Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Configure Emails for Classic Vulnerability Assessment Scan Reports and Alerts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Sql-008

Ensure that your Amazon SQL database servers are configured with the email addresses of the concerned data owners, admins or stakeholders in order to receive Vulnerability Assessment (VA) scan reports and alerts for critical events. This setting is only available for SQL servers using the classic SQL Vulnerability Assessment configuration. For new, express configuration, email notifications are enabled by default and cannot be customized.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Cost
optimisation

After configuring email addresses, Microsoft Defender for SQL will send Vulnerability Assessment (VA) scan reports and alerts to the specified addresses. This can help your security team to reduce the time required for identifying risks and help take corrective measures.

Audit

To determine if there are email addresses configured to receive Vulnerability Assessment (VA) scan reports and alerts for SQL database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 From the Type equals all filter box, select Equals and choose SQL server to list only the SQL database servers provisioned for the selected Azure subscription.

04 Click on the name (link) of the SQL database server that you want to examine.

05 In the blade navigation panel, under Security, choose Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud check the Enablement Status attribute value and make sure that Microsoft Defender for SQL is enabled, then choose (Configure) to access the Vulnerability Assessment (VA) settings available for the selected SQL server.

07 In the VULNERABILITY ASSESSMENT SETTINGS section, perform the following checks:

  1. Ensure there is an Azure storage account configured under Storage account. If Storage account is not available, your SQL server is using the Vulnerability Assessment (VA) express configuration and the Audit process ends here. Otherwise, you can continue the Audit process with the next step.
  2. Check the Send scan reports to configuration box. If the configuration box is inactive, periodic recurring scans are disabled for your SQL database server. If Send scan reports to is active but empty, there are no email addresses configured to receive Vulnerability Assessment (VA) scan reports and alerts for the selected Microsoft SQL database server.

08 Repeat steps no. 4 – 7 for each SQL database server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run Get-AzSqlServer PowerShell command with custom query filters to list the names of each SQL database server and the name of its associated resource group, available within the current Azure subscription: 

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information: 

ServerName             ResourceGroupName
----------             -----------------
cc-prod-db-server      cloud-shell-storage-westeurope
cc-dev-sql-server      cloud-shell-storage-westeurope

03 Run Get-AzSqlServerVulnerabilityAssessmentSetting command with the name of the SQL server that you want to examine as the identifier parameter and custom query filters to determine if there are email addresses configured to receive Vulnerability Assessment scan reports and alerts: 

Get-AzSqlServerVulnerabilityAssessmentSetting -ServerName "cc-prod-db-server" -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object NotificationEmail,StorageAccountName

04 The command output should return the name of the storage account configured for Vulnerability Assessment (VA) storage and the email address(es) needed to receive VA scan reports and alerts. If the Get-AzSqlServerVulnerabilityAssessmentSetting command does not produce an output for NotificationEmail and StorageAccountName, your SQL server is using the Vulnerability Assessment (VA) express configuration and the Audit process ends here. Otherwise, you can continue the Audit process with the next step: 

NotificationEmail StorageAccountName
----------------- ------------------
{}                ProdVAStorage

If the Get-AzSqlServerVulnerabilityAssessmentSetting command output returns an empty object for the NotificationEmail attribute (i.e. {}), as shown in the example above, there are no email addresses configured to receive Vulnerability Assessment (VA) scan reports and alerts for the selected Microsoft SQL database server. If the command does not return a storage account for the StorageAccountName attribute, there is no target storage account to store the vulnerability assessments.

05 Repeat step no. 3 and 4 for each SQL database server available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure one or more email addresses for receiving Vulnerability Assessment (VA) scan reports and alerts from your Azure SQL database servers with classic VA configuration, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 From the Type equals all filter box, select Equals and choose SQL server to list only the SQL database servers provisioned for the selected Azure subscription.

04 Click on the name (link) of the SQL database server that you want to configure.

05 In the blade navigation panel, under Security, choose Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, check the Enablement Status attribute value and make sure that Microsoft Defender for SQL is enabled, then choose (Configure) to access the Vulnerability Assessment (VA) settings available for the selected SQL server.

07 In the VULNERABILITY ASSESSMENT SETTINGS section, perform the following checks:

  1. Ensure there is an Azure storage account configured under Storage account.
  2. Ensure that Periodic recurring scans is set to ON to perform periodic recurring scans for your SQL database server.
  3. In the Send scan reports to configuration box, provide a semicolon separated list of email addresses to which Vulnerability Assessment (VA) scan reports and alerts will be sent.
  4. Choose Save to apply the changes. Scans will be triggered automatically once a week. A scan result summary will be sent to the email addresses that you provide.

08 Repeat steps no. 4 – 7 for each SQL database server that you want to configure, provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run Update-AzSqlServerVulnerabilityAssessmentSetting cmdlet with the name of the SQL server that you want to configure and the name of the associated resource group as the identifier parameters to define one or more email addresses (separated by commas) required to receive Vulnerability Assessment (VA) scan reports and alerts. Set the -RecurringScansInterval parameter to Weekly to ensure that the Periodic Recurring Scans setting is enabled. Replace the highlighted information, i.e. <notification-email-address> with your own information: 

Update-AzSqlServerVulnerabilityAssessmentSetting
-ServerName "cc-prod-db-server"
-ResourceGroupName "cloud-shell-storage-westeurope"
-StorageAccountName "<storage-account-name>"
-RecurringScansInterval Weekly
-NotificationEmail @("<notification-email-address>")

02 The command output should return the new Vulnerability Assessment (VA) settings for classic configuration: 

ServerName                : cc-prod-db-server
ResourceGroupName         : cloud-shell-storage-westeurope
StorageAccountName        : ProdVAStorage
ScanResultsContainerName  : vulnerability-assessment
RecurringScansInterval    : Weekly
EmailAdmins               : True
NotificationEmail         : {<notification-email-address>"}

03 Repeat steps no. 1 and 2 for each SQL database server that you want to configure, available within the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Jul 24, 2019

Related Sql rules