Run this in April: UPDATE Azure SET SQLthreat_detection = ‘generally available’

Share this…

Microsoft says it will fully power up its Azure SQL Database Threat Detection service this spring.

This technology, which has been in preview mode for the past year or so, monitors for suspicious database activities, and raises the alarm if malicious access is detected. It has been two years in the making, and will enter general availability in April, we’re told.

This feature is supposed to reassure Azure subscribers that their information is protected on remote servers. Microsoft is keen to stress to businesses that it is safe to run their applications on its infrastructure. As everyone knows, running software in the cloud just means running software on someone else’s computers, and biz execs don’t like the idea of being sued if something horrible was to happen to their faraway data, especially if it was outside of their control.

These cloud migrations are going to dominate the enterprise technology world for the next twenty years, but for that time on-premises system will remain. The highest-value data remains within many companies’ own servers, and while the threat detection service will only be made generally available to cloud users, on-premises SQL Server customers may see some form of it in the future.

The Azure service will continuously monitor and profile customers’ application behavior to detect suspicious database activities and identify potential mischief, using machine learning algorithms written in R, which is now supported by SQL Server 2016 running on Azure’s back-end.


When malicious attempts to access, breach or exploit sensitive data are spotted, security officers and designated administrators get immediate notifications and will be able to view the alerts in the Azure Security Center, along with recommendations for how to mitigate the threats.

Speaking to The Register, Rohan Kumar, general manager of database systems, explained how Microsoft’s telemetry helped it inform the machine learning algorithms that have contributed to the database threat detection service.

“We get 300 billion authentication requests each month,” Kumar explained, all of which contribute to Microsoft’s intelligence security graph, which collects the signals based on access patterns “to create the graph and help us leverage hundreds of gigabytes of telemetry every second, including a lot on Azure.”

There are 1.3 billion calls to Azure Active Directory daily, and Microsoft scans more than 200 billion emails for malware and phishing attacks each month. Microsoft collects between 600 and 700TB of telemetry data on a daily basis, not all of which is collected for security purposes, but “a significant proportion” of which is used to create the models that will be used with the threat detection service.