chore: add azure/sqlserver metadata update to changelog

prowler/CHANGELOG.md

@@ -11,6 +11,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)
 - Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406)
 - Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
+- Update Azure SQL Server service metadata to new format [(#9627)](https://github.com/prowler-cloud/prowler/pull/9627)
+
 
 ---
 

prowler/providers/azure/services/sqlserver/sqlserver_auditing_enabled/sqlserver_auditing_enabled.metadata.json

@@ -1,29 +1,42 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_auditing_enabled",
-  "CheckTitle": "Ensure that SQL Servers have an audit policy configured",
+  "CheckTitle": "SQL Server has an auditing policy configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Ensure that there is an audit policy configured",
-  "Risk": "Audit policies are used to store logs associated to the SQL server (for instance, successful/unsuccesful log in attempts). These logs may be useful to detect anomalies or to perform an investigation in case a security incident is detected",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing",
+  "Severity": "high",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** auditing is assessed at the server level to confirm audit logging is active. Configurations with any auditing policy state set to `Disabled` indicate auditing is not configured for the server and its databases.",
+  "Risk": "Without **SQL auditing**, visibility into logins, privilege changes, and query activity is lost. Stealthy data exfiltration and tampering can go undetected, impacting **confidentiality** and **integrity**. Absent audit trails hinder **forensics**, slow incident response, and weaken compliance evidence.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.linkedin.com/learning/microsoft-azure-database-administrator-associate-dp-300-cert-prep-by-microsoft-press/configure-server-and-database-audits",
+    "https://irzu.org/research/auditing-azure-sql-microsoft-qa/",
+    "https://learn.microsoft.com/is-is/azure/azure-sql/database/auditing-overview?view=azuresql&viewFallbackFrom=azuresql-vm",
+    "https://www.mssqltips.com/sqlservertip/6732/azure-sql-database-auditing/",
+    "https://connectioncloudsupport.zendesk.com/hc/en-us/articles/4402652204441-Auditing-for-Azure-SQL-Database-and-Azure-Synapse-Analytics",
+    "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_2",
+    "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_2#terraform",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/auditing.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName <RESOURCE_GROUP_NAME> -ServerName <SERVER_NAME> -AuditType <AUDIT_TYPE> -StorageAccountName <STORAGE_ACCOUNT_NAME>",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_2",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_2#terraform"
+      "CLI": "az sql server audit-policy update --resource-group <RESOURCE_GROUP_NAME> --name <SERVER_NAME> --state Enabled --storage-account <STORAGE_ACCOUNT_NAME>",
+      "NativeIaC": "```bicep\n// Enable server-level auditing to an existing Storage Account\nparam sqlServerName string = \"<example_resource_name>\"\nparam storageAccountName string = \"<example_resource_name>\"\n\nresource sql 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: sqlServerName\n}\n\nresource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {\n  name: storageAccountName\n}\n\nresource audit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {\n  name: 'default'\n  parent: sql\n  properties: {\n    state: 'Enabled' // Critical: turns on auditing\n    storageEndpoint: 'https://${sa.name}.blob.core.windows.net/' // Critical: audit log destination\n    storageAccountAccessKey: listKeys(sa.id, '2023-01-01').keys[0].value // Critical: grants write access to logs\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and select your server\n2. Under Security, click Auditing\n3. Set Auditing to On\n4. Select Storage as the destination and choose a Storage account\n5. Click Save",
+      "Terraform": "```hcl\n# Enable server-level auditing to Azure Storage\nresource \"azurerm_mssql_server_extended_auditing_policy\" \"<example_resource_name>\" {\n  server_id                  = \"<example_resource_id>\"\n  storage_endpoint           = \"https://<STORAGE_ACCOUNT_NAME>.blob.core.windows.net/\" # Critical: audit log destination\n  storage_account_access_key = \"<STORAGE_ACCOUNT_KEY>\"                                  # Critical: allows writing audit logs\n}\n```"
     },
     "Recommendation": {
-      "Text": "Create an audit policy for the SQL server",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/auditing.html"
+      "Text": "Enable server-level **auditing** and send logs to a centralized, tamper-resistant store with defined retention. Enforce **least privilege** and **separation of duties** for log access, integrate with monitoring for alerts, and periodically validate coverage. Use database-level auditing only for specific exceptions.",
+      "Url": "https://hub.prowler.com/check/sqlserver_auditing_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_auditing_retention_90_days",
-  "CheckTitle": "Ensure that 'Auditing' Retention is 'greater than 90 days'",
+  "CheckTitle": "SQL server has auditing enabled with retention greater than 90 days",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "SQL Server Audit Retention should be configured to be greater than 90 days.",
-  "Risk": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing",
+  "Severity": "high",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server auditing** settings are evaluated to ensure **auditing is enabled** and log retention is greater than `90` days. It considers the auditing policy state and the configured `retention_days` value.",
+  "Risk": "Without adequate retention or with auditing disabled, **activity trails expire too soon**, limiting detection and investigation of **unauthorized access, data exfiltration, and privilege abuse**. This weakens **confidentiality** and **integrity** and slows incident response.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/purview/audit-log-retention-policies",
+    "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_3",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/auditing-retention.html#",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-AzSqlServerAudit -ResourceGroupName resource_group_name -ServerName SQL_Server_name -RetentionInDays 100 -LogAnalyticsTargetState Enabled -WorkspaceResourceId '/subscriptions/subscription_ID/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/workspace_name'",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/auditing-retention.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_3"
+      "CLI": "Set-AzSqlServerAudit -ResourceGroupName <example_resource_name> -ServerName <example_resource_name> -RetentionInDays 91 -LogAnalyticsTargetState Enabled -WorkspaceResourceId <example_resource_id>",
+      "NativeIaC": "```bicep\n// Enable server-level auditing with retention > 90 days\nresource audit 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = {\n  name: '<example_resource_name>/default'\n  properties: {\n    state: 'Enabled'                         // Critical: turns auditing ON\n    retentionDays: 91                        // Critical: > 90 days\n    isAzureMonitorTargetEnabled: true        // Critical: send to Log Analytics\n    workspaceResourceId: '<example_resource_id>' // Critical: target workspace\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and select <example_resource_name>\n2. Under Security, click Auditing\n3. Set Auditing to On\n4. Destination: select Log Analytics workspace and choose your workspace\n5. Set Retention (days) to 91\n6. Click Save",
+      "Terraform": "```hcl\n# Enable server-level auditing with retention > 90 days\nresource \"azurerm_mssql_server_extended_auditing_policy\" \"audit\" {\n  server_id          = \"<example_resource_id>\"\n  log_monitoring_enabled = true   # Critical: enable Log Analytics target\n  retention_in_days      = 91     # Critical: > 90 days\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. For each server instance 3. Click on Auditing 4. If storage is selected, expand Advanced properties 5. Set the Retention (days) setting greater than 90 days or 0 for unlimited retention. 6. Select Save",
-      "Url": "https://learn.microsoft.com/en-us/purview/audit-log-retention-policies"
+      "Text": "Enable **server-level auditing** and set retention above `90` days, aligned with policy needs. Store logs in **tamper-resistant, centralized storage**, restrict access with **least privilege**, and integrate alerting and review. Apply **defense in depth** with continuous monitoring.",
+      "Url": "https://hub.prowler.com/check/sqlserver_auditing_retention_90_days"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.metadata.json

