# Security Monitoring
## Overview
This guide covers security monitoring approaches for Azure Synapse Analytics, including threat detection, audit logging, and compliance monitoring.
## 🛡️ Security Monitoring Framework
Implement comprehensive security monitoring to detect and respond to security threats in your Azure Synapse Analytics environment.
- 👁️ **Threat Detection** - Monitor for suspicious activities and security threats
- 📄 **Audit Logging** - Track and analyze user and service activities
- ⚠️ **Security Alerting** - Configure proactive alerts for security events
- ✅ **Compliance Monitoring** - Track compliance with security standards
## Threat Detection

**Security Alert:** Enable Advanced Threat Protection for all Synapse SQL pools to detect anomalous database activities.
Azure Synapse Analytics integrates with Azure Defender for SQL and Azure Security Center to provide threat detection capabilities:
- SQL Injection Detection - Identifies attempts to exploit vulnerabilities
- Access from Unusual Locations - Detects logins from unusual IP addresses
- Unusual Application Sign-ins - Identifies suspicious authentication patterns
- Brute Force Attempts - Detects repeated failed authentication attempts
- Data Exfiltration - Identifies suspicious large data extraction operations
```json
{
  "name": "default",
  "type": "Microsoft.Sql/servers/securityAlertPolicies",
  "properties": {
    "state": "Enabled",
    "disabledAlerts": [],
    "emailAddresses": ["security@contoso.com"],
    "emailAccountAdmins": true,
    "retentionDays": 90
  }
}
```
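A drift check that reports workspaces whose Advanced Threat Protection settings fall short of the policy above (added example, not code from the page; it assumes the Az.Synapse module with `Get-AzSynapseWorkspace` and `Get-AzSynapseSqlAdvancedThreatProtectionSetting`, an authenticated `Connect-AzAccount` session, and the output property names as documented for that module, which should be confirmed against the installed version):

```powershell
# Added example: flag Synapse workspaces whose SQL Advanced Threat Protection setting
# drifts from the alert policy (enabled, no excluded detections, admins + security
# mailbox notified, 90-day retention). Property names are assumed from Az.Synapse docs.
function Test-SynapseThreatProtectionPolicy {
    param(
        [string[]]$RequiredEmails = @("security@contoso.com"),
        [int]$MinRetentionDays = 90
    )
    foreach ($ws in Get-AzSynapseWorkspace) {
        $atp = Get-AzSynapseSqlAdvancedThreatProtectionSetting `
                   -ResourceGroupName $ws.ResourceGroupName -WorkspaceName $ws.Name
        $findings = @()
        if ($atp.ThreatDetectionState -ne "Enabled") {
            $findings += "threat detection disabled"
        }
        if ($atp.ExcludedDetectionTypes.Count -gt 0) {
            # Any excluded type silently blinds the policy to that alert category
            $findings += "detection types excluded: $($atp.ExcludedDetectionTypes -join ',')"
        }
        if (-not $atp.EmailAdmins) {
            $findings += "account admins not notified"
        }
        # Recipients may come back as one ';'-separated string or as an array; normalise both
        $emails = "$($atp.NotificationRecipientsEmails)" -split '[;,\s]+' | Where-Object { $_ }
        $missing = $RequiredEmails | Where-Object { $emails -notcontains $_ }
        if ($missing) {
            $findings += "missing recipients: $($missing -join ',')"
        }
        if ($atp.RetentionInDays -lt $MinRetentionDays) {
            $findings += "retention $($atp.RetentionInDays) days < $MinRetentionDays days"
        }
        [pscustomobject]@{
            Workspace     = $ws.Name
            ResourceGroup = $ws.ResourceGroupName
            Compliant     = ($findings.Count -eq 0)
            Findings      = ($findings -join "; ")
        }
    }
}

# Show only the workspaces that need remediation
Test-SynapseThreatProtectionPolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```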
## Audit Logging

Configure comprehensive audit logging for Azure Synapse Analytics:
| Log Category | Description | Retention |
|---|---|---|
| SQL Security Audit Logs | Authentication events, permission changes, data access | 90 days |
| Management Activities | Resource creation, modification, deletion | 90 days |
| Data Plane Activities | Data access and modifications | 30 days |
| Spark Job Executions | Spark job submissions and activities | 30 days |
| Pipeline Executions | Pipeline triggers and activities | 30 days |
**Audit Log Configuration**

```powershell
# Enable diagnostic settings for the Synapse workspace (Az.Monitor 3.0+ cmdlets)
$workspace = "mysynapseworkspace"
$resourceGroup = "myresourcegroup"
$logAnalytics = "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
$resourceId = "/subscriptions/<id>/resourceGroups/$resourceGroup/providers/Microsoft.Synapse/workspaces/$workspace"

# Enable every log category the workspace exposes; each category becomes a log settings object
$logs = Get-AzDiagnosticSettingCategory -ResourceId $resourceId |
    Where-Object { $_.CategoryType -eq "Logs" } |
    ForEach-Object {
        # The retention policy only applies to storage-account destinations; for a
        # Log Analytics destination, retention is governed by the workspace's data retention setting
        New-AzDiagnosticSettingLogSettingsObject -Category $_.Name -Enabled $true `
            -RetentionPolicyDay 90 -RetentionPolicyEnabled $true
    }

# Apply the diagnostic setting, sending all categories to Log Analytics
New-AzDiagnosticSetting -Name "SecurityMonitoring" `
    -ResourceId $resourceId `
    -WorkspaceId $logAnalytics `
    -Log $logs
```
## Security Alerting
Implement these security alert categories for Azure Synapse Analytics:
- Authentication Failures - Multiple failed login attempts
- Permission Changes - Additions to high-privilege roles
- Firewall Changes - Modifications to firewall rules
- Suspicious Query Patterns - Potential data exfiltration attempts
- Configuration Changes - Critical security setting modifications
**Best Practice:** Integrate security alerts with your incident management system using Azure Logic Apps or Azure Functions.
```kusto
// Example KQL query for detecting suspicious authentication patterns
let timeframe = 1h;
SigninLogs
| where TimeGenerated > ago(timeframe)
| where ResourceDisplayName contains "synapse"
| where ResultType == "50126" // Password mismatch
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress, AppDisplayName
| where FailedAttempts > 5
| extend Timestamp = now()
| extend SourceSystem = "Azure AD"
| extend AlertType = "Brute Force Attempt"
| extend AlertSeverity = "High"
```
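The query above covers the Authentication Failures category; the following added example (not code from the page) covers the Permission Changes and Firewall Changes categories from the activity log and hands each hit to the incident-management endpoint the Best Practice note describes. It assumes the Az.OperationalInsights module (`Invoke-AzOperationalInsightsQuery`), an authenticated session, that the subscription's activity log is routed to the Log Analytics workspace (the `AzureActivity` table), and placeholder values for the workspace ID and webhook URL.

```powershell
# Added example: pull Synapse firewall-rule and role-assignment changes from AzureActivity
# and emit alert records in the same shape as the sign-in query (Timestamp, SourceSystem,
# AlertType, AlertSeverity). Workspace ID and webhook URL are placeholders.
$logAnalyticsWorkspaceId = "<log-analytics-workspace-customer-id>"
$incidentWebhook = "<incident-management-webhook-url>"   # Logic App / Function trigger

# KQL: successful privileged configuration changes on Synapse workspaces in the last hour
$query = @'
let lookback = 1h;
AzureActivity
| where TimeGenerated > ago(lookback)
| where ActivityStatusValue =~ "Success"
| where _ResourceId contains "/providers/Microsoft.Synapse/workspaces/"
| where OperationNameValue in~ (
    "Microsoft.Synapse/workspaces/firewallRules/write",
    "Microsoft.Synapse/workspaces/firewallRules/delete",
    "Microsoft.Authorization/roleAssignments/write")
| extend AlertType = iff(OperationNameValue has "firewallRules", "Firewall Change", "Permission Change")
| project TimeGenerated, AlertType, Caller, CallerIpAddress, OperationNameValue, _ResourceId
'@

function Get-SynapseConfigChangeAlert {
    param([string]$WorkspaceId, [string]$Kql)
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql
    foreach ($row in $result.Results) {
        # Severity mapping is a constructed default; tune it to your own triage rules
        $severity = if ($row.AlertType -eq "Permission Change") { "High" } else { "Medium" }
        [pscustomobject]@{
            Timestamp     = $row.TimeGenerated
            SourceSystem  = "Azure Activity Log"
            AlertType     = $row.AlertType
            AlertSeverity = $severity
            Actor         = $row.Caller
            SourceIp      = $row.CallerIpAddress
            Operation     = $row.OperationNameValue
            Resource      = $row._ResourceId
        }
    }
}

# One POST per change so the incident system can deduplicate and assign each on its own
Get-SynapseConfigChangeAlert -WorkspaceId $logAnalyticsWorkspaceId -Kql $query |
    ForEach-Object {
        Invoke-RestMethod -Method Post -Uri $incidentWebhook `
            -ContentType "application/json" -Body ($_ | ConvertTo-Json)
    }
```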
## Compliance Monitoring
Track and report on compliance with key security standards:
| Standard | Monitoring Approach | Reporting Frequency |
|---|---|---|
| GDPR | Data access logs, data classification | Monthly |
| HIPAA | PHI access audit, encryption verification | Weekly |
| PCI DSS | Cardholder data access, network isolation | Daily |
| SOC 2 | Access controls, change management | Quarterly |
| ISO 27001 | Risk assessments, security controls | Monthly |
Create compliance dashboards using Azure Monitor workbooks that provide:
- Real-time compliance status visualization
- Historical compliance trends
- Remediation recommendations
- Compliance evidence collection
- Automated reporting for audits
## Integration with Azure Purview

**Integration Point:** Azure Purview enhances security monitoring through data governance and classification capabilities.
Leverage Azure Purview (Microsoft Purview) integration with Synapse Analytics for:
- Automated Data Classification - Identify and tag sensitive data
- Lineage Tracking - Monitor how sensitive data moves through pipelines
- Access Reviews - Regularly validate access permissions
- Policy Enforcement - Apply consistent security policies
- Compliance Reporting - Generate compliance reports for audits