SQL Server ‘send scan reports’ for vulnerability assessments should be enabled

Description

The vulnerability assessment setting "Send scan reports to" specifies which email addresses receive scan reports and alerts about critical findings on SQL servers. Configuring this setting may reduce the time required to identify vulnerability risks and take corrective measures.

Remediation Steps

Azure Portal

  • Navigate to SQL servers.

  • Select the SQL server and in the left navigation, select Security Center.

  • Select Enable Azure Defender for SQL if not already enabled.

  • In Azure Defender for SQL: Enabled at the subscription-level, select Configure.

  • Under VULNERABILITY ASSESSMENT SETTINGS, ensure Storage account is configured.

  • Enter the stakeholders’ email addresses in the Send scan reports to field.

  • Click Save.

Azure PowerShell

  • Enable Azure Defender for SQL, if not already enabled:

    • Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True

  • Configure the “Send scan reports to” setting:

    # Storage account and container receive the scan results; the two email
    # parameters control who is notified (subscription admins plus explicit recipients).
    Update-AzSqlServerVulnerabilityAssessmentSetting `
      -ResourceGroupName "<resource group name>" `
      -ServerName "<server name>" `
      -StorageAccountName "<storage name from same subscription and same location>" `
      -ScanResultsContainerName "vulnerability-assessment" `
      -RecurringScansInterval Weekly `
      -EmailSubscriptionAdmins $true `
      -NotificationEmail @("mail1@mail.com", "mail2@mail.com")
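The steps above configure one server by hand. The following script is an added example, not part of the original page or of any Microsoft tooling: it audits every SQL server in the current subscription with Get-AzSqlServerVulnerabilityAssessmentSetting, reports servers where no "Send scan reports to" recipient is set, and optionally remediates them with the same Update-AzSqlServerVulnerabilityAssessmentSetting call used above. The -Remediate switch, the $NotificationEmail default address and the property names read from the setting object are assumptions of this example; it requires the Az.Sql module and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the original page): audit the vulnerability assessment
# "Send scan reports to" setting across all SQL servers in the current subscription.
param(
    # Hypothetical switch: when set, servers that already have a storage account but
    # no recipients are remediated with the addresses in -NotificationEmail.
    [switch]$Remediate,
    # Placeholder recipient list; replace with the real stakeholder addresses.
    [string[]]$NotificationEmail = @("secops@example.com")
)

$findings = @()

foreach ($server in Get-AzSqlServer) {
    try {
        $setting = Get-AzSqlServerVulnerabilityAssessmentSetting `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName `
            -ErrorAction Stop
    } catch {
        # Assessment not configured (or no permission): record it as non-compliant and move on.
        $findings += [pscustomobject]@{
            ResourceGroup = $server.ResourceGroupName; Server = $server.ServerName
            StorageConfigured = $false; RecurringScans = 'n/a'; EmailAdmins = $false
            Recipients = ''; Compliant = $false; Note = $_.Exception.Message
        }
        continue
    }

    # Storage must be configured before recipients make sense (matches the portal steps).
    $hasStorage    = -not [string]::IsNullOrEmpty($setting.StorageAccountName)
    $hasRecipients = ($null -ne $setting.NotificationEmail) -and ($setting.NotificationEmail.Count -gt 0)

    $findings += [pscustomobject]@{
        ResourceGroup     = $server.ResourceGroupName
        Server            = $server.ServerName
        StorageConfigured = $hasStorage
        RecurringScans    = $setting.RecurringScansInterval
        EmailAdmins       = $setting.EmailSubscriptionAdmins
        Recipients        = ($setting.NotificationEmail -join ';')
        Compliant         = ($hasStorage -and $hasRecipients)
        Note              = ''
    }

    if ($Remediate -and $hasStorage -and -not $hasRecipients) {
        # Keep the existing storage, container and scan interval; only add recipients.
        Update-AzSqlServerVulnerabilityAssessmentSetting `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName `
            -StorageAccountName $setting.StorageAccountName `
            -ScanResultsContainerName $setting.ScanResultsContainerName `
            -RecurringScansInterval $setting.RecurringScansInterval `
            -EmailSubscriptionAdmins $true `
            -NotificationEmail $NotificationEmail
    }
}

# Full inventory, then the servers that still need attention.
$findings | Format-Table ResourceGroup, Server, StorageConfigured, RecurringScans, EmailAdmins, Recipients, Compliant -AutoSize
$findings | Where-Object { -not $_.Compliant } | Format-Table ResourceGroup, Server, Note -AutoSize
```

Run it without -Remediate first to review the inventory; servers without a storage account are reported but deliberately left alone, because the container and storage account must be chosen (same subscription and region, as the command above requires) before recipients can be set.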