New express configuration for Vulnerability Assessment in Microsoft Defender for SQL- Public Preview
Users of Microsoft Defender for SQL can enjoy full database protection from two components: Advanced Threat Protection (ATP) for real-time detection of attacks and Vulnerability Assessment (VA) that scans, flags, and reports on database misconfigurations that may result in vulnerabilities for attackers to exploit.
We are pleased to announce the public preview of the new express configuration experience for Vulnerability Assessment in Microsoft Defender for SQL that provides security teams with streamlined configuration experience on Azure SQL Databases and Azure Synapse Dedicated SQL Pools (formerly SQL DW).
Benefits of Microsoft Defender for SQL Vulnerability Assessment express configuration
Until now, the Vulnerability Assessment within Defender for SQL requires a customer-managed Azure storage account for correct configuration to store scan results and baseline settings.
With the new express configuration experience for vulnerability assessments, security teams can:
- Configure vulnerability assessment with one click (within the SQL resource UI in Defender for Cloud blade), without any additional settings or dependencies on customer-managed storage accounts.
Microsoft Defender for SQL Settings Blade
• Apply baselines without rescanning a database - once you select “Add all results as baseline”, the status of that finding will change from Unhealthy to Healthy immediately
Status becomes healthy immediately
• Set baselines at scale (multiple rules at once, can also be based on latest scan results)
• Enable the vulnerability assessment capability for all Azure SQL Servers when turning on the Microsoft Defender for SQL bundle at the subscription-level
Get Started
The new configuration experience is available through the Microsoft Defender for Cloud blade under your Azure SQL Server resource at no extra cost for Microsoft Defender for SQL customers, or when configuring the Defender for SQL bundle at the subscription level.
For the purpose of the public preview, express configuration will only support server-level policies on logical servers containing: Azure SQL Databases and Azure Synapse Dedicated SQL Pools (formerly SQL DW).
Express configuration will be applied in the following scenarios:
- The Microsoft Defender for SQL plan is enabled on the SQL Server (this is the new default configuration for vulnerability assessment).
- Microsoft Defender for SQL plan was turned on the subscription level after the public preview release date (available December 22).
- Customer chose to switch from the SQL Server/Database Microsoft Defender for Cloud blade or the server settings blade.
Microsoft Defender for Cloud blade:
SQL vulnerability assessment is not configured warning
Settings blade:
SQL vulnerability assessment is not configured warning in Settings blade
Common Questions
Q: What else do I need to know before switching to express configuration?
A: Not all classic configuration features are available in express configuration so please review the full comparison in the official documentation. Also, be aware that switching from classic to express configuration during the preview will not migrate existing baselines and scan history.
Q: What happens to the Azure storage accounts currently configured for VA after switching to express configuration?
A: Express configuration doesn’t change the data in the storage accounts, it just stops writing baselines and scan results to those accounts. You are not required to maintain these files for SQL vulnerability assessment to work after switching to express configuration, but you may want to keep your old baseline definitions in case you’ll need them for reference in the future.
Q: Where are the scan results and baselines stored now with the express configuration of VA?
A: On internal storage accounts that comply with our data residency standards. Customers will no longer have direct access to these files.
Q: Does express configuration change scan behaviour?
A: No, express configuration provides the same scanning behaviour and performance.
Q: Does express configuration have any effect on pricing?
A: Enabling or switching to express configuration comes at no extra cost.
Since you are no longer required to maintain a storage account, you will no longer have to pay additional storage fees (if you choose to delete old scan and baseline data)
Additional Resources
- Microsoft Docs: SQL vulnerability assessment - Azure SQL Database & SQL Managed Instance & Azure Synapse Analytics | Microsoft Docs
- Supplemental Terms of Use for Microsoft Azure Previews
Huge thanks to the reviewers of this post:
@Dick Lake, Senior Product Manager, Microsoft Defender for Cloud
@Linnet Kariuki, Program Manager, Microsoft Defender for Cloud