@@ -1,29 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_azuread_administrator_enabled",
-  "CheckTitle": "Ensure that SQL Servers have an Azure Active Directory administrator",
+  "CheckTitle": "SQL Server has an Azure Active Directory administrator configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Ensure that there is an Azure Active Directory administrator configured",
-  "Risk": "Azure Active Directory provides a centralized way of managing identities. Using local SQL administrator identites makes it more difficult to manage user accounts. In addition, from Azure Active Directory, security policies can be enforced to users in centralized way.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "Azure SQL Server is configured with a **Microsoft Entra (Azure AD) administrator** at the server scope, indicated by `administrator_type` set to `ActiveDirectory`.",
+  "Risk": "Without a **Microsoft Entra admin**, the server can't use Entra identities, pushing reliance on **SQL authentication**. This weakens confidentiality and integrity: no MFA/conditional access, harder offboarding and auditing, and compromised passwords can enable unauthorized data access and privilege escalation.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-active-directory-admin-is-configured#terraform",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/active-directory-admin.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server ad-admin create --resource-group resource_group_name --server server_name --display-name display_name --object-id user_object_id",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/active-directory-admin.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-active-directory-admin-is-configured#terraform"
+      "CLI": "az sql server ad-admin create --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --display-name <AAD_ADMIN_NAME> --object-id <AAD_OBJECT_ID>",
+      "NativeIaC": "```bicep\n// Configure Microsoft Entra (Azure AD) admin on an existing SQL Server\nresource aadAdmin 'Microsoft.Sql/servers/administrators@2021-11-01' = {\n  name: '<example_resource_name>/ActiveDirectory' // serverName/ActiveDirectory\n  properties: {\n    administratorType: 'ActiveDirectory' // CRITICAL: ensures admin type is AAD\n    login: '<AAD_ADMIN_NAME>'             // CRITICAL: AAD admin display name\n    sid: '<AAD_OBJECT_ID>'                // CRITICAL: AAD object (GUID)\n    tenantId: '<TENANT_ID>'               // CRITICAL: Tenant where the AAD object exists\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and select <SERVER_NAME>\n2. Select Active Directory admin\n3. Click Set admin\n4. Select the desired Microsoft Entra user or group and click Select\n5. Click Save",
+      "Terraform": "```hcl\n# Set Microsoft Entra (Azure AD) admin on an existing SQL Server\nresource \"azurerm_mssql_active_directory_administrator\" \"<example_resource_name>\" {\n  server_id = \"<example_resource_id>\"  # CRITICAL: target SQL server resource ID\n  login     = \"<AAD_ADMIN_NAME>\"        # CRITICAL: AAD admin display name\n  object_id = \"<AAD_OBJECT_ID>\"         # CRITICAL: AAD object (GUID)\n  tenant_id = \"<TENANT_ID>\"             # CRITICAL: Tenant where the AAD object exists\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable an Azure Active Directory administrator",
-      "Url": ""
+      "Text": "Assign a **Microsoft Entra administrator** (prefer a security group) at the server level and manage access via Entra groups. Enforce **least privilege**, require **MFA/conditional access**, and use **managed identities** for services. *If feasible*, adopt Entra-only authentication and phase out shared SQL logins.",
+      "Url": "https://hub.prowler.com/check/sqlserver_azuread_administrator_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.metadata.json

