articles/defender-for-cloud/sql-azure-vulnerability-assessment-enable.md
2 additions & 2 deletions
@@ -13,7 +13,7 @@ tags: azure-synapse
# Enable vulnerability assessment on your Azure SQL databases
-
In this article, you'll learn how to enable [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) so you can find and remediate database vulnerabilities. We recommend that you enable vulnerability assessment using the express configuration so you aren't dependent on a storage account, but you can also enable vulnerability assessment using the classic configuration.
+
In this article, you'll learn how to enable [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) so you can find and remediate database vulnerabilities. We recommend that you enable vulnerability assessment using the express configuration so you aren't dependent on a storage account. You can also enable vulnerability assessment using the classic configuration.
When you enable the Defender for Azure SQL plan in Defender for Cloud, Defender for Cloud automatically enables Advanced Threat Protection and vulnerability assessment with the express configuration for all Azure SQL databases in the selected subscription.
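Review bot: the recommendation in the `+` line to use express configuration "so you aren't dependent on a storage account" should also state the trade-off, since the manage page in this same commit says that with express configuration you don't have direct access to result and baseline data because it's stored on internal Microsoft storage. Suggest: "We recommend that you enable vulnerability assessment using the express configuration so you aren't dependent on a storage account; scan results and baselines are then kept in Microsoft-managed storage and aren't directly accessible to you." The split into two sentences is fine.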
@@ -66,7 +66,7 @@ Now you can go to the [**SQL databases should have vulnerability findings resolv
#### Enable express vulnerability assessment at scale
-
If you have SQL resources that do not have Advanced Threat Protection and vulnerability assessment enable, you can use the [SQL vulnerability assessment APIs](sql-azure-vulnerability-assessment-manage.md#manage-vulnerability-assessments-programmatically) to enable SQL vulnerability assessment with the express configuration at scale.
+
If you have SQL resources that don't have Advanced Threat Protection and vulnerability assessment enabled, you can use the [SQL vulnerability assessment APIs](sql-azure-vulnerability-assessment-manage.md#manage-vulnerability-assessments-programmatically) to enable SQL vulnerability assessment with the express configuration at scale.
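Review bot: "SQL vulnerability assessment APIs" is ambiguous here, because the manage page in this commit states that express configuration isn't supported in PowerShell cmdlets but is supported in the latest REST API version and through `az security va sql` commands. Say "REST API or Azure CLI" explicitly so readers don't reach for the PowerShell cmdlets when enabling at scale. The "enable" to "enabled" fix is correct.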
articles/defender-for-cloud/sql-azure-vulnerability-assessment-find.md
6 additions & 4 deletions
@@ -12,7 +12,9 @@ ms.topic: how-to
Microsoft Defender for Cloud provides [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.
-
The [express and classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) are managed differently so make sure you follow the instructions for your configuration.
+
## Prerequisites
+
+
Make sure that you know whether you're using the [express or classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) before you continue.
To see which configuration you're using:
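Review bot: the replaced sentence loses its rationale. The removed line said the express and classic configurations "are managed differently", which is the reason a reader must know which one they're on; the new prerequisite line only says to know the configuration. Suggest: "The express and classic configurations are managed differently, so make sure you know which one you're using before you continue." Also "express or classic configurations" should be singular ("configuration") since a database uses one of them.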
@@ -37,13 +39,13 @@ The following permissions are required to changes vulnerability assessment setti
- SQL Security Manager
-
If you are receiving any automated emails with links to scan results the following permissions are required to access the links about scan results or to view scan results at the resource-level:
+
If you're receiving any automated emails with links to scan results the following permissions are required to access the links about scan results or to view scan results at the resource-level:
- SQL Security Manager
### Data residency
-
SQL vulnerability assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL vulnerability assessment, and stores the query results. SQL vulnerability assessment data is stored in the location of the logical server it is configured on. For example, if the user enabled vulnerability assessment on a logical server in West Europe, the results will be stored in West Europe. This data will be collected only if the SQL vulnerability assessment solution is configured on the logical server.
+
SQL vulnerability assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL vulnerability assessment, and stores the query results. SQL vulnerability assessment data is stored in the location of the logical server it's configured on. For example, if the user enabled vulnerability assessment on a logical server in West Europe, the results will be stored in West Europe. This data will be collected only if the SQL vulnerability assessment solution is configured on the logical server.
### On-demand vulnerability scans
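Review bot: the `+` line "If you're receiving any automated emails with links to scan results the following permissions are required..." still needs a comma after "scan results", and "to access the links about scan results" is redundant with the subject. Suggest: "If you receive automated emails with links to scan results, you need the following permissions to open those links or to view scan results at the resource level:". In the data residency paragraph, "if the user enabled vulnerability assessment" should be second person like the rest of the page ("if you enable vulnerability assessment on a logical server in West Europe, the results are stored in West Europe").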
@@ -87,7 +89,7 @@ To remediate the vulnerabilities discovered:
:::image type="content" source="media/defender-for-sql-azure-vulnerability-assessment/baseline-approval.png" alt-text="Approving a finding as a baseline for future scans":::
-
1. Any findings you've added to the baseline will now appear as **Passed** with an indication that they've passed because of the baseline changes. There is no need to run another scan for the baseline to take effect.
+
1. Any findings you've added to the baseline will now appear as **Passed** with an indication that they've passed because of the baseline changes. There's no need to run another scan for the baseline to take effect.
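Review bot: "There's no need to run another scan for the baseline to take effect" is only true for express configuration. The overview table in this same commit says a baseline "Will take effect **without** rescanning the database" in express but "**only after** rescanning the database" in classic, and this page is explicitly written for both configurations. Qualify the step, for example: "With the express configuration, there's no need to run another scan; with the classic configuration, the baseline takes effect after the next scan."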
articles/defender-for-cloud/sql-azure-vulnerability-assessment-manage.md
37 additions & 20 deletions
@@ -12,7 +12,9 @@ ms.topic: how-to
Microsoft Defender for Cloud provides [vulnerability assessment](sql-azure-vulnerability-assessment-overview.md) for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.
-
The [express and classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) are managed differently so make sure you follow the instructions for your configuration.
+
## Prerequisites
+
+
Make sure that you know whether you're using the [express or classic configurations](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations) before you continue.
To see which configuration you're using:
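Review bot: this Prerequisites block is word-for-word the same as the one added to sql-azure-vulnerability-assessment-find.md in this commit, and it has the same gap: dropping "are managed differently" removes the reason the prerequisite exists. Either restore that clause here too, or factor the shared paragraph into an include so the two pages don't drift apart on later edits.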
@@ -28,15 +30,15 @@ If the vulnerability settings show the option to configure a storage account, yo
Select **Scan History** in the vulnerability assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.
-
Express configuration doesn't store scan results if they're identical to previous scans, so the history page updates only when the status of a finding changes.
+
Express configuration doesn't store scan results if they're identical to previous scans. The scan time shown in the scan history is the time of the last scan where the scan results changed.
## Disable specific findings from Microsoft Defender for Cloud (preview)
-
If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.
+
If you have an organizational need to ignore a finding rather than remediate it, you can disable the finding. Disabled findings don't impact your secure score or generate unwanted noise. You can see the disabled finding in the "Not applicable" section of the scan results.
When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios may include:
-
- Disable findings with severity below medium
+
- Disable findings with medium or lower severity
- Disable findings that are non-patchable
- Disable findings from benchmarks that aren't of interest for a defined scope
@@ -92,7 +94,7 @@ The express configuration is supported in the latest REST API version with the f
### Using Resource Manager templates
-
To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the `Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines` type. Make sure that `vulnerabilityAssessments` is enabled before you add baselines.
+
To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the `Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines` type. Make sure that `vulnerabilityAssessments` is enabled before you add baselines.
Here are several examples to how you can set up baselines using ARM templates:
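Review bot: the resource type is changed to `Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines`, but the sentence that follows still says "Make sure that `vulnerabilityAssessments` is enabled", which is the old name. State which resource must exist under the new type, and say whether the ARM examples that follow (which use `"latestScan"` and `"results"`) apply to express configuration only, given that this section is introduced with "The express configuration is supported in the latest REST API version".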
@@ -151,7 +153,7 @@ Here are several examples to how you can set up baselines using ARM templates:
"properties": {
"latestScan": false,
"results": [
-
[ "True"]
+
[ "True" ]
]
}
}
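Review bot: whitespace-only change, fine. While touching this sample, note that `"results"` is an array of arrays (`[ [ "True" ] ]`) and the visible text doesn't say what each inner array represents; a one-line explanation of the row shape next to the `"latestScan": false` example would save readers a trip to the API reference.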
@@ -181,7 +183,9 @@ Express configuration isn't supported in PowerShell cmdlets but you can use Powe
### What happens to the old scan results and baselines after I switch to express configuration?
-
Old results and baselines settings remain available on your storage account, but won't be updated or used by the system. When express configuration is enabled, customers don't have direct access to the result and baseline data because it's stored on internal Microsoft storage.
+
Old results and baselines settings remain available on your storage account, but won't be updated or used by the system. You don't need to maintain these files for SQL vulnerability assessment to work after you switch to express configuration, but you can keep your old baseline definitions for future reference.
+
+
When express configuration is enabled, you don't have direct access to the result and baseline data because it's stored on internal Microsoft storage.
### Is there a way with express configuration to get the weekly email report that is provided in the classic configuration?
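Review bot: "won't be updated or used by the system" should say what happens on revert, since the Troubleshooting section below has "Revert back to the classic configuration": are the old baselines on the storage account picked up again, or must they be re-created? Also, because those old files hold vulnerability findings for the database, this paragraph should recommend locking down or cleaning up the storage account when it's no longer needed, rather than only noting that "you can keep your old baseline definitions for future reference".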
@@ -207,6 +211,18 @@ Stay tuned for updates!
No. Express configuration will be the default for every new supported Azure SQL database.
+
### Does express configuration change scan behavior?
+
+
No, express configuration provides the same scanning behavior and performance.
+
+
### Does express configuration have any effect on pricing?
+
+
Express configuration doesn't require a storage account, so you don't need to pay extra storage fees unless you choose to keep old scan and baseline data.
+
+
### What does the 1-MB cap per rule mean?
+
+
Any individual rule can't produce results that are more than 1 MB. When that limit is reached, the results for the rule are stopped. You can't set a baseline for the rule, the rule isn't included in the overall recommendation health, and the results are shown as "Not applicable".
+
## Troubleshooting
### Revert back to the classic configuration
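Review bot: "No, express configuration provides the same scanning behavior and performance" is contradicted by this commit itself: the new FAQ two entries down says a rule's results are capped at 1 MB and shown as "Not applicable" past that cap, the scan history section above says identical results aren't stored, and the overview table states recurring scans are always active in express but configurable on/off in classic. Narrow the answer to what is actually the same (the rule set, per "Supported Rules" in the overview table) and list those differences, or at least cross-reference the 1-MB FAQ. In that FAQ, "the results for the rule are stopped" is vague; say whether the rule is skipped entirely or truncated.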
@@ -231,7 +247,7 @@ To change an Azure SQL database from the express vulnerability assessment config
Possible causes:
-
- Switching to express configuration failed due to a server policy error. This could be due to a transient operation.
+
- Switching to express configuration failed due to a server policy error.
**Solution**: Try again to enable the express configuration. If the issue persists, try to disable the Microsoft Defender for SQL in the Azure SQL resource, select **Save**, enable Microsoft Defender for SQL again, and select **Save**.
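Review bot: deleting "This could be due to a transient operation" leaves the solution ("Try again to enable the express configuration") unmotivated, since a retry only makes sense when the failure can be transient. Either keep a short "often transient" qualifier on the cause, or explain what a "server policy error" is and what to check before retrying.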
@@ -252,13 +268,14 @@ If you have an organizational need to ignore a finding, rather than remediate it
When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings.
Typical scenarios may include:
-
- Disable findings with severity below medium
+
- Disable findings with medium or lower severity
- Disable findings that are non-patchable
- Disable findings from benchmarks that aren't of interest for a defined scope
> [!IMPORTANT]
-
> 1. To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in [Azure RBAC permissions in Azure Policy](/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy).
-
> 2. Disabled findings will still be included in the weekly SQL vulnerability assessment email report.
+
> - To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in [Azure RBAC permissions in Azure Policy](/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy).
+
> - Disabled findings will still be included in the weekly SQL vulnerability assessment email report.
+
> - Disabled rules are shown in the "Not applicable" section of the scan results.
To create a rule:
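Review bot: UI labels are formatted inconsistently: **Passed** and **Save** are bold elsewhere in this commit, but the new bullet uses "Not applicable" in quotes (as does the express section above). Pick one style for UI text. The numbered-to-bulleted change in the IMPORTANT box is fine; the severity rewording here carries the same meaning change as in the express section (medium is now included) and the two sections must stay consistent with actual product behaviour.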
@@ -328,15 +345,15 @@ You can use Azure CLI commands to programmatically manage your vulnerability ass
|[az security va sql baseline list](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-list)| View SQL vulnerability assessment baseline for all rules. |
-
|[az security va sql baseline set](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-set)| Sets SQL vulnerability assessment baseline. Replaces the current baseline. |
|[az security va sql scans list](/cli/azure/security/va/sql/scans#az-security-va-sql-scans-list)| List all SQL vulnerability assessment scan summaries. |
|[`az security va sql baseline list`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-list)| View SQL vulnerability assessment baseline for all rules. |
+
|[`az security va sql baseline set`](/cli/azure/security/va/sql/baseline#az-security-va-sql-baseline-set)| Sets SQL vulnerability assessment baseline. Replaces the current baseline. |
|[`az security va sql scans list`](/cli/azure/security/va/sql/scans#az-security-va-sql-scans-list)| List all SQL vulnerability assessment scan summaries. |
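Review bot: since `az security va sql baseline set` "Replaces the current baseline", the table (or the text above it) should tell readers to capture the existing baseline with `az security va sql baseline list` first; an unintended `set` silently drops previously approved findings and those findings reappear as failures. Wrapping the command names in backticks is the right fix.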
| Recurring scan | • Always active<br>• Scan scheduling is internal and not configurable | • Configurable on/off<br>Scan scheduling is internal and not configurable |
| Supported Rules | All vulnerability assessment rules for the supported resource type. | All vulnerability assessment rules for the supported resource type. |
| Baseline Settings | • Batch – several rules in one command<br>• Set by latest scan results<br>• Single rule | • Single rule |
| Apply baseline | Will take effect **without** rescanning the database | Will take effect **only after** rescanning the database |
-
| Single rule scan result size |Capped to 1MB| Unlimited |
+
| Single rule scan result size |Maximum of 1 MB| Unlimited |
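Review bot: "Maximum of 1 MB" reads better than "Capped to 1MB"; consider linking this cell to the new FAQ "What does the 1-MB cap per rule mean?" so readers learn that exceeding it stops the rule's results, prevents baselining, and marks the rule "Not applicable". Unrelated nit in the context lines: in the "Recurring scan" row the classic column is missing the bullet before "Scan scheduling is internal and not configurable".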