Azure SQL Threat Detection Filters IP from Azure SQL Query Editor
Today we received the alert "An unfamiliar principal successfully logged on to server [SERVERNAME]" with the following details:
Client IP address: 23.96.227.***
Client IP location: Chicago, United States
Data center: North Central US
Client application: Azure SQL Query Editor
After working with an MS Support technician, it turned out that Threat Detection doesn't recognize the internal IP of a server node assigned by Azure SQL Query Editor.
This alert created huge pressure and noise while we tried to identify the origin of this connection.
It would be great if IPs from Azure internal nodes were whitelisted by Threat Detection.