More Info:

Configure ‘Send scan reports to’ with email ids of concerned data owners/stakeholders for a critical SQL servers.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Send Scan Reports To Is Configured” in Azure, please follow the below steps:
  1. Login to your Azure portal.
  2. Select the subscription where you want to remediate the misconfiguration.
  3. Go to the Security Center in the left-hand menu.
  4. Click on “Security policy” in the Security Center dashboard.
  5. Scroll down to the “Vulnerability Assessment” section and click on it.
  6. Click on the “Edit settings” button.
  7. Scroll down to the “Scan Reports” section.
  8. Ensure that the “Send scan reports to” option is set to a valid email address or a storage account.
  9. If you want to send the scan reports to an email address, enter the email address in the text box.
  10. If you want to send the scan reports to a storage account, select the storage account from the drop-down list.
  11. Click on the “Save” button to save the changes.
After completing these steps, the misconfiguration “Ensure That Vulnerability Assessment Setting Send Scan Reports To Is Configured” will be remediated in Azure.

To remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Send Scan Reports To Is Configured” for AZURE using AZURE CLI, follow the steps below:
  1. Open the Azure CLI in your terminal or command prompt.
  2. Login to your Azure account using the command “az login”.
  3. Once you are logged in, run the following command to set the “sendScanReportTo” property to a valid email address: 
    az sql vm group update --name <resource-group-name> --sql-management --send-scan-report-to <email-address>
    Replace <resource-group-name> with the name of the resource group where your SQL Server virtual machine is located and <email-address> with a valid email address where you want to receive the scan reports.
  4. After running the command, the “sendScanReportTo” property will be set and the vulnerability assessment scan reports will be sent to the specified email address.
By following these steps, you can remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Send Scan Reports To Is Configured” for AZURE using AZURE CLI.
To remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Send Scan Reports To Is Configured” for Azure using python, you can follow the below steps:
  1. Import the necessary libraries:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.security import SecurityCenter
from azure.mgmt.security.models import SecurityAssessmentMetadata
  1. Authenticate and create a client object:
credentials = ServicePrincipalCredentials(client_id=<client_id>,
                                          secret=<client_secret>,
                                          tenant=<tenant_id>)

security_center_client = SecurityCenter(credentials, <subscription_id>)
  1. Retrieve the assessment metadata for the specific subscription:
assessment_metadata = security_center_client.assessment_metadata.get(<subscription_id>, "vulnerabilityAssessmentSettings")
  1. Check if the “sendScanReportsTo” property is configured:
if assessment_metadata.send_scan_reports_to is None:
    assessment_metadata.send_scan_reports_to = "<email_address>"
  1. Update the assessment metadata:
security_center_client.assessment_metadata.create_or_update(<subscription_id>, "vulnerabilityAssessmentSettings", assessment_metadata)
By following these steps, you can remediate the misconfiguration “Ensure That Vulnerability Assessment Setting Send Scan Reports To Is Configured” for Azure using python.

Additional Reading: