Updating Threat Detection types

Author: yaakoviyun

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/ThreatDetectionTests.ps1

@@ -57,35 +57,31 @@ function Test-ThreatDetectionDatabaseUpdatePolicy
 	{
 		# Test
         Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -StorageAccountName $params.storageAccount
-        Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -NotificationRecipientsEmails "[email protected];[email protected]" -EmailAdmins $false -ExcludedDetectionType "Successful_SQLi", "Attempted_SQLi"
+        Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -NotificationRecipientsEmails "[email protected];[email protected]" -EmailAdmins $false -ExcludedDetectionType "Sql_Injection", "Sql_Injection_Vulnerability"
         $policy = Get-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
 
 		# Assert
 		Assert-AreEqual $policy.ThreatDetectionState "Enabled"
 		Assert-AreEqual $policy.NotificationRecipientsEmails "[email protected];[email protected]"
         Assert-False {$policy.EmailAdmins}
         Assert-AreEqual $policy.ExcludedDetectionTypes.Length 2
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Successful_SQLi)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Attempted_SQLi)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Sql_Injection)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Sql_Injection_Vulnerability)}
 
 
         # Test
-        Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -ExcludedDetectionType "Successful_SQLi", "Attempted_SQLi", "Client_GEO_Anomaly", "Failed_Logins_Anomaly", "Failed_Queries_Anomaly", "Data_Extraction_Anomaly", "Data_Alteration_Anomaly"
+        Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -ExcludedDetectionType "Sql_Injection", "Sql_Injection_Vulnerability", "Access_Anomaly", "Usage_Anomaly"
         $policy = Get-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
 
 		# Assert
 		Assert-AreEqual $policy.ThreatDetectionState "Enabled"
 		Assert-AreEqual $policy.NotificationRecipientsEmails "[email protected];[email protected]"
         Assert-False {$policy.EmailAdmins}
         Assert-AreEqual $policy.ExcludedDetectionTypes.Length 7
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Successful_SQLi)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Attempted_SQLi)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Client_GEO_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Failed_Logins_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Failed_Queries_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Data_Extraction_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Data_Alteration_Anomaly)}
-
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Sql_Injection)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Sql_Injection_Vulnerability)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Access_Anomaly)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Usage_Anomaly)}
 
         # Test
 		Remove-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
@@ -96,13 +92,20 @@ function Test-ThreatDetectionDatabaseUpdatePolicy
 		Assert-AreEqual $policy.NotificationRecipientsEmails "[email protected];[email protected]"
         Assert-False {$policy.EmailAdmins}
         Assert-AreEqual $policy.ExcludedDetectionTypes.Length 7
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Successful_SQLi)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Attempted_SQLi)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Client_GEO_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Failed_Logins_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Failed_Queries_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Data_Extraction_Anomaly)}
-		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Data_Alteration_Anomaly)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Sql_Injection)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Sql_Injection_Vulnerability)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Access_Anomaly)}
+		Assert-True {$policy.ExcludedDetectionTypes.Contains([Microsoft.Azure.Commands.Sql.ThreatDetection.Model.DetectionType]::Usage_Anomaly)}
+	
+	    # Test
+        Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -ExcludedDetectionType "None"
+        $policy = Get-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName
+	
+		# Assert
+		Assert-AreEqual $policy.ThreatDetectionState "Enabled"
+		Assert-AreEqual $policy.NotificationRecipientsEmails "[email protected];[email protected]"
+        Assert-False {$policy.EmailAdmins}
+        Assert-AreEqual $policy.ExcludedDetectionTypes.Length 0	
 	}
 	finally
 	{
@@ -183,6 +186,9 @@ function Test-InvalidArgumentsThreatDetection
          #  Check that EmailAdmins is not False and NotificationRecipientsEmails is not empty 
          Assert-Throws {Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -EmailAdmins $false} 
          Assert-Throws {Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -EmailAdmins $false -NotificationRecipientsEmails ""} 
+
+         #  Check that ExcludedDetectionType doesn't hold None and any other type 
+         Assert-Throws {Set-AzureRmSqlDatabaseThreatDetectionPolicy -ResourceGroupName $params.rgname -ServerName $params.serverName -DatabaseName $params.databaseName -EmailAdmins $true -ExcludedDetectionType "None", "Sql_Injection_Vulnerability" } 
 	}
 	finally
 	{

src/ResourceManager/Sql/Commands.Sql/Common/SecurityConstants.cs

@@ -60,24 +60,18 @@ public class SecurityConstants
         public const string Disabled = "Disabled";
 
         // Threat Detection disabled types:
-        public const string Successful_SQLi = "Successful_SQLi";
-        public const string Attempted_SQLi = "Attempted_SQLi";
-        public const string Client_GEO_Anomaly = "Client_GEO_Anomaly";
-        public const string Failed_Logins_Anomaly = "Failed_Logins_Anomaly";
-        public const string Failed_Queries_Anomaly = "Failed_Queries_Anomaly";
-        public const string Data_Extraction_Anomaly = "Data_Extraction_Anomaly";
-        public const string Data_Alteration_Anomaly = "Data_Alteration_Anomaly";
+        public const string Sql_Injection = "Sql_Injection";
+        public const string Sql_Injection_Vulnerability = "Sql_Injection_Vulnerability";
+        public const string Access_Anomaly = "Client_GEO_Anomaly";
+        public const string Usage_Anomaly = "Usage_Anomaly";
 
         public static readonly Dictionary<string, DetectionType> ExcludedDetectionToExcludedDetectionTypes = new Dictionary
             <string, DetectionType>
         {
-            {Successful_SQLi, DetectionType.Successful_SQLi},
-            {Attempted_SQLi, DetectionType.Attempted_SQLi},
-            {Client_GEO_Anomaly, DetectionType.Client_GEO_Anomaly},
-            {Failed_Logins_Anomaly, DetectionType.Failed_Logins_Anomaly},
-            {Failed_Queries_Anomaly, DetectionType.Failed_Queries_Anomaly},
-            {Data_Extraction_Anomaly, DetectionType.Data_Extraction_Anomaly},
-            {Data_Alteration_Anomaly, DetectionType.Data_Alteration_Anomaly},
+            {Sql_Injection, DetectionType.Sql_Injection},
+            {Sql_Injection_Vulnerability, DetectionType.Sql_Injection_Vulnerability},
+            {Access_Anomaly, DetectionType.Access_Anomaly},
+            {Usage_Anomaly, DetectionType.Usage_Anomaly}
         };
 
         // Masking functions

src/ResourceManager/Sql/Commands.Sql/Properties/Resources.Designer.cs

@@ -273,4 +273,7 @@
   <data name="AuditingIsTurnedOff" xml:space="preserve">
     <value>In order to enable Threat Detection, please enable database auditing.</value>
   </data>
+  <data name="InvalidExcludedDetectionTypeSet" xml:space="preserve">
+    <value>Cannot use the '{0}' option with other excluded detection types.</value>
+  </data>
 </root>

src/ResourceManager/Sql/Commands.Sql/Properties/Resources.resx

@@ -78,14 +78,41 @@ internal static string[] ProcessAuditEvents(string[] eventTypes)
             {
                 if (eventTypes.Contains(SecurityConstants.All))
                 {
-                    throw new Exception(string.Format(Microsoft.Azure.Commands.Sql.Properties.Resources.InvalidEventTypeSet, SecurityConstants.All));
+                    throw new Exception(string.Format(Properties.Resources.InvalidEventTypeSet, SecurityConstants.All));
                 }
                 if (eventTypes.Contains(SecurityConstants.None))
                 {
-                    throw new Exception(string.Format(Microsoft.Azure.Commands.Sql.Properties.Resources.InvalidEventTypeSet, SecurityConstants.None));
+                    throw new Exception(string.Format(Properties.Resources.InvalidEventTypeSet, SecurityConstants.None));
                 }
             }
             return eventTypes;
-        }        
+        } 
+ 
+        /// <summary>
+        /// In cases where the user decided to use the shortcut NONE, this method sets the value of the ExcludedDetectionType property to reflect the correct values.
+        /// </summary>
+        internal static string[] ProcessExcludedDetectionTypes(string[] excludedDetectionTypes)
+        {
+            if (excludedDetectionTypes == null || excludedDetectionTypes.Length == 0)
+            {
+                return excludedDetectionTypes;
+            }
+
+            if (excludedDetectionTypes.Length == 1)
+            {
+                if (excludedDetectionTypes[0] == SecurityConstants.None)
+                {
+                    return new string[] { };
+                }
+            }
+            else
+            {
+                if (excludedDetectionTypes.Contains(SecurityConstants.None))
+                {
+                    throw new Exception(string.Format(Properties.Resources.InvalidExcludedDetectionTypeSet, SecurityConstants.None));
+                }
+            }
+            return excludedDetectionTypes;
+        } 
     }
 }

src/ResourceManager/Sql/Commands.Sql/Services/Util.cs

@@ -17,6 +17,7 @@
 using System.Management.Automation;
 using System.Text.RegularExpressions;
 using Microsoft.Azure.Commands.Sql.Common;
+using Microsoft.Azure.Commands.Sql.Services;
 using Microsoft.Azure.Commands.Sql.ThreatDetection.Model;
 
 namespace Microsoft.Azure.Commands.Sql.ThreatDetection.Cmdlet
@@ -50,7 +51,9 @@ public class SetAzureSqlDatabaseThreatDetection : SqlDatabaseThreatDetectionCmdl
         /// Gets or sets the names of the detection types to filter.
         /// </summary>
         [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = "Detection types to exclude")]
-        [ValidateSet(SecurityConstants.Successful_SQLi, SecurityConstants.Attempted_SQLi, SecurityConstants.Client_GEO_Anomaly, SecurityConstants.Failed_Logins_Anomaly, SecurityConstants.Failed_Queries_Anomaly, SecurityConstants.Data_Extraction_Anomaly, SecurityConstants.Data_Alteration_Anomaly, IgnoreCase = false)]
+        [ValidateSet(SecurityConstants.Sql_Injection,
+            SecurityConstants.Sql_Injection_Vulnerability, SecurityConstants.Access_Anomaly,
+            SecurityConstants.Usage_Anomaly, SecurityConstants.None, IgnoreCase = false)]
         public string[] ExcludedDetectionType { get; set; }
 
         /// <summary>
@@ -79,6 +82,8 @@ protected override DatabaseThreatDetectionPolicyModel ApplyUserInputToModel(Data
                 model.EmailAdmins = (bool)EmailAdmins;
             }
 
+            ExcludedDetectionType = Util.ProcessExcludedDetectionTypes(ExcludedDetectionType);
+
             if (ExcludedDetectionType != null)
             {
                 model.ExcludedDetectionTypes = ExcludedDetectionType.Select(s => SecurityConstants.ExcludedDetectionToExcludedDetectionTypes[s]).ToArray();

src/ResourceManager/Sql/Commands.Sql/ThreatDetection/Cmdlet/SetAzureSqlDatabaseThreatDetection.cs

@@ -13,7 +13,6 @@
 // ----------------------------------------------------------------------------------
 
 using Microsoft.Azure.Commands.Sql.Common;
-using Microsoft.Azure.Commands.Sql.Auditing.Services;
 using Microsoft.Azure.Commands.Sql.ThreatDetection.Model;
 using Microsoft.Azure.Commands.Sql.ThreatDetection.Services;
 using Microsoft.Azure.Common.Authentication.Models;

src/ResourceManager/Sql/Commands.Sql/ThreatDetection/Cmdlet/SqlDatabaseThreatDetectionCmdletBase.cs

@@ -24,13 +24,10 @@ public enum ThreatDetectionStateType { Enabled, Disabled, New };
     /// </summary> 
     public enum DetectionType
     {
-        Successful_SQLi,
-        Attempted_SQLi,
-        Client_GEO_Anomaly,
-        Failed_Logins_Anomaly,
-        Failed_Queries_Anomaly,
-        Data_Extraction_Anomaly,
-        Data_Alteration_Anomaly
+        Sql_Injection,
+        Sql_Injection_Vulnerability,
+        Access_Anomaly,
+        Usage_Anomaly,
     };
 
     /// <summary>