Control: 4.2.4 Ensure that VA setting 'Send scan reports to' is configured for a SQL server
Description
It is recommended to configure 'Send scan reports to' with the email ids of the concerned data owners or stakeholders for critical SQL servers.
Vulnerability Assessment (VA) scan reports and alerts are sent to the email ids configured under 'Send scan reports to'. Having the right recipients configured helps reduce the time required to identify risks and take corrective measures.
Remediation
From Console
- Login to the Azure console and navigate to SQL Servers.
- For each server instance, go to the Security section in the left pane.
- Click on Security Center.
- Make sure Enable Azure Defender for SQL is On.
- Select Configure next to Azure Defender for SQL: Enabled at the server-level.
- In the VULNERABILITY ASSESSMENT SETTINGS section, select the subscription and storage account.
- Set Periodic recurring scans to ON.
- Configure email ids for the concerned stakeholders at Send scan reports to.
- Click Save.
From PowerShell
Enable Azure Defender for SQL if it is not already enabled:
Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
Enable the ADS-VA service and set Send scan reports to (the trailing backtick is the PowerShell line-continuation character):
Update-AzSqlServerVulnerabilityAssessmentSetting `
  -ResourceGroupName "<resource group name>" `
  -ServerName "<Server Name>" `
  -StorageAccountName "<Storage Name from same subscription and same Location>" `
  -ScanResultsContainerName "vulnerability-assessment" `
  -RecurringScansInterval Weekly `
  -EmailSubscriptionAdmins $true `
  -NotificationEmail @("mail1@mail.com", "mail2@mail.com")
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_4_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v140_4_2_4 --share
SQL
This control uses a named query:
sql_server_va_setting_scan_reports_configured
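The logic behind this control, written out as an added example (not the mod's own named query): each server's VA settings are evaluated for scan storage, periodic recurring scans, and a non-empty 'Send scan reports to' list. The input shape is assumed to follow the Azure ARM vulnerabilityAssessments/default resource (properties.storageContainerPath and properties.recurringScans), and the three servers are constructed samples.

```python
"""Evaluate CIS 4.2.4 ('Send scan reports to' configured) for SQL servers.

Added example, not code from the azure_compliance mod. The settings shape is
assumed to follow the ARM vulnerabilityAssessments/default resource; the
servers below are constructed samples, not real resources.
"""
from typing import Any

# Constructed sample: VA settings for three hypothetical SQL servers.
SAMPLE_SERVERS = [
    {"name": "sql-prod-01", "vulnerabilityAssessment": {"properties": {
        "storageContainerPath": "https://stvaprod.blob.core.windows.net/vulnerability-assessment",
        "recurringScans": {"isEnabled": True, "emailSubscriptionAdmins": True,
                           "emails": ["dataowner@example.com"]}}}},
    {"name": "sql-dev-01", "vulnerabilityAssessment": {"properties": {
        "storageContainerPath": "https://stvadev.blob.core.windows.net/vulnerability-assessment",
        "recurringScans": {"isEnabled": True, "emailSubscriptionAdmins": False,
                           "emails": []}}}},
    {"name": "sql-legacy-01", "vulnerabilityAssessment": None},
]


def evaluate_va_reports(server: dict[str, Any]) -> tuple[str, str]:
    """Return (status, reason) in the alarm/ok style Powerpipe controls use."""
    name = server["name"]
    va = server.get("vulnerabilityAssessment") or {}
    props = va.get("properties") or {}
    scans = props.get("recurringScans") or {}
    # No storage container means VA has never been enabled on this server.
    if not props.get("storageContainerPath"):
        return "alarm", f"{name}: VA is not enabled (no scan storage configured)."
    if not scans.get("isEnabled"):
        return "alarm", f"{name}: periodic recurring scans are OFF."
    # The control asks for explicit recipients; 'email subscription admins'
    # alone does not satisfy 'Send scan reports to'.
    emails = [e for e in (scans.get("emails") or []) if e.strip()]
    if not emails:
        return "alarm", f"{name}: 'Send scan reports to' has no recipients."
    return "ok", f"{name}: scan reports go to {len(emails)} recipient(s)."


def run_control(servers: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Evaluate every server, mirroring one row per resource in the control."""
    return [evaluate_va_reports(s) for s in servers]


if __name__ == "__main__":
    for status, reason in run_control(SAMPLE_SERVERS):
        print(f"{status:5} {reason}")
```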