Defender for SQL Vulnerability Assessment Updates

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Microsoft Defender for SQL provides full database protection through the following components: threat protection, which detects attacks in real time, and vulnerability assessment (VA), which scans, flags, and reports on database misconfigurations that may result in vulnerabilities for attackers to exploit.

 

A few months ago, we launched the express configuration for vulnerability assessments in Defender for SQL (in public preview) that provides a streamlined onboarding experience for SQL vulnerability assessments with one-click configuration (or a simple API call), without any additional settings or dependencies on managed storage accounts.

 

This feature is currently available for Azure SQL Servers only.

 

Express configuration for Azure SQL Servers is now generally available

We’re excited to announce the general availability of express configuration for vulnerability assessment on Azure SQL Servers, which includes the previously announced preview features together with full internal platform readiness and a variety of extensibility features that will allow you to manage the feature at scale.

 

What’s included in express configuration?

  • Simple enablement experience of SQL vulnerability assessment without any additional settings or dependencies on customer-managed storage accounts.
  • Enable the vulnerability assessment capability for all Azure SQL Servers when turning on the Microsoft Defender for SQL plan at the subscription-level.
  • Apply baselines without rescanning a database - once you select “Add all results as baseline”, the status of that finding will change from Unhealthy to Healthy immediately.
  • Set baselines at scale - enable multiple rules at once that can also be based on latest scan results.
  • (NEW!) Open findings in Azure Resource Graph (ARG) – supported in all vulnerability assessment database blades.

Selecting “Open Query” will open ARG in the context of the specified database with an out-of-the-box query.

 

The query results can be exported as a .CSV file as-is, or the query can be customized, for example by changing the scope to all databases under a server.

 

  • (NEW!) PowerShell wrapper examples that allow you to invoke any express configuration API functionality.
  • (NEW!) AzCli examples to utilize any express configuration API functionality. 
  • (NEW!) Updated migration scripts that will enable the migration of your existing baselines without manually reapplying them. 
  • (NEW!) Scan history record added every month even if there were no changes in the scan results.

 

Enable the new express configuration for SQL vulnerability assessments

Read the original preview announcement or review the updated documentation.

 

Updates to classic configuration support

In the next few weeks, we will provide an update on the deprecation timelines regarding classic configuration for SQL vulnerability assessment on Azure SQL Servers.

 
