This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi all,
we have a strange issue with Defender for SQL on a SQL-Server in Azure.
All findings on DBs are flagged as "Not applicable" whether with the new express mode or with the old way.
On the VAxxxx itself all the DBs from this SQL-Server are listed unter Dismissed databases.
We do not find any exemption rules or other which would create this behavior.
With the old method we can download also the report and in fact the findings are OK - but they are exempted.
Using a graph query we can see that there is an Exempt from the parent - but like i said - we simply cannot identify from where the exempt does come from
To add:
It worked once without problems - we then moved the entire Subscription to a new Tenant.
After that it has this strange behavior.
Is there a way to reforce this?
Thanks
Hi, @Benjamin Graus Welcome to the Microsoft Q&A forum, Thanks for posting your question.
Currently, I am checking with the internal team and will provide you with more details on the above issue.
Regards
Geetha
Hey @Benjamin Graus
Is Microsoft Defender for Cloud enabled across your new subscription, MDC has to be specifically enabled for each subscription you want it to perform an assessment across and are you paying for MDC protection for SQL databases as there is a cost element involved
Regards
Bill
Hi,
yes of course. Defender for Cloud is enabled. We tried it at subscription level and also server level.
Keep in mind that the vulnerability assessment works fine f.e. on a new deployed SQL-Server + DB in the same ResourceGroup. Also on other DBs from other existing servers in different RG.
Only the existing one, where we used Vulnerability Assessment already prior the move to a new AD-Tenant has this strange behavior.
We tried also to switching back to the classic method of Defender for SQL but with the same result.
The Assessments are skipped / not applicable. But we are unable to find the exemption.
Regards,
Ben
Did you find anything when looking at the exemption configs for “SQL databases should have vulnerability findings resolved”?
Note that the scan export supported in classic configuration does not take into effect exemptions or disabled rules.
Express configuration doesn’t support the export ability at the moment – but all the data should be available in ARG with the correct status, as you’ve queried in your example.
Regards
Geetha
Hi Geetha,
Unfortunately not.
The sql-server is listed under the "healthy resources" but all VAs are Not Applicable
Maybe it's worth to set an excemption rule - wait - and remove it again?
I simply can find the trigger from where this excemption rule is coming from.
First a thought it was the ResourceGroup itself - but after I created a new SQL and turned on Defender it worked on the new DB in the same RG.
Thank You
@Benjamin Graus we need to understand why the status is “Not Applicable”. can send an email to azcommunity@microsoft.com with the details.
Don't forget to mention in the subject line ATTN: Geetha
If you find a "solution" I am interested too, as we experience the same issue now. Defender is enabled, but all rules are "not applicable". Last week the rules were checked w/o issue and we did not change any settings by ourself.