4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server

Information

Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.

Rationale:

Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures.

Impact:

Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server.

Solution

From Azure Portal

Go to SQL servers

Select a server instance

Select Microsoft Defender for Cloud

Select Configure next to Enablement status

Set Microsoft Defender for SQL to On

Under Vulnerability Assessment Settings, select a Storage Account

Set Periodic recurring scans to On

Under Send scan reports to, provide email addresses for data owners and stakeholders

Click Save

From PowerShell
If not already, Enable Advanced Data Security for a SQL Server:

Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

To enable ADS-VA service and Set 'Send scan reports to'

Update-AzSqlServerVulnerabilityAssessmentSetting '
-ResourceGroupName '<resource group name>''
-ServerName '<Server Name>''
-StorageAccountName '<Storage Name from same subscription and same Location' '
-ScanResultsContainerName 'vulnerability-assessment' '
-RecurringScansInterval Weekly '
-EmailSubscriptionAdmins $true '
-NotificationEmail @('[email protected]' , '[email protected]')

Default Value:

By default, 'Send reports to' is blank.

See Also

https://workbench.cisecurity.org/benchmarks/10624