SQL Server Vulnerability Assessments send scan reports to subscribed admins
Set up the azure.sql integration.
Description
Configure the "Send scan reports to" field with the email IDs of the data owners and stakeholders responsible for a critical SQL server.
Rationale
Vulnerability Assessment (VA) scan reports and alerts are sent to the email IDs configured in "Send scan reports to". Delivering the reports directly to the people who own the data shortens the time needed to identify risks and take corrective measures.
Impact
Note: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.
From the console
- Go to SQL servers
- Select a server instance
- Click on Security Center
- Ensure that Azure Defender for SQL is enabled
- Select Configure next to "Enabled at subscription-level"
- In Vulnerability Assessment Settings, configure a Storage Account
- Configure the email IDs of the concerned data owners and stakeholders in the "Send scan reports to" section
- Click Save
Using PowerShell
If not already enabled, enable Advanced Data Security for the SQL server:

    Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

To enable the ADS-VA service and set "Send scan reports to" (the storage account must be in the same subscription and location as the server; the cmdlet's admin-notification parameter is -EmailAdmins):

    Update-AzSqlServerVulnerabilityAssessmentSetting `
        -ResourceGroupName "<resource group name>" `
        -ServerName "<server name>" `
        -StorageAccountName "<storage account name from the same subscription and location>" `
        -ScanResultsContainerName "vulnerability-assessment" `
        -RecurringScansInterval Weekly `
        -EmailAdmins $true `
        -NotificationEmail @("mail1@mail.com", "mail2@mail.com")
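The console and PowerShell steps above remediate one server at a time. The following audit script is an added example, not part of the original page or of Microsoft's own tooling: it walks every SQL server in the current subscription and reports which ones do not yet send VA scan reports to an explicit recipient. It assumes the Az.Accounts and Az.Sql modules are installed and that Connect-AzAccount / Set-AzContext have already selected the subscription; the function name, the output fields and the assumption that Get-AzSqlServerVulnerabilityAssessmentSetting fails on a server where Advanced Data Security was never enabled are this example's own.

```powershell
# Added audit example (not from the original page). Assumes Az.Accounts and
# Az.Sql are installed and Connect-AzAccount / Set-AzContext have already
# selected the subscription to check. The function name and output fields are
# this example's own choices.
function Get-SqlVaReportRecipientStatus {
    [CmdletBinding()]
    param(
        # Optional: restrict the audit to one resource group.
        [string]$ResourceGroupName
    )

    $servers = if ($ResourceGroupName) {
        Get-AzSqlServer -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzSqlServer
    }

    foreach ($server in $servers) {
        $va = $null
        try {
            $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                -ResourceGroupName $server.ResourceGroupName `
                -ServerName $server.ServerName `
                -ErrorAction Stop
        } catch {
            # Assumption: the cmdlet fails when Advanced Data Security /
            # Azure Defender for SQL has never been enabled on the server.
            Write-Verbose "$($server.ServerName): $($_.Exception.Message)"
        }

        # Recipients are the explicit addresses in NotificationEmail; EmailAdmins
        # only covers subscription admins. A blank StorageAccountName means the
        # VA service itself has not been set up.
        $recipients = @()
        if ($va -and $va.NotificationEmail) {
            $recipients = @($va.NotificationEmail | Where-Object { $_ -match '@' })
        }
        $emailAdmins  = [bool]($va -and $va.EmailAdmins)
        $vaConfigured = [bool]($va -and $va.StorageAccountName)

        [pscustomobject]@{
            ResourceGroupName = $server.ResourceGroupName
            ServerName        = $server.ServerName
            VaConfigured      = $vaConfigured
            EmailAdmins       = $emailAdmins
            Recipients        = ($recipients -join ';')
            # Compliant with this recommendation only when VA is configured and
            # at least one explicit data-owner / stakeholder address is set.
            Compliant         = ($vaConfigured -and $recipients.Count -gt 0)
        }
    }
}

# Usage: list the servers that still need remediation.
Get-SqlVaReportRecipientStatus |
    Where-Object { -not $_.Compliant } |
    Format-Table ResourceGroupName, ServerName, VaConfigured, EmailAdmins, Recipients -AutoSize
```

The script treats EmailAdmins alone as non-compliant on purpose: the recommendation is about reaching the data owners and stakeholders of a specific server, and subscription administrators are rarely that audience. Run it with -Verbose to see which servers failed the VA settings lookup, since those are usually the ones where Azure Defender for SQL was never enabled rather than servers with a genuine API error.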
References
- https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
- https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver
- https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
- https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments
CIS Controls
Version 7 3.1 - Run Automated Vulnerability Scanning Tools - Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.