |
| AzureSQL.ResourceGroup.properties | String | The resource group properties. |
| AzureSQL.ResourceGroup.tags | String | The tags attached to the resource group. |

Command Example#

!azure-sql-resource-group-list tag="Name:name"

Context Example#

{
  "AzureSQL": {
    "ResourceGroup": {
      "id": "id",
      "name": "name",
      "type": "Microsoft.Resources/resourceGroups",
      "location": "location",
      "tags": {
        "Name": "name"
      },
      "properties": {
        "provisioningState": "Succeeded"
      }
    }
  }
}

Human Readable Output#

Resource Group List for subscriptionID#

| Name | Location | Tags | Provisioning State |
| --- | --- | --- | --- |
| name | location | Name: name | Succeeded |