More Info:

Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Periodic Recurring Scans Is Set To On” for AZURE using AZURE console, follow the below steps:
  1. Login to the Azure portal using your credentials.
  2. Navigate to the Security Center dashboard from the left-hand side menu.
  3. Click on the “Security policy” tab from the top menu.
  4. Select the subscription and the scope for which you want to configure the vulnerability assessment settings.
  5. Click on the “Edit” button to edit the security policy.
  6. Scroll down to the “Vulnerability Assessment” section and click on the “On” button for “Periodic recurring scans”.
  7. Set the “Recurring scans” frequency as per your requirement.
  8. Click on the “Save” button to save the changes.
Once the above steps are completed, the vulnerability assessment setting for periodic recurring scans will be turned on and the system will perform periodic scans as per the configured frequency.

To remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Periodic Recurring Scans Is Set To On” for Azure using Azure CLI, you can follow the below steps:
  1. Open the Azure CLI command prompt.
  2. Run the following command to enable vulnerability assessment for the specified Azure SQL Server: 
    az sql server va show --resource-group <resource-group-name> --server <server-name> --name default
    This command will show the current status of vulnerability assessment for the specified Azure SQL Server.
  3. Run the following command to enable periodic recurring scans for the specified Azure SQL Server: 
    az sql server va update --resource-group <resource-group-name> --server <server-name> --name default --email-admins On --email-address <email-address> --state On --recurring-scans-interval 1
    This command will enable periodic recurring scans for the specified Azure SQL Server with a frequency of 1 day.
  4. Verify the vulnerability assessment settings by running the following command: 
    az sql server va show --resource-group <resource-group-name> --server <server-name> --name default
    This command will show the updated status of vulnerability assessment for the specified Azure SQL Server.
By following these steps, you can remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Periodic Recurring Scans Is Set To On” for Azure using Azure CLI.
To remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Periodic Recurring Scans Is Set To On” in Azure using Python, you can use the Azure SDK for Python. Here are the steps to remediate the issue:
  1. Install the Azure SDK for Python using the following command:
pip install azure-mgmt-security
  1. Import the necessary modules:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.security import SecurityCenter
  1. Set up the credentials and the client:
TENANT_ID = '<your tenant id>'
CLIENT_ID = '<your client id>'
CLIENT_SECRET = '<your client secret>'
SUBSCRIPTION_ID = '<your subscription id>'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)

security_center_client = SecurityCenter(credentials, SUBSCRIPTION_ID)
  1. Get the security policy for your subscription:
policy = security_center_client.policies.get('default')
  1. Update the vulnerability assessment setting to enable periodic recurring scans:
vulnerability_assessment_settings = policy.security_contact_configurations.vulnerability_assessment
vulnerability_assessment_settings.recurring_scans = True

security_center_client.policies.create_or_update(policy.id, policy)
This will enable the vulnerability assessment setting for periodic recurring scans in Azure.

Additional Reading: