Exam AZ-500 topic 1 question 19 discussion

A possible vulnerability to SQL Injection (SQL.VM_VulnerabilityToSqlInjection SQL.DB_VulnerabilityToSqlInjection SQL.MI_VulnerabilityToSqlInjection SQL.DW_VulnerabilityToSqlInjection) An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. ) https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse

correct

https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql

The correct answer is A. A Potential SQL injection alert is triggered. Here's why: Azure SQL Database Advanced Threat Protection (ATP) includes built-in security monitoring for detecting potential SQL injection attacks, which occur when an application generates faulty or suspicious SQL statements that could be exploited by attackers to manipulate database queries. When ATP is enabled, it actively analyzes queries and flags anomalous patterns indicative of SQL injection attempts. Option B (Vulnerability to SQL injection alert) is not correct, as this type of alert is raised when ATP detects misconfigurations or weak security settings that could make the database susceptible to SQL injection—not when an actual faulty SQL statement is executed. Option C (Access from a potentially harmful application alert) applies when an application known for malicious behavior tries to access the database. Option D (Brute force SQL credentials alert) detects repeated authentication attempts trying to guess database credentials.

this question is worded in weird way that makes you answer wrong

https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-sql-db-and-warehouse

SQL Vulnerability Assessment - Identifies misconfiguration or weak points in your database When Advanced Threat Protection (ATP) is enabled for an Azure SQL Database, it continuously monitors database activity and uses machine learning and behavioral analysis to detect potential security threats.

If an application generates a faulty SQL statement, Azure ATP might detect it as a potential SQL injection attempt, especially if the statement appears to be malformed or crafted to exploit vulnerabilities. For Option B: This alert is not triggered by an actual faulty SQL statement execution, but rather by a security assessment scan that detects misconfigured security settings that make SQL injection possible.

https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql under "Explore detection of a suspicious event"

https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql

Reference: https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql#advanced-threat-protection-alerts It literally says in red on the screenshot seen in the link "Potential exploitation of application code - vulnerability to SQL Injection was detected." So B is correct.

Answer: A, Potential SQL injection alert is triggered. Reason: Check the reference link and you'll see the system triggers a "Potential SQL injection" alert to notify administrators for this type of suspicious acitivty. Reference: https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-overview?view=azuresql#advanced-threat-protection-alerts

b correct

What kind of alerts does Microsoft Defender for SQL provide? Threat intelligence enriched security alerts are triggered when there's: Potential SQL injection attacks - including vulnerabilities detected when applications generate a faulty SQL statement in the database Anomalous database access and query patterns - for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt) Suspicious database activity - for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.

A possible vulnerability to SQL Injection: "An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection." https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-sql-db-and-warehouse

Alert: A possible vulnerability to SQL Injection Description: An application has generated a faulty SQL statement in the database. This can indicate a possible vulnerability to SQL injection attacks. There are two possible reasons for a faulty statement. A defect in application code might have constructed the faulty SQL statement. Or, application code or stored procedures didn't sanitize user input when constructing the faulty SQL statement, which can be exploited for SQL injection. ↑ B is the correct answer since a faulty SQL statement will result in a possible vulnerability alert. Alert: Potential SQL injection Description: An active exploit has occurred against an identified application vulnerable to SQL injection. This means an attacker is trying to inject malicious SQL statements by using the vulnerable application code or stored procedures. ↑ A is incorrect since a potential SQL injection alert is triggered when an active exploit is identified. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-sql-db-and-warehouse

B. Vulnerability to SQL injection – an alert is triggered when an application generates a faulty SQL statement in your SQL database Potential SQL injection - This alert is triggered when the attacker is trying to inject malicious SQL statements using the vulnerable application code or stored procedures.