@@ -1,29 +1,39 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_microsoft_defender_enabled",
-  "CheckTitle": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers",
+  "CheckTitle": "SQL Server has Microsoft Defender for SQL enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers",
-  "Risk": "Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed  classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql",
+  "Severity": "high",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** instances are evaluated for the server-level **security alert policy** of **Microsoft Defender for SQL**, expecting the policy state to be `Enabled`.",
+  "Risk": "Without **Defender for SQL**, anomalous logins, SQL injection patterns, and risky configurations may go undetected, enabling data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and disruptive queries or ransomware (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.azadvertizer.net/azpolicyadvertizer/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2.html",
+    "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-sql-usage",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/defender-azure-sql.html",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/policy-reference"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/defender-azure-sql.html",
-      "Terraform": ""
+      "CLI": "az sql server threat-policy update --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --state Enabled",
+      "NativeIaC": "```bicep\nparam serverName string = '<example_resource_name>'\n\nresource securityAlert 'Microsoft.Sql/servers/securityAlertPolicies@2021-11-01' = {\n  name: '${serverName}/Default'\n  properties: {\n    state: 'Enabled' // Critical: enables the server's security alert policy (Defender for SQL)\n  }\n}\n```",
+      "Other": "1. Sign in to the Azure portal > SQL servers > select <SERVER_NAME>\n2. Under Security, select Microsoft Defender for SQL (or Microsoft Defender for Cloud)\n3. Toggle to On (Enable) and click Save",
+      "Terraform": "```hcl\nresource \"azurerm_mssql_server_security_alert_policy\" \"<example_resource_name>\" {\n  server_id = \"<example_resource_id>\"\n  state     = \"Enabled\" # Critical: enables the server's security alert policy (Defender for SQL)\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers For each production SQL server instance: 2. Click Microsoft Defender for Cloud 3. Click Enable Microsoft Defender for SQL",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-sql-usage"
+      "Text": "Enable **Microsoft Defender for SQL** across all servers and managed instances, preferably at subscription scope. Apply **least privilege**, restrict public exposure, and integrate alerts with your SOC. Regularly review **vulnerability assessment** results and harden findings as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/sqlserver_microsoft_defender_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_recommended_minimal_tls_version",
-  "CheckTitle": "Ensure SQL server has a recommended minimal TLS version required.",
+  "CheckTitle": "SQL server enforces minimal TLS version 1.2 or 1.3",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Ensure that SQL Server instances are configured with the recommended minimal TLS version to maintain secure connections.",
-  "Risk": "Using outdated or weak TLS versions can expose SQL Server instances to vulnerabilities, increasing the risk of data breaches and unauthorized access.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#configure-minimum-tls-version",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL logical servers** are assessed for the configured **minimum TLS version** for client connections. The finding determines whether the minimal accepted version aligns with recommended modern values such as `1.2` or `1.3`.",
+  "Risk": "Without a modern minimum, clients can negotiate **weak TLS** or be downgraded, enabling **MITM** and decryption. This jeopardizes **confidentiality** (credential/data exposure) and **integrity** (query tampering), and may disrupt **availability** via session resets during handshake interference.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://argonsys.com/microsoft-cloud/library/preparing-for-the-deprecation-of-tls-1-0-and-1-1-in-azure-databases/",
+    "https://githubissues.com/MicrosoftDocs/azure-docs/117817",
+    "https://stackoverflow.com/questions/66102487/jdbc-cant-connect-to-sql-server-azure-sql-database",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/db-minimum-tls-version-check.html",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#configure-minimum-tls-version",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/minimal-tls-version-configure?view=azuresql",
+    "https://solutions.microsoft.xtivia.com/blog/azure-deprecating-tls-1-0-and-1-1/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server update -n sql-server-name -g sql-server-group --set minimalTlsVersion=<version>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az sql server update -n <SQL_SERVER_NAME> -g <RESOURCE_GROUP> --set minimalTlsVersion=\"1.2\"",
+      "NativeIaC": "```bicep\n// Update Azure SQL logical server to enforce minimum TLS 1.2\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  properties: {\n    minimalTlsVersion: '1.2' // Critical: Enforces TLS 1.2+ for client connections\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers and select your server\n2. Open Networking > Connectivity\n3. Set Minimum TLS Version to 1.2 (or 1.3)\n4. Click Save",
+      "Terraform": "```hcl\n# Enforce minimum TLS 1.2 on Azure SQL logical server\nresource \"azurerm_mssql_server\" \"<example_resource_name>\" {\n  name                         = \"<example_resource_name>\"\n  resource_group_name          = \"<example_resource_name>\"\n  location                     = \"<example_location>\"\n  version                      = \"12.0\"\n  administrator_login          = \"<example_admin>\"\n  administrator_login_password = \"<example_password>\"\n\n  minimum_tls_version = \"1.2\" # Critical: Enforces TLS 1.2+ for client connections\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to Azure SQL Server 2. Navigate to 'Security' -> 'Networking' 3. Select 'Connectivity' 4. Update the TLS version in the field 'Minimum TLS version' to a recommended minimal version (e.g., TLS 1.2).",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#configure-minimum-tls-version"
+      "Text": "Set the **minimum TLS** to `1.2` or higher (prefer `1.3` when supported). Upgrade client libraries and OS trust stores; remove legacy protocols and weak ciphers to prevent downgrades. Validate compatibility before enforcement and monitor connections for outdated TLS. Uphold **encryption in transit** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/sqlserver_recommended_minimal_tls_version"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Verify support for the TLS version from the application side before changing the minimal version."

prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.metadata.json

@@ -1,29 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_tde_encrypted_with_cmk",
-  "CheckTitle": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key",
+  "CheckTitle": "SQL server uses a customer-managed key for the TDE protector and all databases have TDE enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.",
-  "Risk": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql",
+  "Severity": "critical",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** uses **Transparent Data Encryption** with a **customer-managed key** in Azure Key Vault, and each database has TDE `Enabled`",
+  "Risk": "Without **TDE with CMK**, data at rest may be unencrypted or controlled by service keys, weakening **confidentiality** and **key custody**. Attackers or insiders could read backups, snapshots, or stolen disks, and you cannot enforce **rotation**, **revocation**, or **separation of duties**, raising compliance and incident response risks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/use-byok-for-transparent-data-encryption.html#",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql",
+    "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server tde-key set --resource-group resourceName --server dbServerName --server-key-type {AzureKeyVault} --kid keyIdentifier",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/use-byok-for-transparent-data-encryption.html#",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```bicep\n// Add the Key Vault key to the SQL server\nresource serverKey 'Microsoft.Sql/servers/keys@2021-11-01' = {\n  name: '<example_resource_name>/<example_resource_name>'\n  properties: {\n    serverKeyType: 'AzureKeyVault' // critical: use a customer-managed key from Azure Key Vault\n    uri: 'https://<example_resource_name>.vault.azure.net/keys/<example_resource_name>/<example_resource_id>' // critical: KID of the Key Vault key\n  }\n}\n\n// Set the server TDE protector to the Key Vault key (CMK)\nresource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2021-11-01' = {\n  name: '<example_resource_name>/current'\n  properties: {\n    serverKeyType: 'AzureKeyVault' // critical: switches protector from service-managed to CMK\n    serverKeyName: '<example_resource_name>' // critical: reference the key added above\n  }\n}\n\n// Ensure TDE is enabled on the database\nresource dbTde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = {\n  name: '<example_resource_name>/<example_resource_name>/current'\n  properties: {\n    status: 'Enabled' // critical: turns on TDE for the database\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers > select <server>\n2. Under Security, open Transparent data encryption\n3. Select Customer-managed key and choose the key from Azure Key Vault, then Save\n4. For each database on this server: go to SQL databases > select <database> > Transparent data encryption\n5. Set Status to On and Save",
+      "Terraform": "```hcl\n# Set the SQL Server TDE protector to a Key Vault CMK\nresource \"azurerm_sql_server_key\" \"<example_resource_name>\" {\n  server_id        = \"<example_resource_id>\"\n  key_vault_key_id = \"<key_identifier>\" # critical: KID of the Key Vault key to use as TDE protector\n}\n\n# Ensure TDE is enabled on the database\nresource \"azurerm_sql_database_transparent_data_encryption\" \"<example_resource_name>\" {\n  resource_group_name = \"<example_resource_name>\"\n  server_name         = \"<example_resource_name>\"\n  database_name       = \"<example_resource_name>\"\n  enabled             = true # critical: turns on TDE for the database\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers For the desired server instance 2. Click On Transparent data encryption 3. Set Transparent data encryption to Customer-managed key 4. Browse through your key vaults to Select an existing key or create a new key in the Azure Key Vault. 5. Check Make selected key the default TDE protector",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+      "Text": "Use a **customer-managed TDE protector** in Azure Key Vault or Managed HSM and ensure TDE is `Enabled` for every database.\n- Apply **least privilege** to key access\n- Enable **rotation** and monitor key use\n- Protect keys with soft-delete and purge protection\n- Enforce via **policy** and maintain key backups for restores",
+      "Url": "https://hub.prowler.com/check/sqlserver_tde_encrypted_with_cmk"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible. When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault. As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service."

prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.metadata.json

@@ -1,29 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_tde_encryption_enabled",
-  "CheckTitle": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted",
+  "CheckTitle": "SQL database has Transparent Data Encryption (TDE) enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Enable Transparent Data Encryption on every SQL server.",
-  "Risk": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database",
+  "Severity": "critical",
+  "ResourceType": "microsoft.sql/servers/databases",
+  "Description": "**Azure SQL user databases** have **Transparent Data Encryption** (`TDE`) enabled, ensuring encryption of database files, backups, and transaction logs at rest.\n\n*The `master` system database is excluded from evaluation.*",
+  "Risk": "Without **TDE**, data at rest remains unencrypted:\n- Stolen backups, snapshots, or compromised storage enable offline data disclosure\n- Attackers with substrate access can bypass DB auth, harming **confidentiality** and enabling **exfiltration**",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/data-encryption.html#",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql db tde set --resource-group resourceGroup --server dbServerName --database dbName --status Enabled",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/data-encryption.html#",
-      "Terraform": ""
+      "CLI": "az sql db tde set --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --database <DATABASE_NAME> --status Enabled",
+      "NativeIaC": "```bicep\n// Enable TDE on an existing Azure SQL Database\nresource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2021-11-01' = {\n  name: '<example_server_name>/<example_database_name>/current'\n  properties: {\n    state: 'Enabled' // critical: enables Transparent Data Encryption (TDE)\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL databases and select the target database (not master)\n2. Under Settings, open Transparent data encryption\n3. Set Transparent data encryption to On (Enabled) and click Save",
+      "Terraform": "```hcl\nresource \"azurerm_mssql_database\" \"<example_resource_name>\" {\n  name      = \"<example_resource_name>\"\n  server_id = \"<example_resource_id>\"\n\n  transparent_data_encryption_enabled = true # critical: enables TDE\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL databases 2. For each DB instance 3. Click on Transparent data encryption 4. Set Data encryption to On",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+      "Text": "Enable **TDE** on all Azure SQL user databases. Prefer **customer-managed keys** in Key Vault or Managed HSM for control, rotation, and revocation. Apply **least privilege** and **separation of duties** to key access, enforce via **policy**, and monitor key/audit logs. *Maintain key backups and lifecycle to prevent availability loss.*",
+      "Url": "https://hub.prowler.com/check/sqlserver_tde_encryption_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.metadata.json

@@ -1,29 +1,38 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_unrestricted_inbound_access",
-  "CheckTitle": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)",
+  "CheckTitle": "Azure SQL Server does not have firewall rules allowing 0.0.0.0-255.255.255.255",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "critical",
-  "ResourceType": "SQLServer",
-  "Description": "Ensure that there are no firewall rules allowing traffic from 0.0.0.0-255.255.255.255",
-  "Risk": "Azure SQL servers provide a firewall that, by default, blocks all Internet connections. When the rule (0.0.0.0-255.255.255.255) is used, the server can be accessed by any source from the Internet, incrementing significantly the attack surface of the SQL Server. It is recommended to use more granular firewall rules.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** server-level firewall rules are evaluated for an entry that allows the entire IPv4 space (`0.0.0.0` to `255.255.255.255`).\n\nThe finding identifies presence of this Internet-wide rule on the server firewall.",
+  "Risk": "An Internet-wide rule permits unsolicited access from any host, enabling mass scanning, brute force, and exploitation of weak configurations.\n- Confidentiality: unauthorized data access/exfiltration\n- Integrity: malicious data/DDL changes\n- Availability: resource abuse or DoS via excessive connections",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_4#terraform",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/unrestricted-sql-database-access.html",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview",
+    "https://www.developerload.com/how-to-disable-firewall-in-azure-sql-database",
+    "https://eitanblumin.com/sql-vulnerability-assessment-tool-rules-reference-list/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server firewall-rule delete --resource-group resource_group_name --server sql_server_name --name rule_name",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/unrestricted-sql-database-access.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_4#terraform"
+      "CLI": "az sql server firewall-rule delete --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --name <RULE_NAME>",
+      "NativeIaC": "```bicep\n// Update the firewall rule to not allow the entire Internet\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource restricted 'Microsoft.Sql/servers/firewallRules@2021-11-01' = {\n  name: '${sqlServer.name}/<example_resource_name>'\n  properties: {\n    startIpAddress: '<START_IP>' // Critical: not 0.0.0.0; restricts start IP\n    endIpAddress: '<END_IP>'     // Critical: not 255.255.255.255; restricts end IP\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers and select your server\n2. Open Security > Networking\n3. Under Firewall rules, find any rule with Start IP 0.0.0.0 and End IP 255.255.255.255\n4. Select the rule and click Delete\n5. Click Save",
+      "Terraform": "```hcl\n# Replace any allow-all firewall rule with a restricted range\nresource \"azurerm_mssql_firewall_rule\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  server_id        = \"<example_resource_id>\"\n  start_ip_address = \"<START_IP>\" # Critical: not 0.0.0.0\n  end_ip_address   = \"<END_IP>\"   # Critical: not 255.255.255.255\n}\n```"
     },
     "Recommendation": {
-      "Text": "Remove firewall rules allowing all sources and, instead, use more granular rules",
-      "Url": ""
+      "Text": "Remove the all-open rule and enforce **least privilege**.\n- Restrict access to specific IPs/ranges\n- Prefer **private endpoints** or VNet rules to avoid Internet exposure\n- Layer controls (NSGs, Azure Firewall)\n- Avoid broad exceptions like `Allow Azure services` and never use `0.0.0.0/0`",
+      "Url": "https://hub.prowler.com/check/sqlserver_unrestricted_inbound_access"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.metadata.json

