Answer: Microsoft Defender for SQL

## Analysis of Options ### **D. Microsoft Defender for SQL** - **CORRECT** Microsoft Defender for SQL is the optimal solution for auditing SQL statements that affect sensitive data with minimal administrative effort because: - **Built-in Auditing Capabilities**: Microsoft Defender for SQL provides comprehensive SQL auditing features that automatically track and log all SQL statements executed against the database, including those affecting sensitive data. - **Advanced Threat Protection**: It includes advanced security monitoring that can detect and alert on suspicious activities involving sensitive data, providing both auditing and security insights. - **Minimal Administrative Overhead**: Once enabled, Microsoft Defender for SQL operates automatically with continuous monitoring, requiring minimal ongoing administrative effort for monthly audits. - **Integration with Azure Services**: Audit logs can be automatically exported to Azure Storage, Log Analytics, or Event Hubs, facilitating easy monthly review and analysis. - **Comprehensive Coverage**: It provides a complete auditing solution that captures the full context of SQL operations, including user identities, timestamps, and the actual SQL statements executed. ### **B. Sensitivity Labels** - **INCORRECT** While sensitivity labels are valuable for data classification and protection, they do not provide auditing capabilities: - Sensitivity labels help classify and tag sensitive data but do not track or log SQL statements that access or modify this data. - They are primarily for data classification and access control, not for auditing SQL query execution. ### **C. Dynamic Data Masking** - **INCORRECT** Dynamic data masking focuses on data protection rather than auditing: - It obfuscates sensitive data in query results but does not audit or log the SQL statements themselves. - The primary purpose is to prevent unauthorized viewing of sensitive data, not to track database operations. ### **A. Workload Management** - **INCORRECT** Workload management is unrelated to auditing sensitive data access: - It manages query performance, resource allocation, and concurrency but provides no auditing capabilities. - Focuses on optimizing database performance rather than security monitoring or compliance auditing. ## Conclusion Microsoft Defender for SQL is specifically designed to address the requirement of auditing SQL statements affecting sensitive data with minimal administrative overhead. Its automated monitoring, comprehensive logging, and integration with Azure's security ecosystem make it the most appropriate solution for monthly compliance audits.