New-SqlVulnerabilityAssessmentBaseline

Creates a new instance of Microsoft.SQL.VulnerabilityAssessment.SecurityCheckBaseline.

Syntax

New-SqlVulnerabilityAssessmentBaseline
   [-SecurityCheckId] <String>
   -ExpectedResult <String[][]>
   [-Severity <SecurityCheckSeverity>]
   [<CommonParameters>]

Description

The New-SqlVulnerabilityAssessmentBaseline cmdlet creates a new instance of Microsoft.SQL.VulnerabilityAssessment.SecurityCheckBaseline.

As you review your assessment results, you can mark specific results of a security check as being an acceptable Baseline in your environment.

The baseline is essentially a customization of how the results of a specific security check are evaluated.

If the results of a security check match those that are expected according to the baseline, this check will be evaluated as passing.

Baselines should be added to a Baseline set, and you should run the scan with it to receive applicable results.

Module requirements: version 21+ on PowerShell 5.1; version 22+ on PowerShell 7.x.

This cmdlet was removed in v22.3+ of the module.

Examples

Example 1: Create a new security check baseline using a Vulnerability Assessment scan results

PS C:\> $scanResult = Invoke-SqlVulnerabilityAssessmentScan -ServerInstance "MyComputer\MainInstance" -Database some_database
PS C:\> $result2010 = $scanResult.Results.VA2010
PS C:\> $baseline2010 = New-SqlVulnerabilityAssessmentBaseline -SecurityCheckId $result2010.SecurityCheckId -ExpectedResult $result2010.QueryResults -Severity Medium

In this example we run a Vulnerability Assessment scan, and search for failed security checks. We see that we have two failed security checks - VA2042 and VA2109. We decide that we want to set a baseline for security check VA2109, so we create a new SecurityCheckBaseline with the security check id and query results that we got from the scan result object.

Example 2: Create a new security check baseline manually

PS C:\> [string[][]]$expectedResults = ("guest", "db_datareader", "SQLUSER", "NONE"), ("guest", "db_owner", "SQLUSER", "NONE")
PS C:\> $baseline = New-SqlVulnerabilityAssessmentBaseline -SecurityCheckId "VA2109" -ExpectedResult $expectedResults

SecurityCheckId Severity ExpectedResults
--------------- -------- ---------------
VA2109                   {guest db_datareader SQLUSER NONE, guest db_owner SQLUSER NONE}

In this example we create a baseline for security check 'VA2109' manually. We first create the expected results which contains two rows. Then we create the baseline with the expected results.

Parameters

-ExpectedResult

The baseline expected result for the security check query. This expected result overrides the security check original expected results.

Type:String[][]
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SecurityCheckId

The security check id which the baseline applies to.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Severity

The new severity for the security check. This severity overrides the security check original severity.

Type:SecurityCheckSeverity
Accepted values:High, Medium, Low
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

System.Object