@@ -1,29 +1,40 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_va_emails_notifications_admins_enabled",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server",
+  "CheckTitle": "SQL Server has Vulnerability Assessment enabled and email notifications to subscription admins configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.",
-  "Risk": "VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** Vulnerability Assessment configuration, specifically whether recurring scans are set to email results to subscription admins/owners via `Also send email notifications to admins and subscription owners`.",
+  "Risk": "Without these notifications, findings may go unnoticed, delaying fixes. Prolonged exposure of misconfigurations and weak permissions threatens data **confidentiality** and **integrity**, can affect **availability**, and slows **incident response** and audit readiness.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/enable-email-alerts-for-administrators-and-subscription-owners.html",
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-also-send-email-notifications-to-admins-and-subscription-owners-is-set-for-an-sql-server/",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://guides.spectralops.io/docs/d9_azu_mon_25",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview",
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-also-send-email-notifications-to-admins-and-subscription-owners-is-set-for-an-sql-server#terraform",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-also-send-email-notifications-to-admins-and-subscription-owners-is-set-for-an-sql-server#terraform"
+      "CLI": "az rest --method put --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/vulnerabilityAssessments/default?api-version=2021-11-01\" --body '{\"properties\":{\"storageContainerPath\":\"https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>\",\"storageAccountAccessKey\":\"<STORAGE_KEY>\",\"recurringScans\":{\"isEnabled\":true,\"emailSubscriptionAdmins\":true}}}'",
+      "NativeIaC": "```bicep\n// Enable VA at server level with classic storage and email to subscription admins\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource va 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01' = {\n  name: 'default'\n  parent: sqlServer\n  properties: {\n    storageContainerPath: 'https://<example_resource_name>.blob.core.windows.net/<example_resource_name>' // Critical: required so the check detects VA configured\n    storageAccountAccessKey: '<example_resource_id>'\n    recurringScans: {\n      isEnabled: true\n      emailSubscriptionAdmins: true // Critical: sends scan reports to subscription admins to PASS the check\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and open <SERVER_NAME>\n2. Under Security, select Vulnerability assessment (classic)\n3. Select a Storage account container and click Save (ensures a storage container path)\n4. Enable Recurring scans\n5. Enable Send scan reports to subscription admins\n6. Click Save",
+      "Terraform": "```hcl\n# Enable VA at server level and email subscription admins\nresource \"azurerm_mssql_server_security_alert_policy\" \"<example_resource_name>\" {\n  server_id = \"<example_resource_id>\"\n  state     = \"Enabled\"\n}\n\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.<example_resource_name>.id\n  storage_container_path          = \"https://<example_resource_name>.blob.core.windows.net/<example_resource_name>\" # Critical: required so the check detects VA configured\n  storage_account_access_key      = \"<example_resource_id>\"\n\n  recurring_scans {\n    enabled                   = true\n    email_subscription_admins = true # Critical: sends scan reports to subscription admins to PASS the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. Select a server instance 3. Click on Security Center 4. Select Configure next to Enabled at subscription-level 5. In Section Vulnerability Assessment Settings, configure Storage Accounts if not already 6. Check/enable 'Also send email notifications to admins and subscription owners' 7. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable VA email alerts for admins/owners (`Also send...`) so findings reach accountable staff promptly.\n\n- Route to a monitored security group and SIEM\n- Review recipients regularly; remove stale accounts\n- Apply **least privilege** and maintain recurring scans for **defense in depth**",
+      "Url": "https://hub.prowler.com/check/sqlserver_va_emails_notifications_admins_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.metadata.json

