New-SqlVulnerabilityAssessmentBaseline

Creates a new instance of Microsoft.SQL.VulnerabilityAssessment.SecurityCheckBaseline.

Syntax

New-SqlVulnerabilityAssessmentBaseline
   [-SecurityCheckId] <String>
   -ExpectedResult <String[][]>
   [-Severity <SecurityCheckSeverity>]
   [<CommonParameters>]

Description

The New-SqlVulnerabilityAssessmentBaseline cmdlet creates a new instance of Microsoft.SQL.VulnerabilityAssessment.SecurityCheckBaseline.

As you review your assessment results, you can mark specific results of a security check as being an acceptable Baseline in your environment.

The baseline is essentially a customization of how the results of a specific security check are evaluated.

If the results of a security check match those that are expected according to the baseline, this check will be evaluated as passing.

Baselines should be added to a Baseline set, and you should run the scan with it to receive applicable results.

Module requirements: version 21+ on PowerShell 5.1; version 22+ on PowerShell 7.x.

Examples

Example 1: Create a new security check baseline from Vulnerability Assessment scan results

PS C:\> $scanResult = Invoke-SqlVulnerabilityAssessmentScan -ServerInstance "MyComputer\MainInstance" -Database some_database
PS C:\> $result2010 = $scanResult.Results.VA2010
PS C:\> $baseline2010 = New-SqlVulnerabilityAssessmentBaseline -SecurityCheckId $result2010.SecurityCheckId -ExpectedResult $result2010.QueryResults -Severity Medium

In this example we run a Vulnerability Assessment scan, and search for failed security checks. We see that we have two failed security checks - VA2042 and VA2109. We decide that we want to set a baseline for security check VA2109, so we create a new SecurityCheckBaseline with the security check id and query results that we got from the scan result object.

Example 2: Create a new security check baseline manually

PS C:\> [string[][]]$expectedResults = ("guest", "db_datareader", "SQLUSER", "NONE"), ("guest", "db_owner", "SQLUSER", "NONE")
PS C:\> $baseline = New-SqlVulnerabilityAssessmentBaseline -SecurityCheckId "VA2109" -ExpectedResult $expectedResults

SecurityCheckId Severity ExpectedResults
--------------- -------- ---------------
VA2109                   {guest db_datareader SQLUSER NONE, guest db_owner SQLUSER NONE}

In this example we create a baseline for security check 'VA2109' manually. We first create the expected results, which contain two rows. Then we create the baseline with the expected results.
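
The Description says a baseline takes effect only once it is in a baseline set and the scan is run with that set. The following is an added example, not part of the original page: it assumes the SqlServer module's New-SqlVulnerabilityAssessmentBaselineSet cmdlet and the -Baseline parameter of Invoke-SqlVulnerabilityAssessmentScan, and that each QueryResults row is an array of strings. The server, database and approved rows are placeholders.

```powershell
# Added example. Server, database and approved rows are placeholders.
$server   = "MyComputer\MainInstance"
$database = "some_database"

# Rows a reviewer has approved for VA2109 (constructed sample values,
# same shape as Example 2: one string[] per result row).
[string[][]]$approved = ("guest", "db_datareader", "SQLUSER", "NONE"),
                        ("guest", "db_owner", "SQLUSER", "NONE")

# 1. Scan without a baseline and take the current rows for the check.
$scan   = Invoke-SqlVulnerabilityAssessmentScan -ServerInstance $server -Database $database
$result = $scan.Results.VA2109

# 2. Do not baseline rows nobody reviewed. Compare each returned row with
#    the approved list; columns are joined with '|', which is assumed not
#    to occur inside the values.
$approvedKeys = $approved | ForEach-Object { $_ -join '|' }
$unreviewed   = @($result.QueryResults |
                  Where-Object { ($_ -join '|') -notin $approvedKeys })
if ($unreviewed.Count -gt 0) {
    $unreviewed | ForEach-Object { Write-Warning ("Not approved: " + ($_ -join ', ')) }
    throw "VA2109 returned rows outside the approved list; review them before baselining."
}

# 3. Build the baseline from the approved rows (not from whatever the scan
#    returned), wrap it in a baseline set, and rescan with that set.
$baseline    = New-SqlVulnerabilityAssessmentBaseline -SecurityCheckId "VA2109" -ExpectedResult $approved
$baselineSet = New-SqlVulnerabilityAssessmentBaselineSet -Baselines @($baseline)
$rescan      = Invoke-SqlVulnerabilityAssessmentScan -ServerInstance $server -Database $database -Baseline $baselineSet

# 4. Show the check as evaluated with the baseline applied.
$rescan.Results.VA2109 | Format-List
```

Because -ExpectedResult overrides the check's original expected results, building it from a reviewed list keeps a newly appeared row from being accepted just because it was present in the latest scan.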

Parameters

-ExpectedResult

The baseline expected result for the security check query. This expected result overrides the security check's original expected results.

Type: String[][]
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-SecurityCheckId

The security check id which the baseline applies to.

Type: String
Position: 0
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-Severity

The new severity for the security check. This severity overrides the security check's original severity.

Type: SecurityCheckSeverity
Accepted values: High, Medium, Low
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

Inputs

None

Outputs

System.Object