Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
Sets the vulnerability assessment rule baseline.
Syntax
SetByNameParameterSet (Default)
Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
[-InstanceName] <String>
[-DatabaseName] <String>
[-ResourceGroupName] <String>
-BaselineResult <String[][]>
-RuleId <String>
[-RuleAppliesToMaster]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline
[-ResourceGroupName] <String>
-BaselineResult <String[][]>
-RuleId <String>
[-InputObject <VulnerabilityAssessmentRuleBaselineModel>]
[-RuleAppliesToMaster]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline cmdlet sets the vulnerability assessment rule baseline.
As you review your assessment results, you can mark specific results as being an acceptable Baseline in your environment. The baseline is essentially a customization of how the results are reported. Results that match the baseline are considered as passing in subsequent scans. Once you have established your baseline security state, vulnerability assessment only reports on deviations from the baseline, and you can focus your attention on the relevant issues.
Note that you need to run Enable-AzSqlInstanceAdvancedDataSecurity and Update-AzSqlInstanceVulnerabilityAssessmentSetting cmdlet as a prerequisite for using this cmdlets.
Examples
Example 1: Set a vulnerability assessment rule baseline
Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
-ResourceGroupName "ResourceGroup01" `
-InstanceName "ManagedInstance01" `
-DatabaseName "Database01" `
-RuleId "VA2108" `
-RuleAppliesToMaster `
-BaselineResult @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
ResourceGroupName : ResourceGroup01
InstanceName : ManagedInstance01
DatabaseName : Database01
RuleId : VA2108
RuleAppliesToMaster : True
BaselineResult : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
BaselineResult value is a composition of several sub arrays that described the T-SQL results that will be added to the baseline.
You may find the Scan results under the storage defined by the Update-AzSqlInstanceVulnerabilityAssessmentSetting cmdlet, under scans/{ManagedInstanceName}/{ManagedDatabaseName}/scan_{ScanId}.json
Example 2: Set a vulnerability assessment rule baseline from a baseline object
Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
-ResourceGroupName "ResourceGroup01" `
-InstanceName "ManagedInstance01" `
-DatabaseName "Database01" `
-RuleId "VA2108" `
-BaselineResult @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
-ResourceGroupName "ResourceGroup01" `
-InstanceName "ManagedInstance01" `
-DatabaseName "Database01" `
-RuleId "VA2108" `
| Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
-ResourceGroupName "ResourceGroup02" `
-InstanceName "ManagedInstance02" `
-DatabaseName "Database02"
ResourceGroupName : ResourceGroup02
InstanceName : ManagedInstance02
DatabaseName : Database02
RuleId : VA2108
RuleAppliesToMaster : False
BaselineResult : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
Example 3: Set a vulnerability assessment rule baseline on all the databases under a managed instance
Get-AzSqlInstanceDatabase -ResourceGroupName "ResourceGroup01" `
-InstanceName "ManagedInstance01" `
| Where-Object {$_.Name -ne "master"} `
| Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline `
-RuleId "VA2108" `
-BaselineResult @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
ResourceGroupName : ResourceGroup01
InstanceName : ManagedInstance01
DatabaseName : Database01
RuleId : VA2108
RuleAppliesToMaster : False
BaselineResult : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
ResourceGroupName : ResourceGroup01
InstanceName : ManagedInstance01
DatabaseName : Database02
RuleId : VA2108
RuleAppliesToMaster : False
BaselineResult : @( 'Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')
Parameters
-BaselineResult
The results to set as baseline for the rule in all future scans
Parameter properties
Type: String [ ][ ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: cf
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DatabaseName
SQL Managed Database name.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
SetByNameParameterSet
Position: 2 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Parameter properties
Type: IAzureContextContainer
Default value: None Supports wildcards: False DontShow: False Aliases: AzContext, AzureRmContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
The Vulnerability Assessment rule baseline object to set
SetByInputObjectParameterSet
Position: Named Mandatory: False Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
-InstanceName
SQL Managed Instance name.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
SetByNameParameterSet
Position: 1 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-ResourceGroupName
The name of the resource group.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: 0 Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-RuleAppliesToMaster
Specifies whether the baseline results should apply on a server level rule identified by the RuleId
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-RuleId
The rule ID which identifies the rule to set the baseline results to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: True Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: wi
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs
