New express configuration for Vulnerability Assessment in Microsoft Defender for SQL- Public Preview
Published Dec 12 2022 10:58 AM 2,559 Views

Users of Microsoft Defender for SQL can enjoy full database protection from two components: Advanced Threat Protection (ATP) for real-time detection of attacks and Vulnerability Assessment (VA) that scans, flags, and reports on database misconfigurations that may result in vulnerabilities for attackers to exploit. 

 

We are pleased to announce the public preview of the new express configuration experience for Vulnerability Assessment in Microsoft Defender for SQL that provides security teams with streamlined configuration experience on Azure SQL Databases and Azure Synapse Dedicated SQL Pools (formerly SQL DW).

 

Benefits of Microsoft Defender for SQL Vulnerability Assessment express configuration

Until now, the Vulnerability Assessment within Defender for SQL requires a customer-managed Azure storage account for correct configuration to store scan results and baseline settings.

With the new express configuration experience for vulnerability assessments, security teams can:

  • Configure vulnerability assessment with one click (within the SQL resource UI in Defender for Cloud blade), without any additional settings or dependencies on customer-managed storage accounts.

Liana_Anca_Tomescu_4-1670858653568.png

Microsoft Defender for SQL Settings Blade

 

• Apply baselines without rescanning a database - once you select “Add all results as baseline”, the status of that finding will change from Unhealthy to Healthy immediately

 

Liana_Anca_Tomescu_5-1670858718119.png

Status becomes healthy immediately


• Set baselines at scale (multiple rules at once, can also be based on latest scan results)
• Enable the vulnerability assessment capability for all Azure SQL Servers when turning on the Microsoft Defender for SQL bundle at the subscription-level

 

Get Started

The new configuration experience is available through the Microsoft Defender for Cloud blade under your Azure SQL Server resource at no extra cost for Microsoft Defender for SQL customers, or when configuring the Defender for SQL bundle at the subscription level. 

For the purpose of the public preview, express configuration will only support server-level policies on logical servers containing:                Azure SQL Databases and Azure Synapse Dedicated SQL Pools (formerly SQL DW).

 

Express configuration will be applied in the following scenarios:

  • The Microsoft Defender for SQL plan is enabled on the SQL Server (this is the new default configuration for vulnerability assessment).
  • Microsoft Defender for SQL plan was turned on the subscription level after the public preview release date (available December 22).
  • Customer chose to switch from the SQL Server/Database Microsoft Defender for Cloud blade or the server settings blade.

    Microsoft Defender for Cloud blade:
    Liana_Anca_Tomescu_0-1670870204865.png

    SQL vulnerability assessment is not configured warning

      

    Settings blade:

    Liana_Anca_Tomescu_1-1670870236484.png

    SQL vulnerability assessment is not configured warning in Settings blade

 

Common Questions

Q: What else do I need to know before switching to express configuration?
A: Not all classic configuration features are available in express configuration so please review the full comparison in the official documentation. Also, be aware that switching from classic to express configuration during the preview will not migrate existing baselines and scan history.

 

Q: What happens to the Azure storage accounts currently configured for VA after switching to express configuration?
A: Express configuration doesn’t change the data in the storage accounts, it just stops writing baselines and scan results to those accounts. You are not required to maintain these files for SQL vulnerability assessment to work after switching to express configuration, but you may want to keep your old baseline definitions in case you’ll need them for reference in the future. 


Q: Where are the scan results and baselines stored now with the express configuration of VA?
A: On internal storage accounts that comply with our data residency standards. Customers will no longer have direct access to these files.

 

Q: Does express configuration change scan behaviour?
A: No, express configuration provides the same scanning behaviour and performance.

 

Q: Does express configuration have any effect on pricing?
A: Enabling or switching to express configuration comes at no extra cost.
Since you are no longer required to maintain a storage account, you will no longer have to pay additional storage fees (if you choose to delete old scan and baseline data)



Additional Resources

 

Huge thanks to the reviewers of this post:

@Dick Lake, Senior Product Manager, Microsoft Defender for Cloud

@Linnet Kariuki, Program Manager, Microsoft Defender for Cloud

1 Comment
Version history
Last update:
‎Dec 12 2022 10:56 AM
Updated by: