Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline

Sets the vulnerability assessment rule baseline.

Syntax

Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
   [-InstanceName] <String>
   [-DatabaseName] <String>
   -BaselineResult <String[][]>
   -RuleId <String>
   [-RuleAppliesToMaster]
   [-ResourceGroupName] <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
   [-InputObject <VulnerabilityAssessmentRuleBaselineModel>]
   -BaselineResult <String[][]>
   -RuleId <String>
   [-RuleAppliesToMaster]
   [-ResourceGroupName] <String>
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline cmdlet sets the vulnerability assessment rule baseline. As you review your assessment results, you can mark specific results as being an acceptable Baseline in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. Once you have established your baseline security state, vulnerability assessment only reports on deviations from the baseline, and you can focus your attention on the relevant issues. Note that you need to run Enable-AzSqlInstanceAdvancedDataSecurity and Update-AzSqlInstanceVulnerabilityAssessmentSetting cmdlet as a prerequisite for using this cmdlets.

Examples

Example 1: Set a vulnerability assessment rule baseline

Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline  `
            -ResourceGroupName "ResourceGroup01" `
            -InstanceName "ManagedInstance01" `
            -DatabaseName "Database01" `
			-RuleId "VA2108" `
			-RuleAppliesToMaster `
			-BaselineResult @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

ResourceGroupName		: ResourceGroup01
InstanceName	    : ManagedInstance01
DatabaseName	    : Database01
RuleId		        	: VA2108
RuleAppliesToMaster    	: True
BaselineResult		    : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

BaselineResult value is a composition of several sub arrays that described the T-SQL results that will be added to the baseline.
You may find the Scan results under the storage defined by the Update-AzSqlInstanceVulnerabilityAssessmentSetting cmdlet, under scans/{ManagedInstanceName}/{ManagedDatabaseName}/scan_{ScanId}.json

Example 2: Set a vulnerability assessment rule baseline from a baseline object

Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
            -ResourceGroupName "ResourceGroup01" `
            -InstanceName "ManagedInstance01" `
            -DatabaseName "Database01" `
            -RuleId "VA2108" `
            -BaselineResult @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
            -ResourceGroupName "ResourceGroup01" `
            -InstanceName "ManagedInstance01" `
            -DatabaseName "Database01" `
            -RuleId "VA2108" `
            |  Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
                -ResourceGroupName "ResourceGroup02" `
                -InstanceName "ManagedInstance02" `
                -DatabaseName "Database02"

ResourceGroupName		: ResourceGroup02
InstanceName	    : ManagedInstance02
DatabaseName	    : Database02
RuleId		        	: VA2108
RuleAppliesToMaster    	: False
BaselineResult		    : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

Example 3: Set a vulnerability assessment rule baseline on all the databases under a managed instance

Get-AzSqlInstanceDatabase -ResourceGroupName "ResourceGroup01" `
            -InstanceName "ManagedInstance01" `
            | Where-Object {$_.Name -ne "master"}  `
            | Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
                -RuleId "VA2108" `
                -BaselineResult @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

ResourceGroupName		: ResourceGroup01
InstanceName	    : ManagedInstance01
DatabaseName	    : Database01
RuleId		        	: VA2108
RuleAppliesToMaster    	: False
BaselineResult		    : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

ResourceGroupName		: ResourceGroup01
InstanceName	    : ManagedInstance01
DatabaseName	    : Database02
RuleId		        	: VA2108
RuleAppliesToMaster    	: False
BaselineResult		    : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None')  , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

Parameters

-BaselineResult

The results to set as baseline for the rule in all future scans

Type:String[][]
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DatabaseName

SQL Managed Database name.

Type:String
Position:2
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

The Vulnerability Assessment rule baseline object to set

Type:VulnerabilityAssessmentRuleBaselineModel
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-InstanceName

SQL Managed Instance name.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceGroupName

The name of the resource group.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-RuleAppliesToMaster

Specifies whether the baseline results should apply on a server level rule identified by the RuleId

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-RuleId

The rule ID which identifies the rule to set the baseline results to.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

VulnerabilityAssessmentRuleBaselineModel

String[][]

SwitchParameter

Outputs

ManagedDatabaseVulnerabilityAssessmentRuleBaselineModel