Table: azure_sql_server_vulnerability_assessments

This table shows data for Azure SQL Server Vulnerability Assessments.

https://learn.microsoft.com/en-us/rest/api/sql/2021-11-01/server-vulnerability-assessments/list-by-server?tabs=HTTP#servervulnerabilityassessment (opens in a new tab)

The primary key for this table is id.

Relations

This table depends on azure_sql_servers.

Columns

NameType
_cq_iduuid
_cq_parent_iduuid
subscription_idutf8
propertiesjson
id (PK)utf8
nameutf8
typeutf8

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

Vulnerability assessment should be enabled on your SQL servers

WITH
  protected_servers
    AS (
      SELECT
        s.id AS server_id
      FROM
        azure_sql_servers AS s
        LEFT JOIN azure_sql_server_vulnerability_assessments AS va ON
            s._cq_id = va._cq_parent_id
      WHERE
        (va.properties->'recurringScans'->>'isEnabled')::BOOL IS true
    )
SELECT
  'Vulnerability assessment should be enabled on your SQL servers' AS title,
  i.subscription_id,
  i.id AS instance_id,
  CASE
  WHEN p.server_id IS NULL THEN 'fail'
  ELSE 'pass'
  END
FROM
  azure_sql_servers AS i LEFT JOIN protected_servers AS p ON p.server_id = i.id;

Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account (Automated)

SELECT
  'Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account (Automated)'
    AS title,
  s.subscription_id,
  s.id AS server_id,
  CASE
  WHEN (a.properties->>'storageContainerPath') IS NULL
  OR a.properties->>'storageContainerPath' = ''
  THEN 'fail'
  ELSE 'pass'
  END
FROM
  azure_sql_servers AS s
  LEFT JOIN azure_sql_server_vulnerability_assessments AS a ON
      s._cq_id = a._cq_parent_id;

Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server (Automated)

SELECT
  'Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server (Automated)'
    AS title,
  s.subscription_id,
  s.id,
  CASE
  WHEN (a.properties->'recurringScans'->>'isEnabled')::BOOL IS NOT true
  THEN 'fail'
  ELSE 'pass'
  END
FROM
  azure_sql_servers AS s
  LEFT JOIN azure_sql_server_vulnerability_assessments AS a ON
      s._cq_id = a._cq_parent_id;

Ensure that VA setting "Also send email notifications to admins and subscription owners" is set for a SQL server (Automated)

SELECT
  'Ensure that VA setting "Also send email notifications to admins and subscription owners" is set for a SQL server (Automated)'
    AS title,
  s.subscription_id,
  s.id AS server_id,
  CASE
  WHEN (a.properties->'recurringScans'->>'emailSubscriptionAdmins')::BOOL
  IS NOT true
  THEN 'fail'
  ELSE 'pass'
  END
FROM
  azure_sql_servers AS s
  LEFT JOIN azure_sql_server_vulnerability_assessments AS a ON
      s._cq_id = a._cq_parent_id;

Ensure that VA setting Send scan reports to is configured for a SQL server (Automated)

WITH
  vulnerability_emails
    AS (
      SELECT
        id,
        unnest((v.properties->'recurringScans'->>'emails')::STRING[]) AS emails
      FROM
        azure_sql_server_vulnerability_assessments AS v
    ),
  emails_count
    AS (
      SELECT
        id, count(emails) AS emails_number
      FROM
        vulnerability_emails
      GROUP BY
        id
    )
SELECT
  'Ensure that VA setting Send scan reports to is configured for a SQL server (Automated)'
    AS title,
  s.subscription_id,
  s.id AS server_id,
  CASE
  WHEN c.emails_number = 0 OR c.emails_number IS NULL THEN 'fail'
  ELSE 'pass'
  END
FROM
  azure_sql_servers AS s
  LEFT JOIN azure_sql_server_vulnerability_assessments AS sv ON
      s._cq_id = sv._cq_parent_id
  LEFT JOIN emails_count AS c ON sv.id = c.id;
Introduction