4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server

Information

Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers.

Rationale:

Vulnerability Assessment (VA) scan reports and alerts will be sent to email ids configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.

Impact:

Enabling the Azure Defender for SQL features will incur additional costs for each SQL server.

Solution

From Azure Console

Go to SQL servers

Select a server instance

Click on Security Center

Ensure that Azure Defender for SQL is set to Enabled

Select Configure next to Enabled at subscription-level

In Section Vulnerability Assessment Settings, configure Storage Accounts if not already

Configure email ids for concerned data owners/stakeholders at 'Send scan reports to'

Click Save

Using Azure PowerShell
If not already, Enable Advanced Data Security for a SQL Server:

Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

To enable ADS-VA service and Set 'Send scan reports to'

Update-AzSqlServerVulnerabilityAssessmentSetting '
-ResourceGroupName '<resource group name>''
-ServerName '<Server Name>''
-StorageAccountName '<Storage Name from same subscription and same Location' '
-ScanResultsContainerName 'vulnerability-assessment' '
-RecurringScansInterval Weekly '
-EmailSubscriptionAdmins $true '
-NotificationEmail @('[email protected]' , '[email protected]')

Default Value:

By default, 'Send reports to' is blank.

See Also

https://workbench.cisecurity.org/files/3459

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-4, CSCv7|3.1

Plugin: microsoft_azure

Control ID: 698d67ab1123e9bca8b80b9c03246a81a8a608efa4a19eeaf93489706ded0cfe