
Commit 375e4c9

Merge pull request #107043 from paulth1/sql-vulnerability-assessment
edit pass: sql-vulnerability-assessment
2 parents 36cd519 + ce2ce2b commit 375e4c9

1 file changed

+54
-49
lines changed

articles/sql-database/sql-vulnerability-assessment.md

Lines changed: 54 additions & 49 deletions
@@ -1,6 +1,6 @@
11
---
22
title: SQL Vulnerability Assessment
3-
description: Learn how to configure and SQL Vulnerability Assessment on SQL Database, and interpret the assessment reports.
3+
description: Learn how to configure SQL Vulnerability Assessment on Azure SQL Database and interpret the assessment reports.
44
services: sql-database
55
ms.service: sql-database
66
ms.subservice: security
@@ -14,85 +14,90 @@ ms.date: 02/05/2020
1414
tags: azure-synapse
1515
---
1616

17-
# SQL Vulnerability Assessment service helps you identify database vulnerabilities
17+
# SQL Vulnerability Assessment helps you identify database vulnerabilities
1818

19-
SQL Vulnerability Assessment is an easy to configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.
19+
SQL Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.
2020

21-
Vulnerability Assessment is part of the [advanced data security](sql-database-advanced-data-security.md) (ADS) offering, which is a unified package for advanced SQL security capabilities. Vulnerability Assessment can be accessed and managed via the central SQL ADS portal.
21+
Vulnerability Assessment is part of the [Advanced Data Security](sql-database-advanced-data-security.md) offering, which is a unified package for advanced SQL security capabilities. Vulnerability Assessment can be accessed and managed via the central SQL Advanced Data Security portal.
2222

2323
> [!NOTE]
24-
> Vulnerability Assessment is supported for Azure SQL Database, Azure SQL Managed Instance and Azure Synapse Analytics. For simplicity, SQL Database is used in this article when referring to any of these managed database services.
24+
> Vulnerability Assessment is supported for Azure SQL Database, Azure SQL Database managed instance, and Azure Synapse Analytics. For simplicity, SQL Database is used in this article when referring to any of these managed database services.
2525
26-
## The Vulnerability Assessment service
26+
## Vulnerability Assessment
2727

28-
SQL Vulnerability Assessment (VA) is a service that provides visibility into your security state, and includes actionable steps to resolve security issues, and enhance your database security. It can help you:
28+
SQL Vulnerability Assessment is a service that provides visibility into your security state. Vulnerability Assessment includes actionable steps to resolve security issues and enhance your database security. It can help you:
2929

30-
- Meet compliance requirements that require database scan reports.
31-
- Meet data privacy standards.
32-
- Monitor a dynamic database environment where changes are difficult to track.
30+
- Meet compliance requirements that require database scan reports.
31+
- Meet data privacy standards.
32+
- Monitor a dynamic database environment where changes are difficult to track.
3333

34-
Vulnerability Assessment is a scanning service built into the Azure SQL Database service. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover both database-level issues as well as server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.
34+
Vulnerability Assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
3535

36-
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. An assessment report can be customized for your environment by setting an acceptable baseline for permission configurations, feature configurations, and database settings.
36+
The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.
3737

38-
## Implementing Vulnerability Assessment
38+
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:
39+
* Permission configurations.
40+
* Feature configurations.
41+
* Database settings.
3942

40-
The following steps implement VA on SQL Database.
43+
## Implement Vulnerability Assessment
4144

42-
### 1. Run a scan
45+
The following steps implement Vulnerability Assessment on SQL Database.
4346

44-
Get started with VA by navigating to **Advanced Data Security** under the Security heading in your Azure SQL Database pane. Click to enable advanced data security, and then click on **Select Storage** or on the **Vulnerability Assessment** card, which automatically opens the Vulnerability Assessment settings card for the entire SQL server.
47+
### 1. Run a scan
4548

46-
Start by configuring a storage account where your scan results for all databases on the server will be stored. For information about storage accounts, see [About Azure storage accounts](../storage/common/storage-create-storage-account.md). Once storage is configured, click **Scan** to scan your database for vulnerabilities.
47-
48-
![Scan a database](./media/sql-vulnerability-assessment/pp_va_initialize.png)
49+
In your Azure SQL Database pane, under the **Security** heading, select **Advanced Data Security**. Then click **Select Storage** on the **Vulnerability Assessment** pane to open the Vulnerability Assessment settings pane for the entire SQL server.
50+
51+
Configure a storage account where your scan results for all databases on the server will be stored. For information about storage accounts, see [About Azure storage accounts](../storage/common/storage-create-storage-account.md). After storage is configured, select **Scan** to scan your database for vulnerabilities.
52+
53+
![Scan a database](./media/sql-vulnerability-assessment/pp_va_initialize.png)
4954

5055
> [!NOTE]
51-
> The scan is lightweight and safe. It takes a few seconds to run, and is entirely read-only. It does not make any changes to your database.
56+
> The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It doesn't make any changes to your database.
5257
5358
### 2. View the report
5459

55-
When your scan is complete, your scan report is automatically displayed in the Azure portal. The report presents an overview of your security state: how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles and their associated permissions.The scan report also provides a map of sensitive data discovered in your database, and includes recommendations to classify that data using [data discovery & classification](sql-database-data-discovery-and-classification.md).
60+
When your scan is finished, your scan report is automatically displayed in the Azure portal. The report presents an overview of your security state. It lists how many issues were found and their respective severities. Results include warnings on deviations from best practices and a snapshot of your security-related settings, such as database principals and roles and their associated permissions. The scan report also provides a map of sensitive data discovered in your database. It includes recommendations to classify that data by using [data discovery and classification](sql-database-data-discovery-and-classification.md).
5661

57-
![View the report](./media/sql-vulnerability-assessment/pp_main_getstarted.png)
62+
![View the report](./media/sql-vulnerability-assessment/pp_main_getstarted.png)
5863

5964
### 3. Analyze the results and resolve issues
6065

61-
Review your results and determine the findings in the report that are true security issues in your environment. Drill down to each failed result to understand the impact of the finding and why each security check failed. Use the actionable remediation information provided by the report to resolve the issue.
66+
Review your results and determine the findings in the report that are true security issues in your environment. Drill down to each failed result to understand the impact of the finding and why each security check failed. Use the actionable remediation information provided by the report to resolve the issue.
6267

6368
![Analyze the report](./media/sql-vulnerability-assessment/pp_fail_rule_show_remediation.png)
6469

6570
### 4. Set your baseline
6671

67-
As you review your assessment results, you can mark specific results as being an acceptable *Baseline* in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. Once you have established your baseline security state, VA only reports on deviations from the baseline and you can focus your attention on the relevant issues.
72+
As you review your assessment results, you can mark specific results as being an acceptable *baseline* in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. After you've established your baseline security state, Vulnerability Assessment only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.
6873

69-
![Set your baseline](./media/sql-vulnerability-assessment/pp_fail_rule_show_baseline.png)
74+
![Set your baseline](./media/sql-vulnerability-assessment/pp_fail_rule_show_baseline.png)
7075

7176
### 5. Run a new scan to see your customized tracking report
7277

73-
After you complete setting up your **Rule Baselines**, run a new scan to view the customized report. VA now reports only the security issues that deviate from your approved baseline state.
78+
After you finish setting up your **Rule Baselines**, run a new scan to view the customized report. Vulnerability Assessment now reports only the security issues that deviate from your approved baseline state.
7479

75-
![View your customized report](./media/sql-vulnerability-assessment/pp_pass_main_with_baselines.png)
80+
![View your customized report](./media/sql-vulnerability-assessment/pp_pass_main_with_baselines.png)
7681

77-
Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, VA reports can be helpful to facilitate the compliance process.
82+
Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, Vulnerability Assessment reports can be helpful to facilitate the compliance process.
7883

7984
### 6. Set up periodic recurring scans
8085

81-
Navigate to the Vulnerability Assessment settings to turn on **Periodic recurring scans**. This configures Vulnerability Assessment to automatically run a scan on your database once per week. A scan result summary will be sent to the email address(es) you provide.
86+
Go to the Vulnerability Assessment settings to turn on **Periodic recurring scans**. This setting configures Vulnerability Assessment to automatically run a scan on your database once per week. A scan result summary is sent to the email addresses you provide.
8287

8388
![View your customized report](./media/sql-vulnerability-assessment/pp_recurring_scans.png)
8489

8590
### 7. Export an assessment report
8691

87-
Click **Export Scan Results** to create a downloadable Excel report of your scan result. This report contains a summary tab that displays a summary of the assessment, including all failed checks. It also includes a **Results** tab containing the full set of results from the scan, including all checks that were run and the result details for each.
92+
Select **Export Scan Results** to create a downloadable Excel report of your scan result. This report contains a summary tab that displays a summary of the assessment. The report includes all failed checks. It also includes a **Results** tab that contains the full set of results from the scan. The results include all checks that were run and the result details for each.
8893

8994
### 8. View scan history
9095

91-
Click **Scan History** in the VA pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.
96+
Select **Scan History** in the Vulnerability Assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.
9297

93-
Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, VA reports can be helpful to facilitate the compliance process.
98+
Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times, and that your organizational policies are met. If compliance reports are required, Vulnerability Assessment reports can be helpful to facilitate the compliance process.
9499

95-
## Manage Vulnerability Assessments using Azure PowerShell
100+
## Manage vulnerability assessments by using Azure PowerShell
96101

97102
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
98103
> [!IMPORTANT]
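Review bot: The paragraph beginning "Vulnerability Assessment can now be used to monitor that your database maintains a high level of security at all times" is repeated verbatim after step 5 and again after step 8, and this pass rewrites both copies instead of dropping one; keep a single copy (after step 8, where it closes the procedure) so the same compliance sentence is not read twice. The rewritten step 1 also loses the instruction to enable Advanced Data Security before choosing storage ("Click to enable advanced data security" in the removed text) and the alternative entry point via the **Vulnerability Assessment** card; on a server where Advanced Data Security is not yet enabled there is no **Select Storage** control to click, so restore the enabling step. Minor: the new step 1 still says "Then click **Select Storage**" while the rest of the pass changes "click" to "select"; make it consistent.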
@@ -102,41 +107,41 @@ You can use Azure PowerShell cmdlets to programmatically manage your vulnerabili
102107

103108
- [Update-AzSqlDatabaseVulnerabilityAssessmentSetting](https://docs.microsoft.com/powershell/module/az.sql/Update-azSqlDatabaseVulnerabilityAssessmentSetting)
104109

105-
Updates the vulnerability assessment settings of a database
110+
Updates the Vulnerability Assessment settings of a database.
106111
- [Get-AzSqlDatabaseVulnerabilityAssessmentSetting](https://docs.microsoft.com/powershell/module/az.sql/Get-azSqlDatabaseVulnerabilityAssessmentSetting)
107112

108-
Returns the vulnerability assessment settings of a database
113+
Returns the Vulnerability Assessment settings of a database.
109114
- [Clear-AzSqlDatabaseVulnerabilityAssessmentSetting](https://docs.microsoft.com/powershell/module/az.sql/Clear-azSqlDatabaseVulnerabilityAssessmentSetting)
110115

111-
Clears the vulnerability assessment settings of a database
116+
Clears the Vulnerability Assessment settings of a database.
112117
- [Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline](https://docs.microsoft.com/powershell/module/az.sql/Set-azSqlDatabaseVulnerabilityAssessmentRuleBaseline)
113118

114-
Sets the vulnerability assessment rule baseline.
119+
Sets the Vulnerability Assessment rule baseline.
115120
- [Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline](https://docs.microsoft.com/powershell/module/az.sql/Get-azSqlDatabaseVulnerabilityAssessmentRuleBaseline)
116121

117-
Gets the vulnerability assessment rule baseline for a given rule.
122+
Gets the Vulnerability Assessment rule baseline for a given rule.
118123
- [Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline](https://docs.microsoft.com/powershell/module/az.sql/Clear-azSqlDatabaseVulnerabilityAssessmentRuleBaseline)
119124

120-
Clears the vulnerability assessment rule baseline. First set the baseline before using this cmdlet to clear it.
125+
Clears the Vulnerability Assessment rule baseline. First, set the baseline before you use this cmdlet to clear it.
121126
- [Start-AzSqlDatabaseVulnerabilityAssessmentScan](https://docs.microsoft.com/powershell/module/az.sql/Start-azSqlDatabaseVulnerabilityAssessmentScan)
122127

123-
Triggers the start of a vulnerability assessment scan
128+
Triggers the start of a Vulnerability Assessment scan.
124129
- [Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord](https://docs.microsoft.com/powershell/module/az.sql/Get-azSqlDatabaseVulnerabilityAssessmentScanRecord)
125130

126-
Gets all vulnerability assessment scan record(s) associated with a given database.
131+
Gets all Vulnerability Assessment scan records associated with a given database.
127132
- [Convert-AzSqlDatabaseVulnerabilityAssessmentScan](https://docs.microsoft.com/powershell/module/az.sql/Convert-azSqlDatabaseVulnerabilityAssessmentScan)
128133

129-
Converts vulnerability assessment scan results to an Excel file
134+
Converts Vulnerability Assessment scan results to an Excel file.
130135

131136
For a script example, see [Azure SQL Vulnerability Assessment PowerShell support](https://blogs.msdn.microsoft.com/sqlsecurity/20../../azure-sql-vulnerability-assessment-now-with-powershell-support/).
132137

133-
## Manage Vulnerability Assessments baseline rules using Resource Manager templates
138+
## Manage Vulnerability Assessment baseline rules by using Resource Manager templates
134139

135140
To configure Vulnerability Assessment baselines by using Azure Resource Manager templates, use the `Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines` type.
136141

137-
Ensure that you have enabled vulnerabilityAssements on the computer that's running SQL Server before you add baselines.
142+
Ensure that you have enabled `vulnerabilityAssessments` on the computer that's running SQL Server before you add baselines.
138143

139-
Here's an example for defining Baseline Rule VA2065 to masterdb and VA1143 userdb as resources in a Resource Manager template:
144+
Here's an example for defining Baseline Rule VA2065 to masterdb and VA1143 to userdb as resources in a Resource Manager template:
140145

141146
```json
142147
"resources": [
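Review bot: The prerequisite sentence "Ensure that you have enabled `vulnerabilityAssessments` on the computer that's running SQL Server before you add baselines" only had its spelling corrected, but it still describes the wrong thing for this article: the page covers Azure SQL Database, and the template type named in the line above is `Microsoft.Sql/servers/databases/vulnerabilityAssessments`, a resource on the Azure SQL server and database, not a setting on a machine running SQL Server. Suggest "Ensure that the `vulnerabilityAssessments` resource is enabled on the server before you add baselines." Separately, the unchanged link to the PowerShell script example carries `20../../` in its path, which looks like a mangled URL; verify it resolves before the page is published.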
@@ -183,13 +188,13 @@ Here's an example for defining Baseline Rule VA2065 to masterdb and VA1143 userd
183188
}
184189
```
185190

186-
For user database and master database, the resource names are defined differently:
191+
For master database and user database, the resource names are defined differently:
187192

188193
* Master database - "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/<b>master</b>')]",
189194
* User database - "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/<b>default</b>')]",
190195

191196

192-
To handle <b>Boolean</b> types as true/false, set the baseline result with binary input like "1"/"0".
197+
To handle Boolean types as true/false, set the baseline result with binary input like "1"/"0".
193198

194199
```json
195200
{
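Review bot: The two resource-name bullets keep the HTML `<b>master</b>` and `<b>default</b>` tags inside the quoted `concat(...)` expression while the same pass strips `<b>` from "Boolean" two lines below; inside a string that a reader will paste into a template those tags either render literally or produce an invalid resource name. Replace them with plain `master` and `default`, and if the contrast between the two names needs emphasis, put it in the bullet text outside the string rather than inside the JSON value.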
@@ -216,5 +221,5 @@ For user database and master database, the resource names are defined differentl
216221

217222
## Next steps
218223

219-
- Learn more about [advanced data security](sql-database-advanced-data-security.md)
220-
- Learn more about [data discovery & classification](sql-database-data-discovery-and-classification.md)
224+
- Learn more about [Advanced Data Security](sql-database-advanced-data-security.md).
225+
- Learn more about [data discovery and classification](sql-database-data-discovery-and-classification.md).
