Add PowerShell scripts

bmansheim · bmansheim · commit c7fd033ae4d5 · 2022-11-29T18:15:40.000+02:00
diff --git a/articles/defender-for-cloud/powershell-sample-vulnerability-assessment-azure-sql.md b/articles/defender-for-cloud/powershell-sample-vulnerability-assessment-azure-sql.md
@@ -0,0 +1,194 @@
+---
+title: PowerShell Script Sample - Enable vulnerability assessment on a SQL server
+description: In this article, learn how to enable vulnerability assessments on Azure SQL databases with the express configuration.
+ms.topic: sample
+ms.date: 11/29/2022
+---
+
+# Enable vulnerability assessments on Azure SQL databases with the express configuration
+
+This PowerShell script enables the express configuration of [vulnerability assessments](../../defender-for-cloud/sql-azure-vulnerability-assessment-overview.md) on an Azure SQL Server.
+
+[!INCLUDE [sample-powershell-install](../../../includes/sample-powershell-install-no-ssh.md)]
+
+[!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
+
+## Sample script
+
+[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
+
+```powershell
+<#
+.SYNOPSIS
+    This script migrates an Azure SQL Server to the Vulnerability Assessment Express Configuration feature, and then scans all databases that belong to the selected server.
+
+.DESCRIPTION
+    This script migrates Azure SQL Server to the Vulnerability Assessment Express Configuration feature.
+    It deletes the current Vulnerability Assessment settings (if exists), this step will reset all the Vulnerability Assessment scans and baseline for all databases.
+
+#>
+
+
+$SubscriptionId     = "<subscriptionid>"                         # The Subscription id that the server belongs to.
+$ResourceGroupName  = "<resource group>"                         # The Resource Group that the server belongs to.
+$ServerName         = "<server name>"                            # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
+$Force              = $false                                     # Will remove the classic Vulnerability Assessment configurations without asking for confirmation.
+$APIVersion         = "2022-05-01-preview"
+
+
+
+###### New SQL Vulnerability Assessment Commands ######
+#######################################################
+
+
+function SetSqlVulnerabilityAssessmentServerSetting($SubscriptionId, $ResourceGroupName, $ServerName){
+    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default?api-version=" + $APIVersion
+    $Body = @{
+        properties = @{
+            state = "Enabled"
+        }
+    }
+
+    $Body = $Body | ConvertTo-Json
+    return SendRestRequest -Method "Put" -Uri $Uri -Body $Body
+}
+
+function RunSqlVulnerabilityAssessmentScanOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){
+    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=" + $APIVersion
+    SendRestRequest -Method "Post" -Uri $Uri
+}
+
+function RunSqlVulnerabilityAssessmentScanOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){ 
+    $Uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/initiateScan?api-version=" + $APIVersion + "&systemDatabaseName=$DatabaseName"
+    SendRestRequest -Method "Post" -Uri $Uri  
+}
+
+function SendRestRequest(
+    [Parameter(Mandatory=$True)]
+    [string] $Method, 
+    [Parameter(Mandatory=$True)]
+    [string] $Uri, 
+    [parameter( Mandatory=$false )]
+    [string] $Body = "DEFAULT")
+{  
+    $AccessToken = Get-AzAccessToken
+    $Token = "Bearer $($AccessToken.Token)"
+
+    $headers = @{
+        'Authorization' = $Token
+    }
+
+    $Params = @{
+         Method = $Method
+         Uri = $Uri
+         Headers = $headers
+         ContentType = "application/json"
+    }
+
+    if(!($Body -eq "DEFAULT"))
+    {
+      $Params = @{
+         Method = $Method
+         Uri = $Uri
+         Body = $Body
+         Headers = $headers
+         ContentType = "application/json"
+         }
+    }
+   
+    Invoke-RestMethod @Params
+}
+
+#######################################################
+
+
+function HaveVulnerabilityAssessmentSetting($ResourceGroupName, $ServerName, $Databases)
+{
+    # Check if we have a server setting.
+    Write-Host "Check Vulnerability Assessment setting for '$($ServerName)' server"
+    $vaServerSetting = Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName
+    if(![string]::IsNullOrEmpty($vaServerSetting.StorageAccountName))
+    {
+       return $true   
+    }
+
+    # Check if we have a database setting for server
+    foreach ($database in $Databases)
+    {
+      Write-Host "Check VA settings for '$($database.DatabaseName)' database"
+      $vaDatabaseSetting = Get-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
+      if(![string]::IsNullOrEmpty($vaDatabaseSetting.StorageAccountName))
+      {
+         return $true
+      }
+    }
+
+    return $false
+}
+
+
+# Connect
+Connect-AzAccount
+Set-AzContext $SubscriptionId
+
+$databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | where {$_.DatabaseName -ne "master"}
+$haveVaSetting = HaveVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -Databases $databases
+
+if($haveVaSetting)
+{
+
+    Write-Host "Classic Configurations detected."
+
+    if(!$Force)
+    { 
+        Write-Host "We are going to remove the current Vulnerability Assessment setting for this server and underlying databases, this step will reset all the Vulnerability Assessment scans and baseline for all databases ($($databases.Count) under this server)"
+        $Confirmation = Read-Host -Prompt "Do you approve (y/n)?"
+        if($Confirmation -ne "y")
+        {
+            Write-Host "You chose not to approve the migration process. Existing VA settings will not be changed." 
+            return
+        }
+    }
+   
+    # Removing Classic Configuration database Vulnerability Assessment setting
+    foreach ($database in $Databases)
+    {
+      Write-Host "Clear Classic Configuration Vulnerability Assessment setting for '$($database.DatabaseName)' database"
+      Clear-AzSqlDatabaseVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
+    }
+
+    # Removing Classic Configuration server Vulnerability Assessment setting
+    Write-Host "Clear Classic Configuration Vulnerability Assessment setting for '$($ServerName)' server"
+    Clear-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName
+}
+
+# Set Express Configuration SQL Vulnerability Assessment Setting
+Write-Host "Add Express Configuration Vulnerability Assessment feature setting for '$($ServerName)' server"
+$Respond = SetSqlVulnerabilityAssessmentServerSetting -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
+
+if( $Respond.properties.state.Equals("Enabled") )
+{
+    Write-Host "Congratulations! your server '$($ServerName)' server is set up with Vulnerability Assessment Express Configuration!"
+}
+else
+{
+    Write-Host "There was a problem to enable Vulnerability Assessment Express Configuration on the '$($ServerName)' server, please try again"
+    return
+}
+
+# Scan on all the databases
+foreach ($database in $Databases)
+{
+    Write-Host "Run scan on '$($database.DatabaseName)' database"
+    RunSqlVulnerabilityAssessmentScanOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName
+}
+
+Write-Host "Run scan on 'master' database"
+RunSqlVulnerabilityAssessmentScanOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName "master"
+
+Write-Host  "The migration process completed, the new scan results will be available in a couple of minutes."
+```
+
+## Next steps
+
+For more information on the Azure PowerShell module, see [Azure PowerShell documentation](/powershell/azure/new-azureps-module-az).
diff --git a/articles/defender-for-cloud/powershell-sample-vulnerability-assessment-baselines.md b/articles/defender-for-cloud/powershell-sample-vulnerability-assessment-baselines.md
@@ -0,0 +1,135 @@
+---
+title: PowerShell Script Sample - Enable vulnerability assessment on a SQL server
+description: In this article, learn how to enable vulnerability assessments on Azure SQL databases with the express configuration.
+ms.topic: sample
+ms.date: 11/29/2022
+---
+
+# Enable vulnerability assessments on Azure SQL databases with the express configuration
+
+This PowerShell script sets up baselines based on latest [vulnerability assessment](../../defender-for-cloud/sql-azure-vulnerability-assessment-overview.md) scan results for all databases in an Azure SQL Server.
+
+[!INCLUDE [sample-powershell-install](../../../includes/sample-powershell-install-no-ssh.md)]
+
+[!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
+
+## Sample script
+
+[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
+
+```powershell
+<#
+.SYNOPSIS
+    This script sets the results of the last successful scan as baseline for each database under the selected Azure SQL Server.
+
+.DESCRIPTION
+    This script check if the selected Azure SQL Server uses Vulnerability Assessment Express Configuration, iterates through all user databases under a server and sets the latest scan results as a baseline.
+
+#>
+
+
+$SubscriptionId     = "<subscriptionid>"                         # The Subscription id that the server belongs to.
+$ResourceGroupName  = "<resource group>"                         # The Resource Group that the server belongs to.
+$ServerName         = "<server name>"                            # The SQL server name that we want to apply the new SQL Vulnerability Assessment policy to (short name, without suffix).
+$APIVersion         = "2022-05-01-preview"
+
+
+
+
+###### New SQL Vulnerability Assessment Commands ######
+#######################################################
+
+
+function GetExpressConfigurationStatus($SubscriptionId, $ResourceGroupName, $ServerName){
+    $Uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/Defualt?api-version=" + $APIVersion
+    SendRestRequest -Method "GET" -Uri $Uri
+}
+
+
+function SetLastScanAsBaselineOnSystemDatabase($SubscriptionId, $ResourceGroupName, $ServerName){
+    $Uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default/baselines/default?systemDatabaseName=master&api-version=" + $APIVersion
+    $Body = "{properties: {latestScan: true,results: {}}}"
+    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
+}
+
+function SetLastScanAsBaselineOnUserDatabase($SubscriptionId, $ResourceGroupName, $ServerName, $DatabaseName){
+    $Uri  = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/baselines/default?api-version=" + $APIVersion
+    $Body = "{properties: {latestScan: true,results: {}}}"
+    SendRestRequest -Method "PUT" -Uri $Uri -Body $Body
+}
+
+
+function SendRestRequest(
+    [Parameter(Mandatory=$True)]
+    [string] $Method, 
+    [Parameter(Mandatory=$True)]
+    [string] $Uri, 
+    [parameter( Mandatory=$false )]
+    [string] $Body = "DEFAULT")
+{  
+    $AccessToken = Get-AzAccessToken
+    $Token = "Bearer $($AccessToken.Token)"
+
+    $headers = @{
+        'Authorization' = $Token
+    }
+
+    $Params = @{
+         Method = $Method
+         Uri = $Uri
+         Headers = $headers
+         ContentType = "application/json"
+    }
+
+    if(!($Body -eq "DEFAULT"))
+    {
+      $Params = @{
+         Method = $Method
+         Uri = $Uri
+         Body = $Body
+         Headers = $headers
+         ContentType = "application/json"
+         }
+    }
+   
+    Invoke-RestMethod @Params
+}
+
+#######################################################
+
+
+
+# Connect
+Connect-AzAccount
+Set-AzContext $SubscriptionId
+
+# Check if Express Configuration is enabled
+$ECState = (GetExpressConfigurationStatus -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName).properties.State
+
+Write-Host "Express Configuration status: " $ECState
+
+if ($ECState = "Enabled")
+{
+    # Get list of databases
+    $databases = Get-AzSqlDatabase -ResourceGroupName $ResourceGroupName -ServerName $ServerName | where {$_.DatabaseName -ne "master"}
+
+    # Set latest scan results as baseline on all user databases
+    foreach ($database in $Databases)
+    {
+        Write-Host "Set baseline on database: '$($database.DatabaseName)'"
+        SetLastScanAsBaselineOnUserDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName -DatabaseName $database.DatabaseName    
+    }
+
+    Write-Host "Set baseline on 'master' database"
+    SetLastScanAsBaselineOnSystemDatabase -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName
+}
+else
+{
+    Write-Host "The specified server does not have VA Express Configuration enabled therefore bulk baseline operations were not performed."
+    return
+}
+```
+
+## Next steps
+
+For more information on the Azure PowerShell module, see [Azure PowerShell documentation](/powershell/azure/new-azureps-module-az).
diff --git a/articles/defender-for-cloud/sql-azure-vulnerability-assessment-manage.md b/articles/defender-for-cloud/sql-azure-vulnerability-assessment-manage.md
@@ -176,8 +176,8 @@ Here are several examples to how you can setup baselines using ARM templates:
 
 Express configuration is not supported in PowerShell cmdlets but you can use PowerShell to invoke the latest vulnerability assessment capabilities using REST API, for example:
 
-- Enable express configuration on an Azure SQL Server
-- Setup baselines based on latest scan results for all databases in an Azure SQL Server
+- [Enable express configuration](powershell-sample-vulnerability-assessment-azure-sql.md) on an Azure SQL Server
+- [Setup baselines](powershell-sample-vulnerability-assessment-baselines.md) based on latest scan results for all databases in an Azure SQL Server
 
 ## FAQ
 