@@ -1,29 +1,42 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_va_periodic_recurring_scans_enabled",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server",
+  "CheckTitle": "SQL Server has Vulnerability Assessment periodic recurring scans enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.",
-  "Risk": "VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL servers** are evaluated for **Vulnerability Assessment** configuration and whether **periodic recurring scans** are scheduled (e.g., weekly) for the server and its databases.\n\nServers with Vulnerability Assessment missing or scans not scheduled are identified.",
+  "Risk": "Without scheduled scans, new misconfigurations and vulnerable settings can persist unnoticed, weakening **confidentiality** and **integrity**. Attackers can exploit stale permissions, unsafe firewall rules, or unpatched features to read or alter data and pivot to other resources.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-periodic-recurring-scans-is-enabled-on-a-sql-server#terraform",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+    "https://www.pulumi.com/registry/packages/azure/api-docs/mssql/servervulnerabilityassessment/",
+    "https://docs.datadoghq.com/security/default_rules/def-000-s27/",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/periodic-vulnerability-scans.html",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://faun.pub/enable-azure-sql-server-vulnerability-assessment-using-terraform-abdffc6307a6",
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-periodic-recurring-scans-is-enabled-on-a-sql-server/",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/periodic-vulnerability-scans.html#"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/periodic-vulnerability-scans.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-periodic-recurring-scans-is-enabled-on-a-sql-server#terraform"
+      "CLI": "az rest --method put --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/vulnerabilityAssessments/Default?api-version=2023-08-01-preview --body '{\"properties\":{\"storageContainerPath\":\"https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>/\",\"storageAccountAccessKey\":\"<ACCESS_KEY>\",\"recurringScans\":{\"isEnabled\":true}}}'",
+      "NativeIaC": "```bicep\n// Enable classic VA with recurring scans on an existing SQL Server\nresource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' existing = {\n  name: '<example_resource_name>'\n}\n\nresource va 'Microsoft.Sql/servers/vulnerabilityAssessments@2023-08-01-preview' = {\n  name: 'Default'\n  parent: sqlServer\n  properties: {\n    storageContainerPath: 'https://<example_storage_account>.blob.core.windows.net/<example_container>/' // CRITICAL: Required so VA is considered configured\n    storageAccountAccessKey: '<example_access_key>'\n    recurringScans: {\n      isEnabled: true // CRITICAL: Enables periodic recurring scans\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers > select <your server>\n2. Under Security, open Vulnerability assessment (classic configuration)\n3. Set Storage container to an existing blob container and Save\n4. Turn Recurring scans to On\n5. Click Save to apply",
+      "Terraform": "```hcl\n# Server VA with periodic recurring scans enabled\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_security_alert_policy_id = \"<example_resource_id>\"\n  storage_container_path          = \"https://<example_storage_account>.blob.core.windows.net/<example_container>/\" # Required so VA is configured\n  storage_account_access_key      = \"<example_access_key>\"\n\n  recurring_scans {\n    enabled = true # CRITICAL: Enables periodic recurring scans\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. For each server instance 3. Click on Security Center 4. In Section Vulnerability Assessment Settings, set Storage Account if not already 5. Toggle 'Periodic recurring scans' to ON. 6. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable **recurring Vulnerability Assessment scans** at server scope and ensure results are retained securely (*express configuration or secured storage*). Apply **least privilege**, maintain baselines, and promptly remediate findings. Automate alerting and periodic reviews as part of **defense in depth** and change management.",
+      "Url": "https://hub.prowler.com/check/sqlserver_va_periodic_recurring_scans_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Azure Defender for SQL feature will incur additional costs for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.metadata.json

