
Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Sql-009

Ensure that the Vulnerability Assessment setting "Also send email notification to admins and subscription owners" is enabled for your Microsoft SQL database servers. This security setting enables Microsoft Defender for SQL to contact your subscription owners and administrators if the Microsoft Security Response Center (MSRC) discovers that your cloud resources and/or data have been accessed by an unauthorized actor. The setting is only available for SQL servers using the classic SQL Vulnerability Assessment configuration. For the new express configuration, email notifications are enabled by default and cannot be customized.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security, Cost optimisation

Once the "Also send email notification to admins and subscription owners" setting is enabled, Vulnerability Assessment (VA) scan reports and alerts will be sent to admins and subscription owners. This can help to reduce the time required for identifying risks and taking corrective measures.


Audit

To determine if the "Also send email notification to admins and subscription owners" setting is enabled, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 From the Type equals all filter box, select Equals and choose SQL server to list only the SQL database servers provisioned for the selected Azure subscription.

04 Click on the name (link) of the SQL database server that you want to examine.

05 In the blade navigation panel, under Security, choose Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, check the Enablement Status attribute value and make sure that Microsoft Defender for SQL is enabled, then choose (Configure) to access the Vulnerability Assessment (VA) settings available for the selected SQL server.

07 In the VULNERABILITY ASSESSMENT SETTINGS section, perform the following checks:

  1. Ensure there is an Azure storage account configured under Storage account. If Storage account is not available, your SQL server is using the Vulnerability Assessment (VA) express configuration and the Audit process ends here. Otherwise, you can continue the Audit process with the next step.
  2. Check the Also send email notification to admins and subscription owners setting checkbox available under Send scan reports to. If the setting checkbox is not checked (enabled), security alerts generated for the selected Microsoft SQL database server are not being delivered to the designated subscription owners and administrators.

08 Repeat steps no. 4 – 7 for each SQL database server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Get-AzSqlServer PowerShell command with custom query filters to list the name of each SQL database server and the name of its associated resource group, available within the current Azure subscription:

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information:

ServerName          ResourceGroupName
----------          -----------------
cc-prod-db-server   cloud-shell-storage-westeurope
cc-dev-sql-server   cloud-shell-storage-westeurope

03 Run the Get-AzSqlServerVulnerabilityAssessmentSetting command with the name of the SQL server that you want to examine and the name of its resource group as the identifier parameters, and custom query filters, to determine if the "Also send email notification to admins and subscription owners" setting is enabled for the selected SQL server:

Get-AzSqlServerVulnerabilityAssessmentSetting -ServerName "cc-prod-db-server" -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object EmailAdmins,StorageAccountName

04 The command output should return the name of the storage account configured for Vulnerability Assessment (VA) storage and the required setting status. If the Get-AzSqlServerVulnerabilityAssessmentSetting command does not produce output for EmailAdmins and StorageAccountName, your SQL server is using the Vulnerability Assessment (VA) express configuration and the Audit process ends here. Otherwise, you can continue the Audit process with the next step:

EmailAdmins StorageAccountName
----------- ------------------
False       ProdVAStorage

If the Get-AzSqlServerVulnerabilityAssessmentSetting command output returns False for the EmailAdmins attribute, as shown in the example above, security alerts generated for the selected Microsoft SQL database server are not being delivered to the designated subscription owners and administrators. If the command does not return a storage account for the StorageAccountName attribute, there is no target storage account to store the vulnerability assessments.

05 Repeat steps no. 3 and 4 for each SQL database server available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable sending Vulnerability Assessment (VA) email notifications to admins and subscription owners using the classic configuration, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 From the Type equals all filter box, select Equals and choose SQL server to list only the SQL database servers provisioned for the selected Azure subscription.

04 Click on the name (link) of the SQL database server that you want to configure.

05 In the blade navigation panel, under Security, choose Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, check the Enablement Status attribute value and make sure that Microsoft Defender for SQL is enabled, then choose (Configure) to access the Vulnerability Assessment (VA) settings available for the selected SQL server.

07 In the VULNERABILITY ASSESSMENT SETTINGS section, perform the following actions:

  1. Ensure there is an Azure storage account configured under Storage account.
  2. Ensure that Periodic recurring scans is set to ON to perform periodic recurring scans for your SQL database server.
  3. Check the Also send email notification to admins and subscription owners checkbox to enable sending Vulnerability Assessment email notifications to admins and subscription owners for the selected SQL database server.
  4. Choose Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each SQL database server that you want to configure, provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Update-AzSqlServerVulnerabilityAssessmentSetting cmdlet with the name of the SQL server that you want to configure and the name of the associated resource group as the identifier parameters to enable sending Vulnerability Assessment (VA) email notifications to admins and subscription owners by setting the -EmailAdmins parameter to $true. Set the -RecurringScansInterval parameter to Weekly to ensure that the Periodic Recurring Scans setting is enabled. Replace <storage-account-name> with your own information:

Update-AzSqlServerVulnerabilityAssessmentSetting `
    -ServerName "cc-prod-db-server" `
    -ResourceGroupName "cloud-shell-storage-westeurope" `
    -StorageAccountName "<storage-account-name>" `
    -RecurringScansInterval Weekly `
    -EmailAdmins $true

02 The command output should return the new Vulnerability Assessment (VA) settings for classic configuration:

ServerName               : cc-prod-db-server
ResourceGroupName        : cloud-shell-storage-westeurope
StorageAccountName       : <storage-account-name>
ScanResultsContainerName : vulnerability-assessment
RecurringScansInterval   : Weekly
EmailAdmins              : True
NotificationEmail        : {<notification-email-address>}

03 Repeat steps no. 1 and 2 for each SQL database server that you want to configure, available within the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
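The two PowerShell procedures above (Audit steps 1–6 and Remediation steps 1–4) can be combined into one script that walks every subscription, reports each SQL server's classic VA status, skips servers on the express configuration, and, only when -Fix is given, applies the same Update-AzSqlServerVulnerabilityAssessmentSetting call the page shows. This is an added example, not code from the Conformity page; it assumes the Az.Accounts and Az.Sql modules are installed and Connect-AzAccount has already been run, and it uses Get-AzSubscription and Set-AzContext, which are standard Az cmdlets not shown on the page.

```powershell
# Added example: audit (and optionally remediate) the classic VA
# "email admins" setting across all subscriptions.
param(
    [switch]$Fix,
    [string]$RecurringScansInterval = "Weekly"   # assumption: same value the page uses
)

$findings = @()
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($srv in Get-AzSqlServer) {
        $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                -ServerName $srv.ServerName `
                -ResourceGroupName $srv.ResourceGroupName
        # No storage account in the output means express configuration:
        # notifications are on by default and cannot be changed, so skip.
        if ([string]::IsNullOrEmpty($va.StorageAccountName)) {
            $status = "express (skipped)"
        } elseif ($va.EmailAdmins) {
            $status = "compliant"
        } else {
            $status = "NON-COMPLIANT"
            if ($Fix) {
                # Same cmdlet and parameters as Remediation step 1 on the page,
                # reusing the storage account already configured on the server.
                Update-AzSqlServerVulnerabilityAssessmentSetting `
                    -ServerName $srv.ServerName `
                    -ResourceGroupName $srv.ResourceGroupName `
                    -StorageAccountName $va.StorageAccountName `
                    -RecurringScansInterval $RecurringScansInterval `
                    -EmailAdmins $true | Out-Null
                $status = "fixed"
            }
        }
        $findings += [pscustomobject]@{
            Subscription   = $sub.Name
            Server         = $srv.ServerName
            ResourceGroup  = $srv.ResourceGroupName
            StorageAccount = $va.StorageAccountName
            EmailAdmins    = $va.EmailAdmins
            Status         = $status
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it without -Fix first to get a read-only report; the NON-COMPLIANT rows are the servers the Audit section would flag.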


Publication date Jul 24, 2019