Control: 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Description
Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.
Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.
Remediation
From Azure Console
- Go to
SQL servers. - Select a server instance.
- Select
Microsoft Defender for Cloud. - Select
Configurenext toEnablement status. - Set
Microsoft Defender for SQLtoOn. - Under
Vulnerability Assessment Settings, select a Storage Account. - Set
Periodic recurring scanstoOn. - Under
Send scan reports to, provide email addresses for data owners and stakeholders. - Click
Save.
From Powershell
If not already, Enable Advanced Data Security for a SQL Server:
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
To enable ADS-VA service and Set 'Send scan reports to'
Update-AzSqlServerVulnerabilityAssessmentSetting `-ResourceGroupName "<resource group name>"` -ServerName "<Server Name>"` -StorageAccountName "<Storage Name from same subscription and same Location" ` -ScanResultsContainerName "vulnerability-assessment" ` -RecurringScansInterval Weekly ` -EmailSubscriptionAdmins $true ` -NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
Default Value
By default, 'Send reports to' is blank.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_4_2_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_4_2_4 --shareSQL
This control uses a named query:
sql_server_va_setting_scan_reports_configured