@@ -1,29 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_va_scan_reports_configured",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server",
+  "CheckTitle": "SQL server has Vulnerability Assessment enabled and scan report recipients configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.",
-  "Risk": "Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** vulnerability assessment uses **recurring scans** and emails results to designated recipients. This evaluates that VA is enabled and that `Send scan reports to` (or subscription admin notifications) is configured so scan reports are delivered.",
+  "Risk": "If VA reports aren't sent to responsible owners, findings can be missed, delaying fixes. Attackers may exploit misconfigurations, excessive permissions, or outdated settings, leading to data exposure (C), unauthorized changes (I), and potential service disruption (A).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-send-scan-reports-to-is-configured-for-a-sql-server#terraform",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-send-scan-reports-to-is-configured-for-a-sql-server#terraform"
+      "NativeIaC": "```bicep\n// Configure VA (classic) on a SQL Server and set recipients\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource va 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01' = {\n  name: 'Default'\n  parent: sqlServer\n  properties: {\n    storageContainerPath: 'https://<example_storage_account>.blob.core.windows.net/<example_container>' // CRITICAL: enables VA classic by setting storage container\n    storageAccountAccessKey: '<example_storage_key>'\n    recurringScans: {\n      isEnabled: true\n      emailSubscriptionAdmins: true // CRITICAL: configures scan report recipients (subscription admins)\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and select <your server>\n2. Under Security, open Vulnerability assessment\n3. Select a Storage account and Container, then Save\n4. In Recurring scans, turn On and enable Send to subscription admins (or add at least one email)\n5. Save",
+      "Terraform": "```hcl\n# Enable VA (classic) on a SQL Server and configure recipients\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_id                = \"<example_resource_id>\"\n  storage_container_path   = \"https://<example_storage_account>.blob.core.windows.net/<example_container>\" # CRITICAL: enables VA classic by setting storage container\n  storage_account_access_key = \"<example_storage_key>\"\n\n  recurring_scans {\n    enabled                   = true\n    email_subscription_admins = true # CRITICAL: configures scan report recipients (subscription admins)\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. Select a server instance 3. Select Microsoft Defender for Cloud 4. Select Configure next to Enablement status 5. Set Microsoft Defender for SQL to On 6. Under Vulnerability Assessment Settings, select a Storage Account 7. Set Periodic recurring scans to On 8. Under Send scan reports to, provide email addresses for data owners and stakeholders 9. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable **Vulnerability Assessment**, keep **recurring scans** active, and configure `Send scan reports to` with accountable security owners or subscription admins. Integrate notifications with central alerting, apply **least privilege** to recipients, and enforce SLAs to triage and remediate findings promptly.",
+      "Url": "https://hub.prowler.com/check/sqlserver_va_scan_reports_configured"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_vulnerability_assessment_enabled/sqlserver_vulnerability_assessment_enabled.metadata.json

@@ -1,29 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_vulnerability_assessment_enabled",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account",
+  "CheckTitle": "SQL server has vulnerability assessment enabled with storage container configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
-  "Description": "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.",
-  "Risk": "The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "ResourceType": "microsoft.sql/servers",
+  "Description": "**Azure SQL Server** has **Vulnerability Assessment** configured with a defined location to persist assessment reports and scan results",
+  "Risk": "Without **Vulnerability Assessment**, misconfigurations and excessive permissions can go unnoticed.\n\nAdversaries may exploit weak server or database settings to escalate privileges, exfiltrate data, or alter records, degrading confidentiality and integrity.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/vulnerability-assessment-sql-servers.html#",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-vulnerability-assessment-va-is-enabled-on-a-sql-server-by-setting-a-storage-account",
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName resource_group_name -ServerName Server_Name -StorageAccountName Storage_Name_from_same_subscription_and_same_Location -ScanResultsContainerName vulnerability-assessment -RecurringScansInterval Weekly -EmailSubscriptionAdmins $true -NotificationEmail @('mail1@mail.com' , 'mail2@mail.com')",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/vulnerability-assessment-sql-servers.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-vulnerability-assessment-va-is-enabled-on-a-sql-server-by-setting-a-storage-account"
+      "CLI": "Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName <RESOURCE_GROUP> -ServerName <SERVER_NAME> -StorageAccountName <STORAGE_ACCOUNT_NAME> -ScanResultsContainerName <CONTAINER_NAME>",
+      "NativeIaC": "```bicep\n// Configure VA (classic) at the SQL Server level\nresource sqlServerVA 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01' = {\n  name: '<example_resource_name>/default'\n  properties: {\n    storageContainerPath: 'https://<example_resource_name>.blob.core.windows.net/<example_resource_name>' // CRITICAL: sets the storage container path to enable VA\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers and open <SERVER_NAME>\n2. Under Security, select Microsoft Defender for SQL (or Defender for Cloud > Microsoft Defender for SQL)\n3. In Vulnerability assessment settings, click Configure\n4. Select the Storage account and the target Container\n5. Save\n\nVerification: Open the server's Vulnerability assessment blade and confirm a storage container is shown.",
+      "Terraform": "```hcl\n# Enable server security alert policy (required by VA)\nresource \"azurerm_mssql_server_security_alert_policy\" \"<example_resource_name>\" {\n  resource_group_name = \"<example_resource_name>\"\n  server_name         = \"<example_resource_name>\"\n  state               = \"Enabled\"\n}\n\n# Configure VA (classic) with storage container\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.<example_resource_name>.id\n  storage_container_path          = \"https://<example_resource_name>.blob.core.windows.net/<example_resource_name>\" # CRITICAL: sets storage container path so the check passes\n  storage_account_access_key      = \"<example_resource_name>\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. Select a server instance 3. Click on Security Center 4. Select Configure next to Enabled at subscription-level 5. In Section Vulnerability Assessment Settings, Click Select Storage account 6. Choose Storage Account (Existing or Create New). Click Ok 7. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable and standardize **Vulnerability Assessment** across SQL servers and databases, retaining scan results in a secure repository. Run scans routinely, review findings, set `baselines`, and remediate promptly. Apply **least privilege** to report access and integrate results into change management for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/sqlserver_vulnerability_assessment_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server."