Microsoft Defender for SQL provides full database protection and benefit from the following components: threat protection to detect attacks in real-time and vulnerability assessment (VA) that scans, flags, and reports on database misconfigurations that may result in vulnerabilities for attackers to exploit.
A few months ago, we launched the express configuration for vulnerability assessments in Defender for SQL (in public preview) that provides a streamlined onboarding experience for SQL vulnerability assessments with one–click configuration (or a simple API call), without any additional settings or dependencies on managed storage accounts.
This feature is currently available for Azure SQL Servers only.
Express configuration for Azure SQL Servers is now generally available
We're excited to announce the general availability of express configuration for vulnerability assessment on Azure SQL Servers, that includes the previously announced preview features together with full internal platform readiness and a variety of extensibility features that will allow you to manage the feature at scale.
What’s included in express configuration?
- Simple enablement experience of SQL vulnerability assessment – without any additional settings or dependencies on customer-managed storage accounts.
- Enable the vulnerability assessment capability for all Azure SQL Servers when turning on the Microsoft Defender for SQL plan at the subscription-level.
- Apply baselines without rescanning a database – once you select “Add all results as baseline”, the status of that finding will change from Unhealthy to Healthy immediately.
- Set baselines at scale – enable multiple rules at once that can also be based on latest scan results.
- (NEW!) Open findings in Azure Resource Graph (ARG) – supported in all vulnerability assessment database blades.
Selecting “Open Query” will open ARG in the context of the specified database with an out-of-the-box query.
The query results can be exported as a .CSV file as-is or it can be customized. For example, changing the scope to all databases under a server.
- (NEW!) PowerShell wrapper examples that allows you to invoke any express configuration API functionality.
- (NEW!) AzCli examples to utilize any express configuration API functionality.
- (NEW!) Updated migration scripts that will enable the migration of your existing baselines without manually reapplying them.
- (NEW!) Scan history record added every month even if there were no changes in the scan results.
Enable the new express configuration for SQL vulnerability assessments
Updates to classic configuration support
In the next few weeks, we will provide an update on the deprecation timelines regarding classic configuration for SQL vulnerability assessment on Azure SQL Servers.