lacework-global-625
Configure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server (Automated)
Profile Applicability
• Level 2
Description
Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for critical SQL servers.
Rationale
Vulnerability Assessment (VA) scan reports and alerts will be sent to email ids configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.
Impact
Enabling the Microsoft Defender for SQL
features will incur additional costs for each SQL server.
Audit
From Azure Portal
- Go to
SQL servers
- Select a server instance
- Click on
Security Center
- Ensure that
Microsoft Defender for SQL
is set toEnabled
- Select
Configure
next toEnabled at subscription-level
- In Section
Vulnerability Assessment Settings
, EnsureStorage Accounts
is Configured. - In Section
Vulnerability Assessment Settings
, EnsureSend scan reports to
is not empty.
From Azure Powershell
Get the list of all SQL Servers
Get-AZSqlServer
For each Server
Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName <resource group name> -ServerName <server name>
Ensure that value for parameter NotificationEmail
is not blank/empty {}.
Sample Output:
ResourceGroupName : ResourceGroup01
ServerName : Server01
StorageAccountName : mystorage
ScanResultsContainerName : vulnerability-assessment
RecurringScansInterval : weekly
EmailSubscriptionAdmins : False
NotificationEmail : {}
Remediation
From Azure Portal
- Go to SQL servers.
- Select a server instance.
- Select Microsoft Defender for Cloud.
- Select Configure next to Enablement status.
- Set Microsoft Defender for SQL to On.
- Under Vulnerability Assessment Settings, select a Storage Account.
- Set Periodic recurring scans to On.
- Under Send scan reports to, provide email addresses for data owners and stakeholders.
- Click Save.
From Azure Powershell
If not already, Enable Advanced Data Security for a SQL Server:
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
To enable ADS-VA service and Set 'Send scan reports to':
Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName "<resource group name>" -ServerName "<Server Name>" -StorageAccountName "<Storage Name from same subscription and same Location" -ScanResultsContainerName "vulnerability-assessment" -RecurringScansInterval Weekly -EmailSubscriptionAdmins $true -NotificationEmail @("mail1@mail.com","mail2@mail.com")
References
https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver
https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments