Control: 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
Description
Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.
VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.
Remediation
From Azure Console
- Go to
SQL servers
. - Select a server instance.
- Click on
Security Center
. - Select
Configure
next toEnabled at subscription-level
. - In Section
Vulnerability Assessment Settings
, configureStorage Accounts
if not already. - Check/enable 'Also send email notifications to admins and subscription owners'.
- Click
Save
.
From Powershell
If not already, Enable Advanced Data Security
for a SQL Server:
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
To enable ADS-VA service and Set 'Also send email notifications to admins and subscription owners'
Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName "<resource group name>"` -ServerName "<Server Name>"` -StorageAccountName "<Storage Name from same subscription and same Location" ` -ScanResultsContainerName "vulnerability-assessment" ` -RecurringScansInterval Weekly ` -EmailSubscriptionAdmins $true ` -NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
Default Value
By default, 'Also send email notifications to admins and subscription owners' is enabled.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_4_2_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_4_2_5 --share
SQL
This control uses a named query:
sql_server_va_setting_reports_notify_admins