Scan your SQL servers for vulnerabilities

Microsoft Defender for SQL servers on machines extends the protections for your Azure-native SQL Servers to fully support hybrid environments and protect SQL servers (all supported versions) hosted in Azure, in other cloud environments, and even on on-premises machines.

The integrated vulnerability assessment scanner discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scan findings provide an overview of your SQL machines' security state and details of any security findings.

Note

  • The scan is lightweight, safe, entirely read-only, and takes only a few seconds per database to run. It does not make any changes to your database.
  • Execute permissions on the following stored procedures are required for some of the vulnerability assessment rules to run correctly: xp_instance_regread, sysmail_help_profile_sp.

Explore vulnerability assessment reports

The vulnerability assessment service scans your databases every 12 hours.

The vulnerability assessment dashboard provides an overview of your assessment results across all your databases, along with a summary of healthy and unhealthy databases, and an overall summary of failing checks according to risk distribution.

You can view the vulnerability assessment results directly from Defender for Cloud.

  1. From Defender for Cloud's sidebar, open the Recommendations page.

  2. Select the recommendation SQL servers on machines should have vulnerability findings resolved. For more information, see the Defender for Cloud recommendations reference page.

    The detailed view for this recommendation appears.

    Screenshot of the recommendation details page.

  3. For more details, drill down:

    • For an overview of the scanned resources (databases) and the list of security checks that were tested, open Affected resources and select the server of interest.

    • For an overview of the vulnerabilities grouped by a specific SQL database, select the database of interest.

    In each view, the security checks are sorted by Severity. Select a specific security check to see a details pane with a Description, how to Remediate it, and other related information such as Impact or Benchmark.

Set a baseline

As you review your assessment results, you can mark results as being an acceptable baseline in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. After you've established your baseline security state, the vulnerability assessment scanner only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.

Export results

Use the Continuous export feature of Microsoft Defender for Cloud to export vulnerability assessment findings to Azure Event Hubs or to a Log Analytics workspace.

View vulnerabilities in graphical, interactive reports

Defender for Cloud's integrated Azure Monitor Workbooks gallery includes an interactive report of all findings from the vulnerability scanners for machines, containers in container registries, and SQL servers.

Findings for each of these scanners are reported in separate recommendations:

The 'Vulnerability Assessment Findings' report gathers all of these findings and organizes them by severity, resource type, and category. You can find the report in the workbooks gallery available from Defender for Cloud's sidebar.

Defender for Cloud's vulnerability assessment findings report

Disable specific findings

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios include:

  • Disable findings with severity below medium
  • Disable findings that are non-patchable
  • Disable findings from benchmarks that aren't of interest for a defined scope

Important

To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.

To create a rule:

  1. From the recommendations detail page for SQL servers on machines should have vulnerability findings resolved, select Disable rule.

  2. Select the relevant scope.

  3. Define your criteria. You can use any of the following criteria:

    • Finding ID
    • Severity
    • Benchmarks

    Create a disable rule for VA findings on SQL servers on machines.

  4. Select Apply rule. Changes might take up to 24 hours to take effect.

  5. To view, override, or delete a rule:

    1. Select Disable rule.

    2. From the scope list, subscriptions with active rules show as Rule applied.

      Screenshot showing how to modify or delete an existing rule in the Defender for Cloud portal.

    3. To view or delete the rule, select the ellipsis menu ("...").

Manage vulnerability assessments programmatically

Use Azure PowerShell

You can use Azure PowerShell cmdlets to programmatically manage your vulnerability assessments. The supported cmdlets are:

Cmdlet                                                 Description
Add-AzSecuritySqlVulnerabilityAssessmentBaseline       Adds a SQL Vulnerability Assessment baseline.
Get-AzSecuritySqlVulnerabilityAssessmentBaseline       Gets a SQL Vulnerability Assessment baseline.
Get-AzSecuritySqlVulnerabilityAssessmentScanResult     Gets SQL Vulnerability Assessment scan results.
Get-AzSecuritySqlVulnerabilityAssessmentScanRecord     Gets SQL Vulnerability Assessment scan records.
Remove-AzSecuritySqlVulnerabilityAssessmentBaseline    Removes a SQL Vulnerability Assessment baseline.
Set-AzSecuritySqlVulnerabilityAssessmentBaseline       Sets a new SQL Vulnerability Assessment baseline on a specific database; the old baseline, if one exists, is discarded.
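The following script is an added example, not part of this page or of the Az.Security module's own documentation: it pulls the latest scan results for one database with the cmdlets listed above, lists the failing checks by severity, and then accepts one check's current result as the baseline, as described under Set a baseline. The subscription, resource group, VM, server, workspace and rule values are placeholders, and the parameter names (-ResourceId, -WorkspaceId, -ScanId, -RuleId, -LatestScan), the 'latest' scan ID, the resource ID format, and the Status / RuleMetadata result properties are assumptions to confirm with Get-Help before use.

```powershell
# Added example (not from the page). Assumes the Az.Security module and an
# authenticated Az session (Connect-AzAccount). Parameter names, the 'latest'
# scan ID, the resource ID format and the result property names are assumptions.
$subscriptionId = '<subscription-id>'            # placeholder
$resourceGroup  = '<resource-group>'             # placeholder
$vmName         = '<vm-name>'                    # placeholder
$sqlServer      = '<sql-server-name>'            # placeholder
$workspaceId    = '<log-analytics-workspace-id>' # placeholder

# Database resource ID for a SQL server hosted on an Azure VM (assumed format).
$dbResourceId = "subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/" +
                "Microsoft.Compute/virtualMachines/$vmName/sqlServers/$sqlServer/databases/master"

# Fetch every check from the most recent scan and keep only the failing ones.
$results = Get-AzSecuritySqlVulnerabilityAssessmentScanResult `
               -ResourceId $dbResourceId -WorkspaceId $workspaceId -ScanId 'latest'

$severityRank = @{ High = 0; Medium = 1; Low = 2 }   # order: most severe first
$findings = $results |
    Where-Object { $_.Status -eq 'Finding' } |
    Sort-Object { $severityRank[[string]$_.RuleMetadata.Severity] }, RuleId

# Summary of open findings: rule ID, severity and benchmark references.
$findings |
    Select-Object RuleId,
                  @{ n = 'Severity';   e = { $_.RuleMetadata.Severity } },
                  @{ n = 'Benchmarks'; e = { ($_.RuleMetadata.BenchmarkReferences | ForEach-Object { $_.Benchmark }) -join ', ' } } |
    Format-Table -AutoSize

# Accept one rule's current result as the baseline so that later scans report
# only deviations from it (the finding no longer counts as failing).
$acceptedRuleId = '<rule-id-from-table-above>'   # placeholder, e.g. a VA rule ID
Add-AzSecuritySqlVulnerabilityAssessmentBaseline `
    -ResourceId $dbResourceId -WorkspaceId $workspaceId -RuleId $acceptedRuleId -LatestScan

# Confirm what is now baselined for that rule.
Get-AzSecuritySqlVulnerabilityAssessmentBaseline `
    -ResourceId $dbResourceId -WorkspaceId $workspaceId -RuleId $acceptedRuleId
```

Only accept a finding as baseline after reviewing its Description and Remediation in the portal; a baselined check is reported as passing in subsequent scans.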

Data residency

SQL Vulnerability Assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL Vulnerability Assessment, and stores the query results. SQL Vulnerability Assessment data is stored in the location of the Log Analytics workspace that the machine is connected to. For example, if the user connects a SQL Virtual Machine to a Log Analytics workspace in China North, the results will be stored in China North. This data will be collected only if the SQL Vulnerability Assessment solution is enabled on the Log Analytics workspace.

Metadata information about the connected machine is also collected. Specifically:

  • Operating system name, type, and version
  • Computer fully qualified domain name (FQDN)
  • Connected Machine agent version
  • UUID (BIOS ID)
  • SQL server name and underlying database names

You can specify the region where your SQL Vulnerability Assessment data will be stored by choosing the Log Analytics workspace location. Azure might replicate to other regions for data resiliency, but Azure does not replicate data outside the geography.

Note

Changing the Defender for SQL on Machines plan's Log Analytics workspace will reset the scan results and baseline settings. If you revert to the original Log Analytics workspace within 90 days, the scan results and baseline settings will be made available again.
