Commit 95034f4

committed
PM and Acrolinx feedback
1 parent 8d9a6f9 commit 95034f4

4 files changed: +47 / -28 lines changed


articles/defender-for-cloud/sql-azure-vulnerability-assessment-enable.md

Lines changed: 2 additions & 2 deletions
@@ -13,7 +13,7 @@ tags: azure-synapse
1313

1414
# Enable vulnerability assessment on your Azure SQL databases
1515

16-
In this article, you'll learn how to enable [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) so you can find and remediate database vulnerabilities. We recommend that you enable vulnerability assessment using the express configuration so you aren't dependent on a storage account, but you can also enable vulnerability assessment using the classic configuration.
16+
In this article, you'll learn how to enable [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) so you can find and remediate database vulnerabilities. We recommend that you enable vulnerability assessment using the express configuration so you aren't dependent on a storage account. You can also enable vulnerability assessment using the classic configuration.
1717

1818
When you enable the Defender for Azure SQL plan in Defender for Cloud, Defender for Cloud automatically enables Advanced Threat Protection and vulnerability assessment with the express configuration for all Azure SQL databases in the selected subscription.
1919

@@ -66,7 +66,7 @@ Now you can go to the [**SQL databases should have vulnerability findings resolv
6666
6767
#### Enable express vulnerability assessment at scale
6868

69-
If you have SQL resources that do not have Advanced Threat Protection and vulnerability assessment enable, you can use the [SQL vulnerability assessment APIs](sql-azure-vulnerability-assessment-manage.md#manage-vulnerability-assessments-programmatically) to enable SQL vulnerability assessment with the express configuration at scale.
69+
If you have SQL resources that don't have Advanced Threat Protection and vulnerability assessment enabled, you can use the [SQL vulnerability assessment APIs](sql-azure-vulnerability-assessment-manage.md#manage-vulnerability-assessments-programmatically) to enable SQL vulnerability assessment with the express configuration at scale.
7070

7171
### [Classic configuration](#tab/classic)
7272

articles/defender-for-cloud/sql-azure-vulnerability-assessment-find.md

Lines changed: 6 additions & 4 deletions
@@ -12,7 +12,9 @@ ms.topic: how-to
1212

1313
Microsoft Defender for Cloud provides [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.
1414

15-
The [express and classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) are managed differently so make sure you follow the instructions for your configuration.
15+
## Prerequisites
16+
17+
Make sure that you know whether you're using the [express or classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) before you continue.
1618

1719
To see which configuration you're using:
1820

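Review bot: the new Prerequisites text at line 17 drops the reason the reader must check their configuration, which the removed line 15 stated (express and classic are managed differently); suggest keeping it, and using the singular since the reader has one of the two: "Make sure that you know whether you're using the express or classic configuration before you continue, because the two configurations are managed differently." The "## Prerequisites" heading is a good addition, but confirm it doesn't leave the "To see which configuration you're using:" steps orphaned under a heading that also needs the permissions list that follows.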
@@ -37,13 +39,13 @@ The following permissions are required to changes vulnerability assessment setti
3739

3840
- SQL Security Manager
3941

40-
If you are receiving any automated emails with links to scan results the following permissions are required to access the links about scan results or to view scan results at the resource-level:
42+
If you're receiving any automated emails with links to scan results the following permissions are required to access the links about scan results or to view scan results at the resource-level:
4143

4244
- SQL Security Manager
4345

4446
### Data residency
4547

46-
SQL vulnerability assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL vulnerability assessment, and stores the query results. SQL vulnerability assessment data is stored in the location of the logical server it is configured on. For example, if the user enabled vulnerability assessment on a logical server in West Europe, the results will be stored in West Europe. This data will be collected only if the SQL vulnerability assessment solution is configured on the logical server.
48+
SQL vulnerability assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL vulnerability assessment, and stores the query results. SQL vulnerability assessment data is stored in the location of the logical server it's configured on. For example, if the user enabled vulnerability assessment on a logical server in West Europe, the results will be stored in West Europe. This data will be collected only if the SQL vulnerability assessment solution is configured on the logical server.
4749

4850
### On-demand vulnerability scans
4951

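Review bot: line 42 still needs a comma to close the conditional clause, and "resource-level" is a noun here, not an adjective: "If you're receiving any automated emails with links to scan results, the following permissions are required to access the links about scan results or to view scan results at the resource level:". The hunk header's context line shows "required to changes vulnerability assessment settings", a typo this wording pass could pick up. In the Data residency paragraph (line 48), "if the user enabled ... the results will be stored" switches to third person and future tense; the rest of the file addresses "you" in present tense, so "if you enable vulnerability assessment on a logical server in West Europe, the results are stored in West Europe" would match.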
@@ -87,7 +89,7 @@ To remediate the vulnerabilities discovered:
8789

8890
:::image type="content" source="media/defender-for-sql-azure-vulnerability-assessment/baseline-approval.png" alt-text="Approving a finding as a baseline for future scans":::
8991

90-
1. Any findings you've added to the baseline will now appear as **Passed** with an indication that they've passed because of the baseline changes. There is no need to run another scan for the baseline to take effect.
92+
1. Any findings you've added to the baseline will now appear as **Passed** with an indication that they've passed because of the baseline changes. There's no need to run another scan for the baseline to take effect.
9193

9294
:::image type="content" source="media/defender-for-sql-azure-vulnerability-assessment/passed-per-custom-baseline.png" alt-text="Passed assessments indicating they've passed per custom baseline":::
9395

articles/defender-for-cloud/sql-azure-vulnerability-assessment-manage.md

Lines changed: 37 additions & 20 deletions
@@ -12,7 +12,9 @@ ms.topic: how-to
1212

1313
Microsoft Defender for Cloud provides [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.
1414

15-
The [express and classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) are managed differently so make sure you follow the instructions for your configuration.
15+
## Prerequisites
16+
17+
Make sure that you know whether you're using the [express or classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) before you continue.
1618

1719
To see which configuration you're using:
1820

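Review bot: same comment as for the identical change in sql-azure-vulnerability-assessment-find.md: the removed sentence explained why the reader must know their configuration (express and classic are managed differently), and line 17 should keep that rationale with the singular "configuration". Since lines 13 to 20 are now word-for-word the same in both files, consider moving them into a shared include so future wording passes only touch one copy.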
@@ -28,15 +30,15 @@ If the vulnerability settings show the option to configure a storage account, yo
2830

2931
Select **Scan History** in the vulnerability assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.
3032

31-
Express configuration doesn't store scan results if they're identical to previous scans, so the history page updates only when the status of a finding changes.
33+
Express configuration doesn't store scan results if they're identical to previous scans. The scan time shown in the scan history is the time of the last scan where the scan results changed.
3234

3335
## Disable specific findings from Microsoft Defender for Cloud (preview)
3436

35-
If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.
37+
If you have an organizational need to ignore a finding rather than remediate it, you can disable the finding. Disabled findings don't impact your secure score or generate unwanted noise. You can see the disabled finding in the "Not applicable" section of the scan results.
3638

3739
When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios may include:
3840

39-
- Disable findings with severity below medium
41+
- Disable findings with medium or lower severity
4042
- Disable findings that are non-patchable
4143
- Disable findings from benchmarks that aren't of interest for a defined scope
4244

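Review bot: the bullet at line 41 changes meaning, not just wording: "severity below medium" excludes medium findings, while "medium or lower severity" includes them. If the PM intended to change the example scenario, fine, but if this was meant as an Acrolinx readability fix it should revert to something like "Disable findings with a severity lower than medium". Line 37 is an improvement; the "Not applicable" wording there should match the IMPORTANT block later in this file (line 278), which it does. The scan history sentence at line 33 reads clearly now.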
@@ -92,7 +94,7 @@ The express configuration is supported in the latest REST API version with the f
9294

9395
### Using Resource Manager templates
9496

95-
To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the `Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines` type. Make sure that `vulnerabilityAssessments` is enabled before you add baselines.
97+
To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the `Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines` type. Make sure that `vulnerabilityAssessments` is enabled before you add baselines.
9698

9799
Here are several examples to how you can set up baselines using ARM templates:
98100

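Review bot: line 97 changes the resource type to `Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines`, but the following sentence still tells the reader to make sure `vulnerabilityAssessments` is enabled. If the express configuration's baselines live under `sqlVulnerabilityAssessments`, the prerequisite should name that same type, otherwise readers will check the classic resource; please verify the exact type path against the REST reference before merging. The unchanged context line "Here are several examples to how you can set up baselines" should read "examples of how".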
@@ -151,7 +153,7 @@ Here are several examples to how you can set up baselines using ARM templates:
151153
"properties": {
152154
"latestScan": false,
153155
"results": [
154-
[ "True" ]
156+
[ "True" ]
155157
]
156158
}
157159
}
@@ -181,7 +183,9 @@ Express configuration isn't supported in PowerShell cmdlets but you can use Powe
181183

182184
### What happens to the old scan results and baselines after I switch to express configuration?
183185

184-
Old results and baselines settings remain available on your storage account, but won't be updated or used by the system. When express configuration is enabled, customers don't have direct access to the result and baseline data because it's stored on internal Microsoft storage.
186+
Old results and baselines settings remain available on your storage account, but won't be updated or used by the system. You don't need to maintain these files for SQL vulnerability assessment to work after you switch to express configuration, but you can keep your old baseline definitions for future reference.
187+
188+
When express configuration is enabled, you don't have direct access to the result and baseline data because it's stored on internal Microsoft storage.
185189

186190
### Is there a way with express configuration to get the weekly email report that is provided in the classic configuration?
187191

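Review bot: "Old results and baselines settings" at line 186 should be "baseline settings", and "won't be updated or used by the system" can be present tense ("aren't updated or used"). Splitting the paragraph is right; the new sentence about keeping old baseline definitions is useful, but it would help to say where they are (the customer's own storage account, as the first sentence implies) so the reader knows which files are meant.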
@@ -207,6 +211,18 @@ Stay tuned for updates!
207211

208212
No. Express configuration will be the default for every new supported Azure SQL database.
209213

214+
### Does express configuration change scan behavior?
215+
216+
No, express configuration provides the same scanning behavior and performance.
217+
218+
### Does express configuration have any effect on pricing?
219+
220+
Express configuration doesn't require a storage account, so you don't need to pay extra storage fees unless you choose to keep old scan and baseline data.
221+
222+
### What does the 1-MB cap per rule mean?
223+
224+
Any individual rule can't produce results that are more than 1 MB. When that limit is reached, the results for the rule are stopped. You can't set a baseline for the rule, the rule isn't included in the overall recommendation health, and the results are shown as "Not applicable".
225+
210226
## Troubleshooting
211227

212228
### Revert back to the classic configuration
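Review bot: line 224, "the results for the rule are stopped", doesn't tell the reader what they'll observe; suggest stating it directly, for example that the scan stops returning results for that rule once the limit is reached, and the rule then appears as "Not applicable". The heading "What does the 1-MB cap per rule mean?" uses "cap" while the overview table in this same commit now says "Maximum of 1 MB"; pick one term for both places. Line 220: the only storage cost involved is the customer's own storage account that holds old classic results, so "unless you choose to keep old scan and baseline data in your storage account" would make the pricing answer precise.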
@@ -231,7 +247,7 @@ To change an Azure SQL database from the express vulnerability assessment config
231247

232248
Possible causes:
233249

234-
- Switching to express configuration failed due to a server policy error. This could be due to a transient operation.
250+
- Switching to express configuration failed due to a server policy error.
235251

236252
**Solution**: Try again to enable the express configuration. If the issue persists, try to disable the Microsoft Defender for SQL in the Azure SQL resource, select **Save**, enable Microsoft Defender for SQL again, and select **Save**.
237253

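Review bot: removing "This could be due to a transient operation" from line 250 leaves the solution's "Try again to enable the express configuration" without its justification. If the sentence was cut for Acrolinx readability, keep a short cause instead: "Switching to express configuration failed due to a server policy error, which is usually transient."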
@@ -252,13 +268,14 @@ If you have an organizational need to ignore a finding, rather than remediate it
252268
When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings.
253269
Typical scenarios may include:
254270

255-
- Disable findings with severity below medium
271+
- Disable findings with medium or lower severity
256272
- Disable findings that are non-patchable
257273
- Disable findings from benchmarks that aren't of interest for a defined scope
258274

259275
> [!IMPORTANT]
260-
> 1. To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in [Azure RBAC permissions in Azure Policy](/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy).
261-
> 2. Disabled findings will still be included in the weekly SQL vulnerability assessment email report.
276+
> - To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in [Azure RBAC permissions in Azure Policy](/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy).
277+
> - Disabled findings will still be included in the weekly SQL vulnerability assessment email report.
278+
> - Disabled rules are shown in the "Not applicable" section of the scan results.
262279
263280
To create a rule:
264281

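Review bot: the severity bullet at line 271 has the same meaning change as line 41 earlier in this file (medium findings now included); both must agree with whatever the PM decided. The new IMPORTANT bullet at line 278 says "Disabled rules" while line 37 says "disabled finding"; use one term. Note also that lines 268 to 278 now repeat the scenario list and the disable-rule guidance from the "Disable specific findings" section near the top of the file; consider consolidating or cross-linking so the two copies don't drift.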
@@ -328,15 +345,15 @@ You can use Azure CLI commands to programmatically manage your vulnerability ass
328345

329346
| Command name as a link | Description |
330347
| :----------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------- |
331-
| [az security va sql baseline delete](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-delete) | Delete SQL vulnerability assessment rule baseline. |
332-
| [az security va sql baseline list](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-list) | View SQL vulnerability assessment baseline for all rules. |
333-
| [az security va sql baseline set](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-set) | Sets SQL vulnerability assessment baseline. Replaces the current baseline. |
334-
| [az security va sql baseline show](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-show) | View SQL vulnerability assessment rule baseline. |
335-
| [az security va sql baseline update](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-update) | Update SQL vulnerability assessment rule baseline. Replaces the current rule baseline. |
336-
| [az security va sql results list](/cli/azure/security/va/sql/results#az-security-va-sql-results-list) | View all SQL vulnerability assessment scan results. |
337-
| [az security va sql results show](/cli/azure/security/va/sql/results#az-security-va-sql-results-show) | View SQL vulnerability assessment scan results. |
338-
| [az security va sql scans list](/cli/azure/security/va/sql/scans#az-security-va-sql-scans-list) | List all SQL vulnerability assessment scan summaries. |
339-
| [az security va sql scans show](/cli/azure/security/va/sql/scans#az-security-va-sql-scans-show) | View SQL vulnerability assessment scan summaries. |
348+
| [`az security va sql baseline delete`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-delete) | Delete SQL vulnerability assessment rule baseline. |
349+
| [`az security va sql baseline list`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-list) | View SQL vulnerability assessment baseline for all rules. |
350+
| [`az security va sql baseline set`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-set) | Sets SQL vulnerability assessment baseline. Replaces the current baseline. |
351+
| [`az security va sql baseline show`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-show) | View SQL vulnerability assessment rule baseline. |
352+
| [`az security va sql baseline update`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-update) | Update SQL vulnerability assessment rule baseline. Replaces the current rule baseline. |
353+
| [`az security va sql results list`](/cli/azure/security/va/sql/results#az-security-va-sql-results-list) | View all SQL vulnerability assessment scan results. |
354+
| [`az security va sql results show`](/cli/azure/security/va/sql/results#az-security-va-sql-results-show) | View SQL vulnerability assessment scan results. |
355+
| [`az security va sql scans list`](/cli/azure/security/va/sql/scans#az-security-va-sql-scans-list) | List all SQL vulnerability assessment scan summaries. |
356+
| [`az security va sql scans show`](/cli/azure/security/va/sql/scans#az-security-va-sql-scans-show) | View SQL vulnerability assessment scan summaries. |
340357

341358
### Resource Manager templates
342359

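Review bot: wrapping the command names in backticks is the right call. While the table is being touched, the descriptions mix "Sets" with imperative "Delete"/"View"/"Update"; make them consistent ("Set SQL vulnerability assessment baseline."), and the header "Command name as a link" can simply be "Command".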
articles/defender-for-cloud/sql-azure-vulnerability-assessment-overview.md

Lines changed: 2 additions & 2 deletions
@@ -48,14 +48,14 @@ Configuration modes benefits and limitations comparison:
4848

4949
| Parameter | Express configuration | Classic configuration |
5050
| :--------------------------- | :------------------------------------------------------------------ | :------------------------------------------------------------------ |
51-
| Supported SQL Flavors | Azure SQL Database (preview) | • Azure SQL Database<br>• Azure SQL Managed Instance<br>• Azure Synapse Analytics |
51+
| Supported SQL Flavors | Azure SQL Database (preview)<br>• Azure Synapse Dedicated SQL Pools (formerly SQL DW) (preview) | • Azure SQL Database<br>• Azure SQL Managed Instance<br>• Azure Synapse Analytics |
5252
| Supported Policy Scope | • Subscription<br>• Server | • Subscription<br>• Server<br>• Database |
5353
| Dependencies | None | Azure storage account |
5454
| Recurring scan | • Always active<br>• Scan scheduling is internal and not configurable | • Configurable on/off<br>Scan scheduling is internal and not configurable |
5555
| Supported Rules | All vulnerability assessment rules for the supported resource type. | All vulnerability assessment rules for the supported resource type. |
5656
| Baseline Settings | • Batch – several rules in one command<br>• Set by latest scan results<br>• Single rule | • Single rule |
5757
| Apply baseline | Will take effect **without** rescanning the database | Will take effect **only after** rescanning the database |
58-
| Single rule scan result size | Capped to 1MB | Unlimited |
58+
| Single rule scan result size | Maximum of 1 MB | Unlimited |
5959
| Email notifications | • Logic Apps | • Internal scheduler<br>• Logic Apps |
6060
| Scan export | TBD | Excel format |
6161

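Review bot: in the express column at line 51, the first item has no leading "• " while the second item and the classic column do; it should read "• Azure SQL Database (preview)<br>• Azure Synapse Dedicated SQL Pools (formerly SQL DW) (preview)". The same inconsistency exists in the unchanged classic Recurring scan cell ("• Configurable on/off<br>Scan scheduling is internal ..."). "Maximum of 1 MB" now matches the space-separated unit used in the new FAQ entry, but the FAQ heading still calls it a "cap"; align the wording. "Scan export: TBD" is a placeholder shipping in published docs and should be resolved or removed.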