Control: 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server
Description
It is recommended to configure Send scan reports to with email ids of concerned data owners or stakeholders for a critical SQL servers.
Vulnerability Assessment (VA) scan reports and alerts will be sent to email ids configured at Send scan reports to. This may help in reducing time required for identifying risks and taking corrective measures.
Remediation
From Console
- Login to Azure console and navigate to SQL Servers.
- For each server instance, go to Security section from left pane.
- Click on
Security Center
. - Make sure
Enable Azure Defender for SQL
isOn
. - Select
Configure
next to Azure Defender for SQL: Enabled at the server-level. - In section
VULNERABILITY ASSESSMENT SETTINGS
, select subscription and storage account. - Set
Periodic recurring scans
to ON. - Configure email ids for concerned stakeholders at
Send scan reports to
. - Click Save.
From PowerShell
Enable Azure Defender for a SQL if not enabled
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
Enable ADS-VA service and set Send scan reports to
Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName "<resource group name>"`-ServerName "<Server Name>"`-StorageAccountName "<Storage Name from same subscription and same Location" `-ScanResultsContainerName "vulnerability-assessment" `-RecurringScansInterval Weekly `-EmailSubscriptionAdmins $true `-NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_4_2_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_4_2_4 --share
SQL
This control uses a named query:
sql_server_va_setting_scan_reports_configured