Manage vulnerability findings in your Azure SQL databases
Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.
Prerequisites
Make sure that you know whether you're using the express or classic configurations before you continue.
To see which configuration you're using:
- In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.
- Under the Security heading, select Defender for Cloud.
- In the Enablement Status, select Configure to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.
If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. If not, you're using the express configuration.
View scan history
Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database.
Express configuration doesn't store scan results if they're identical to previous scans. The scan time shown in the scan history is the time of the last scan where the scan results changed.
Disable specific findings from Microsoft Defender for Cloud (preview)
If you have an organizational need to ignore a finding rather than remediate it, you can disable the finding. Disabled findings don't impact your secure score or generate unwanted noise. You can see the disabled finding in the "Not applicable" section of the scan results.
When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios may include:
- Disable findings with medium or lower severity
- Disable findings that are non-patchable
- Disable findings from benchmarks that aren't of interest for a defined scope
Important
To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.
To create a rule:
- From the recommendations detail page for Vulnerability assessment findings on your SQL servers on machines should be remediated, select Disable rule.
- Select the relevant scope.
- Define your criteria. You can use any of the following criteria:
  - Finding ID
  - Severity
  - Benchmarks
- Select Apply rule. Changes might take up to 24 hours to take effect.
To view, override, or delete a rule:
- Select Disable rule.
- From the scope list, subscriptions with active rules show as Rule applied.
- To view or delete the rule, select the ellipsis menu ("...").
Configure email notifications using Azure Logic Apps
To receive regular updates of the vulnerability assessment status for your database, you can use the customizable Azure Logic Apps template.
Using the template will allow you to:
- Choose the timing of the email reports.
- Have a consistent view of your vulnerability assessment status that includes disabled rules.
- Send reports for Azure SQL Servers and SQL VMs.
- Customize report structure and look-and-feel to match your organizational standards.
Manage vulnerability assessments programmatically
The express configuration is supported in the latest REST API version with the following functionality:
Using Azure Resource Manager templates
Use the following ARM template to create a new Azure SQL logical server with express configuration for SQL vulnerability assessment.
To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines type. Make sure that vulnerabilityAssessments is enabled before you add baselines.
Here are several examples of how you can set up baselines using ARM templates:
Set up a batch baseline based on the latest scan results:
{
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
  "apiVersion": "2022-02-01-preview",
  "name": "[concat(parameters('serverName'),'/', parameters('databaseName') , '/default/default')]",
  "properties": {
    "latestScan": true
  }
}
Set up a batch baseline based on specific results:
{
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
  "apiVersion": "2022-02-01-preview",
  "name": "[concat(parameters('serverName'),'/', parameters('databaseName') , '/default/default')]",
  "properties": {
    "latestScan": false,
    "results": {
      "VA2065": [
        [ "FirewallRuleName3", "62.92.15.67", "62.92.15.67" ],
        [ "FirewallRuleName4", "62.92.15.68", "62.92.15.68" ]
      ],
      "VA2130": [
        [ "dbo" ]
      ]
    }
  }
}
Set up a baseline for a specific rule:
{
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/rules",
  "apiVersion": "2022-02-01-preview",
  "name": "[concat(parameters('serverName'),'/', parameters('databaseName') , '/default/default/VA1143')]",
  "properties": {
    "latestScan": false,
    "results": [
      [ "True" ]
    ]
  }
}
Set up batch baselines on the master database based on the latest scan results:
{
  "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
  "apiVersion": "2022-02-01-preview",
  "name": "[concat(parameters('serverName'),'/master/default/default')]",
  "properties": {
    "latestScan": true
  }
}
Using PowerShell
Express configuration isn't supported in PowerShell cmdlets, but you can use PowerShell to invoke the latest vulnerability assessment capabilities through the REST API, for example to:
- Enable express configuration on an Azure SQL Server
- Set up baselines based on the latest scan results for all databases in an Azure SQL Server
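The second item above, as an added example that is not one of the scripts provided by the page or by Microsoft: it walks every user database on one logical server and issues the same "latestScan": true baseline shown in the ARM examples, but as a REST PUT through Invoke-AzRestMethod. It assumes the Az.Accounts and Az.Sql modules, an existing Connect-AzAccount session, express configuration already enabled on the server, and placeholder resource group and server names; the $IncludeMaster switch is this example's own.

```powershell
# Added example (not from the page). Set the express-configuration VA baseline to the
# latest scan results for every database on one Azure SQL logical server via REST.
# Assumes: Az.Accounts + Az.Sql installed, Connect-AzAccount already run, and express
# configuration already enabled on the server (baselines need it enabled first).
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder, e.g. "demo-rg"
    [Parameter(Mandatory)] [string] $ServerName,          # placeholder, e.g. "dbsrv1"
    [switch] $IncludeMaster                               # hypothetical: also baseline master
)

# Same API version as the ARM baseline resources on this page.
$apiVersion     = '2022-02-01-preview'
$subscriptionId = (Get-AzContext).Subscription.Id

# Identical to the ARM "properties": { "latestScan": true } body.
$body = @{ properties = @{ latestScan = $true } } | ConvertTo-Json -Depth 5

# Get-AzSqlDatabase also returns master; skip it unless explicitly requested.
$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
    Where-Object { $IncludeMaster -or $_.DatabaseName -ne 'master' }

$failed = @()
foreach ($db in $databases) {
    # The ARM resource name "<server>/<database>/default/default" maps to this REST path.
    $path = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.Sql/servers/$ServerName/databases/$($db.DatabaseName)" +
            "/sqlVulnerabilityAssessments/default/baselines/default?api-version=$apiVersion"

    $response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body

    # 200/201 means the baseline was written; record anything else so a database
    # whose baseline silently failed is not left with stale findings.
    if ($response.StatusCode -in 200, 201) {
        Write-Output "Baseline set from latest scan: $($db.DatabaseName)"
    } else {
        Write-Warning "Failed for $($db.DatabaseName): HTTP $($response.StatusCode) $($response.Content)"
        $failed += $db.DatabaseName
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "Databases without a new baseline: $($failed -join ', ')"
    exit 1
}
```

A database that has never been scanned has no "latest scan" to baseline against, so expect a non-2xx response for it until the first recurring scan has completed.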
FAQ
What happens to the old scan results and baselines after I switch to express configuration?
Old results and baselines settings remain available on your storage account, but won't be updated or used by the system. You don't need to maintain these files for SQL vulnerability assessment to work after you switch to express configuration, but you can keep your old baseline definitions for future reference.
When express configuration is enabled, you don't have direct access to the result and baseline data because it's stored on internal Microsoft storage.
Can I set up recurring scans with express configuration?
Express configuration automatically sets up recurring scans for all databases under your server. This is the default and is not configurable at server or database level.
Is there a way with express configuration to get the weekly email report that is provided in the classic configuration?
You can use workflow automation and Logic Apps email scheduling, following the Microsoft Defender for Cloud processes:
- Time based triggers
- Scan based triggers
- Support for disabled rules
Why can’t I set database policies anymore?
SQL vulnerability assessment reports all vulnerabilities and misconfigurations in your environment, so it helps to have all databases included. Defender for SQL is billed per server, not per database.
Can I revert back to the classic configuration?
Yes. You can revert back to the classic configuration using the existing REST APIs and PowerShell cmdlets. When you revert back to the classic configuration, you see a notification in the Azure portal to change to the express configuration.
Will we see express configuration for other types of SQL?
Stay tuned for updates!
Can I choose which experience will be the default?
No. Express configuration will be the default for every new supported Azure SQL database.
Does express configuration change scan behavior?
No, express configuration provides the same scanning behavior and performance.
Does express configuration have any effect on pricing?
Express configuration doesn't require a storage account, so you don't need to pay extra storage fees unless you choose to keep old scan and baseline data.
What does the 1-MB cap per rule mean?
Any individual rule can't produce results that are more than 1 MB. When that limit is reached, the results for the rule are stopped. You can't set a baseline for the rule, the rule isn't included in the overall recommendation health, and the results are shown as "Not applicable".
Troubleshooting
Revert back to the classic configuration
To change an Azure SQL database from the express vulnerability assessment configuration to the classic configuration:
- Disable the Defender for Azure SQL plan from the Azure portal.
- Use PowerShell to reconfigure using the classic experience:
  Update-AzSqlServerAdvancedThreatProtectionSetting `
      -ResourceGroupName "demo-rg" `
      -ServerName "dbsrv1" `
      -Enable 1
  Update-AzSqlServerVulnerabilityAssessmentSetting `
      -ResourceGroupName "demo-rg" `
      -ServerName "dbsrv1" `
      -StorageAccountName "mystorage" `
      -RecurringScansInterval Weekly `
      -ScanResultsContainerName "vulnerability-assessment"
You may have to tweak Update-AzSqlServerVulnerabilityAssessmentSetting according to Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets.
Errors
“Vulnerability Assessment is enabled on this server or one of its underlying databases with an incompatible version”
Possible causes:
Switching to express configuration failed due to a server policy error.
Solution: Try again to enable the express configuration. If the issue persists, try to disable the Microsoft Defender for SQL in the Azure SQL resource, select Save, enable Microsoft Defender for SQL again, and select Save.
Switching to express configuration failed due to a database policy error. Database policies aren't visible in the Azure portal for Defender for SQL vulnerability assessment, so we check for them during the validation stage of switching to express configuration.
Solution: Disable all database policies for the relevant server and then try to switch to express configuration again. Consider using the provided PowerShell script for assistance.
Next steps
- Learn more about Microsoft Defender for Azure SQL.
- Learn more about data discovery and classification.
- Learn more about storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets.