4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server

Information

Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.

Rationale:

VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.

Impact:

Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.

Solution

From Azure Portal

Go to SQL servers

Select a server instance

Click on Security Center

Select Configure next to Enabled at subscription-level

In Section Vulnerability Assessment Settings, configure Storage Accounts if not already

Check/enable 'Also send email notifications to admins and subscription owners'

Click Save

From PowerShell
If not already, Enable Advanced Data Security for a SQL Server:

Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

To enable ADS-VA service and Set 'Also send email notifications to admins and subscription owners'

Update-AzSqlServerVulnerabilityAssessmentSetting '
-ResourceGroupName '<resource group name>''
-ServerName '<Server Name>''
-StorageAccountName '<Storage Name from same subscription and same Location' '
-ScanResultsContainerName 'vulnerability-assessment' '
-RecurringScansInterval Weekly '
-EmailSubscriptionAdmins $true '
-NotificationEmail @('[email protected]' , '[email protected]')

Default Value:

By default, 'Also send email notifications to admins and subscription owners' is enabled.

See Also

https://workbench.cisecurity.org/benchmarks/10624