Defender for SQL Vulnerability Assessment Updates

Microsoft Defender for SQL provides full database protection through two components: threat protection that detects attacks in real time, and vulnerability assessment (VA) that scans, flags, and reports on database misconfigurations that attackers could exploit.

A few months ago, we launched the express configuration for vulnerability assessments in Defender for SQL (in public preview) that provides a streamlined onboarding experience for SQL vulnerability assessments with one-click configuration (or a simple API call), without any additional settings or dependencies on managed accounts.

This feature is currently available for Servers only.

Express configuration for Azure SQL Servers is now generally available

We're excited to announce the general availability of express configuration for vulnerability assessment on Servers, which includes the previously announced preview features together with full internal platform readiness and a variety of extensibility features that will allow you to manage the feature at scale.

What’s included in express configuration?

  • Simple enablement experience of SQL vulnerability assessment – without any additional settings or dependencies on customer-managed accounts.
  • Enable the vulnerability assessment capability for all Servers when turning on the Microsoft Defender for SQL plan at the subscription level.
  • Apply baselines without rescanning a database – once you select “Add all results as baseline”, the status of that finding will change from Unhealthy to Healthy immediately.
  • Set baselines at scale – enable multiple rules at once that can also be based on latest scan results.
  • (NEW!) Open findings in Azure Resource Graph (ARG) – supported in all vulnerability assessment database blades.

Selecting “Open Query” will open ARG in the context of the specified database with an out-of-the-box query.

The query results can be exported as a .CSV file as-is, or the query can be customized, for example by changing the scope to all databases under a server.

  • (NEW!) PowerShell wrapper examples that allow you to invoke any express configuration API functionality.
  • (NEW!) AzCli examples to utilize any express configuration API functionality. 
  • (NEW!) Updated migration scripts that will enable the migration of your existing baselines without manually reapplying them. 
  • (NEW!) Scan history record added every month even if there were no changes in the scan results.


Enable the new express configuration for SQL vulnerability assessments

Read the original preview announcement or review the updated documentation.

Updates to classic configuration support

In the next few weeks, we will provide an update on the deprecation timelines regarding classic configuration for SQL vulnerability assessment on Azure SQL Servers.

 

This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.