Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines
A core component of every cyber risk and security program is the identification and analysis of vulnerabilities.
Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools.
When a machine is found that doesn't have a vulnerability assessment solution deployed, Defender for Cloud generates the following security recommendation:
Machines should have a vulnerability assessment solution
Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc-enabled hybrid machines.
Deploy the vulnerability assessment solution that best meets your needs and budget:
Microsoft Defender for Endpoint's threat and vulnerability management tools - Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.
Integrated vulnerability assessment solution (powered by Qualys) - Defender for Cloud includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. This page provides details of this scanner and instructions for how to deploy it.
Tip
The integrated vulnerability assessment solution supports both Azure virtual machines and hybrid machines. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, connect them to Azure first with Azure Arc as described in Connect your non-Azure machines to Defender for Cloud.
Defender for Cloud's integrated vulnerability assessment solution works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.
Bring your own license (BYOL) solutions - Defender for Cloud supports the integration of tools from other vendors, but you'll need to handle the licensing costs, deployment, and configuration. By deploying your tool with Defender for Cloud, you'll get information about which Azure virtual machines are missing the tool. You'll also be able to view findings within Defender for Cloud. If you'd prefer to use your organization's private Qualys or Rapid7 license instead of the Qualys license included with Defender for Cloud, see How to deploy a BYOL solution.
Availability
Aspect | Details |
---|---|
Release state: | General availability (GA) |
Machine types (hybrid scenarios): | Azure virtual machines, Azure Arc-enabled machines |
Pricing: | Requires Microsoft Defender for Servers Plan 2 |
Required roles and permissions: | Owner (resource group level) can deploy the scanner; Security Reader can view findings |
Clouds: | (shown as icons in the original; not preserved in this copy) |
Overview of the integrated vulnerability scanner
The vulnerability scanner included with Microsoft Defender for Cloud is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities. It's only available with Microsoft Defender for Servers. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud.
How the integrated vulnerability scanner works
The vulnerability scanner extension works as follows:
Deploy - Microsoft Defender for Cloud monitors your machines and provides recommendations to deploy the Qualys extension on your selected machines.
Gather information - The extension collects artifacts and sends them for analysis in the Qualys cloud service in the defined region.
Analyze - Qualys' cloud service conducts the vulnerability assessment and sends its findings to Defender for Cloud.
Important
To ensure the privacy, confidentiality, and security of our customers, we don't share customer details with Qualys. Learn more about the privacy standards built into Azure.
Report - The findings are available in Defender for Cloud.
Deploy the integrated scanner to your Azure and hybrid machines
From the Azure portal, open Defender for Cloud.
From Defender for Cloud's menu, open the Recommendations page.
Select the recommendation Machines should have a vulnerability assessment solution.
Tip
The machine "server16-test" shown above is an Azure Arc-enabled machine. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, see Connect your non-Azure machines to Defender for Cloud.
Defender for Cloud works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.
Your machines will appear in one or more of the following groups:
Healthy resources – Defender for Cloud has detected a vulnerability assessment solution running on these machines.
Unhealthy resources – A vulnerability scanner extension can be deployed to these machines.
Not applicable resources – these machines can't have a vulnerability scanner extension deployed. Your machine might be in this tab because it's an image in an AKS cluster, it's part of a virtual machine scale set, or it's not running one of the supported operating systems for the integrated vulnerability scanner:
Vendor | OS | Supported versions |
---|---|---|
Microsoft | Windows | All |
Amazon | Amazon Linux | 2015.09-2018.03 |
Amazon | Amazon Linux 2 | 2017.03-2.0.2021 |
Red Hat | Enterprise Linux | 5.4+, 6, 7-7.9, 8-8.5, 9 beta |
Red Hat | CentOS | 5.4-5.11, 6-6.7, 7-7.8, 8-8.5 |
Red Hat | Fedora | 22-33 |
SUSE | Linux Enterprise Server (SLES) | 11, 12, 15, 15 SP1 |
SUSE | openSUSE | 12, 13, 15.0-15.3 |
SUSE | Leap | 42.1 |
Oracle | Enterprise Linux | 5.11, 6, 7-7.9, 8-8.5 |
Debian | Debian | 7.x-11.x |
Ubuntu | Ubuntu | 12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS |
From the list of unhealthy machines, select the ones to receive a vulnerability assessment solution and select Remediate.
Important
Depending on your configuration, this list might appear differently.
- If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
- If your selected machines aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option won't be available.
Choose the recommended option, Deploy integrated vulnerability scanner, and Proceed.
You'll be asked for one further confirmation. Select Remediate.
The scanner extension will be installed on all of the selected machines within a few minutes.
Scanning begins automatically as soon as the extension is successfully deployed. Scans will then run every 12 hours. This interval isn't configurable.
Important
If the deployment fails on one or more machines, ensure the target machines can communicate with Qualys' cloud service by adding the following endpoints to your allowlists (via port 443 - the default for HTTPS):
- https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
- https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center
If your machine is in a European Azure region, its artifacts will be processed in Qualys' European data center. Artifacts for virtual machines located elsewhere are sent to the US data center.
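A pre-deployment reachability check for the two Qualys endpoints named above, written as an added example (not Microsoft's or Qualys' code). It opens a direct TCP connection and completes a TLS handshake on port 443, without consulting any proxy, which matches how the extension itself connects (it accepts no proxy configuration); it only proves network reachability, not that the scanner will enrol.

```python
"""Pre-deployment check: can this machine reach the Qualys data centers directly on 443?
Added example, not Microsoft's or Qualys' code."""
import socket
import ssl
from urllib.parse import urlsplit

# The two endpoints named in the deployment guidance (port 443 is implied by https://).
QUALYS_ENDPOINTS = {
    "https://qagpublic.qg3.apps.qualys.com": "Qualys US data center",
    "https://qagpublic.qg2.apps.qualys.eu": "Qualys European data center",
}


def parse_endpoint(url: str) -> tuple[str, int]:
    """Return (host, port) for an https:// URL, defaulting the port to 443."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https:// URL, got {url!r}")
    return parts.hostname, parts.port or 443


def check_tls_reachable(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Direct TCP connect plus TLS handshake (certificate validated against the system store).
    No proxy is used, deliberately: the extension cannot use one either."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake OK"
    except OSError as exc:  # covers timeouts, refusals, DNS failures and ssl.SSLError
        return False, f"{type(exc).__name__}: {exc}"


def precheck(endpoints=QUALYS_ENDPOINTS, timeout: float = 5.0) -> dict[str, bool]:
    """Test every endpoint and return {url: reachable}; prints one line per endpoint."""
    results = {}
    for url, label in endpoints.items():
        host, port = parse_endpoint(url)
        ok, detail = check_tls_reachable(host, port, timeout)
        results[url] = ok
        print(f"{'OK  ' if ok else 'FAIL'} {label} ({host}:{port}) - {detail}")
    return results


if __name__ == "__main__":
    # Non-zero exit if either data center is unreachable, so it can gate a deployment job.
    raise SystemExit(0 if all(precheck().values()) else 1)
```

Run it on the target machine (or a machine on the same network path) before remediating; a FAIL for the data center that serves the machine's region points at an egress firewall or NSG rule to fix first.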
Automate at-scale deployments
Note
All of the tools described in this section are available from Defender for Cloud's GitHub community repository. There, you can find scripts, automations, and other useful resources to use throughout your Defender for Cloud deployment.
Some of these tools only affect new machines connected after you enable at scale deployment. Others also deploy to existing machines. You can combine multiple approaches.
Some of the ways you can automate deployment at scale of the integrated scanner:
- Azure Resource Manager – This method is available from View recommendation logic in the Azure portal. The remediation script includes the relevant ARM template you can use for your automation.
- DeployIfNotExists policy – A custom policy for ensuring all newly created machines receive the scanner. Select Deploy to Azure and set the relevant parameters. You can assign this policy at the level of resource groups, subscriptions, or management groups.
- PowerShell Script – Use the Update qualys-remediate-unhealthy-vms.ps1 script to deploy the extension for all unhealthy virtual machines. To install on new resources, automate the script with Azure Automation. The script finds all unhealthy machines discovered by the recommendation and executes an Azure Resource Manager call.
- Azure Logic Apps – Build a logic app based on the sample app. Use Defender for Cloud's workflow automation tools to trigger your logic app to deploy the scanner whenever the Machines should have a vulnerability assessment solution recommendation is generated for a resource.
- REST API – To deploy the integrated vulnerability assessment solution using the Defender for Cloud REST API, make a PUT request for the following URL and add the relevant resource ID:
https://management.azure.com/<resourceId>/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview
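The REST API call above, as an added example (not Microsoft's code): it validates that the resource ID is an Azure VM or Azure Arc-enabled machine, builds the PUT URL exactly as given, and sends it with a bearer token the caller obtains out of band. The page documents only the method and URL, so the empty JSON body and the resource-ID pattern are assumptions.

```python
"""Deploy the integrated scanner via the Defender for Cloud REST API (added example).
Assumptions: an empty JSON body is acceptable (the page documents only method and URL),
and the caller already holds a valid ARM bearer token."""
import re
import urllib.error
import urllib.request

# URL pattern exactly as given in the automation section of the page.
VA_URL = ("https://management.azure.com/{resource_id}/providers/Microsoft.Security/"
          "serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview")

# Assumed shape of the two supported targets: Azure VMs and Azure Arc-enabled machines.
_RESOURCE_ID = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/"
    r"(Microsoft\.Compute/virtualMachines|Microsoft\.HybridCompute/machines)/[^/]+$",
    re.IGNORECASE,
)


def va_deployment_url(resource_id: str) -> str:
    """Reject anything that is not a VM or Arc machine ID, then build the PUT target."""
    if not _RESOURCE_ID.match(resource_id):
        raise ValueError(f"not an Azure VM or Arc machine resource ID: {resource_id!r}")
    return VA_URL.format(resource_id=resource_id.lstrip("/"))


def deploy_integrated_scanner(resource_id: str, bearer_token: str, timeout: float = 30.0) -> int:
    """Issue the PUT and return the HTTP status; raise with ARM's error text on 4xx/5xx."""
    req = urllib.request.Request(
        va_deployment_url(resource_id),
        method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        data=b"{}",  # assumed empty body; the page does not document one
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")
        raise RuntimeError(f"ARM returned {exc.code}: {body}") from exc


if __name__ == "__main__":
    import os
    import sys
    # Usage: python deploy_va.py <resourceId>, with the token in AZURE_TOKEN (assumed name).
    print(deploy_integrated_scanner(sys.argv[1], os.environ["AZURE_TOKEN"]))
```

The caller needs write permission on the target machine (see the FAQ below), so run it under an identity that holds Owner on the resource group.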
Trigger an on-demand scan
You can trigger an on-demand scan from the machine itself, using locally or remotely executed scripts or Group Policy Object (GPO). Alternatively, you can integrate it into your software distribution tools at the end of a patch deployment job.
The following commands trigger an on-demand scan:
- Windows machines:
REG ADD HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f
- Linux machines:
sudo /usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm
FAQ - Integrated vulnerability scanner (powered by Qualys)
Are there any additional charges for the Qualys license?
No. The built-in scanner is free to all Microsoft Defender for Servers users. The recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.
What prerequisites and permissions are required to install the Qualys extension?
You'll need write permissions for any machine on which you want to deploy the extension.
The Microsoft Defender for Cloud vulnerability assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs as Local Host on Windows, and Root on Linux.
During setup, Defender for Cloud checks to ensure that the machine can communicate with the following two Qualys data centers (via port 443 - the default for HTTPS):
- https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
- https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center
The extension doesn't currently accept any proxy configuration details.
Can I remove the Defender for Cloud Qualys extension?
If you want to remove the extension from a machine, you can do it manually or with any of your programmatic tools.
You'll need the following details:
- On Linux, the extension is called "LinuxAgent.AzureSecurityCenter" and the publisher name is "Qualys"
- On Windows, the extension is called "WindowsAgent.AzureSecurityCenter" and the provider name is "Qualys"
How does the extension get updated?
Like the Microsoft Defender for Cloud agent itself and all other Azure extensions, minor updates of the Qualys scanner might automatically happen in the background. All agents and extensions are tested extensively before being automatically deployed.
Why does my machine show as "not applicable" in the recommendation?
The recommendation details page groups your machines into the following lists: healthy, unhealthy, and not applicable.
If you have machines in the not applicable resources group, it means Defender for Cloud can't deploy the vulnerability scanner extension on those machines.
Your machine might be in this tab because:
It's not protected by Defender for Cloud - As explained above, the vulnerability scanner included with Microsoft Defender for Cloud is only available for machines protected by Microsoft Defender for Servers.
It's an image in an AKS cluster or part of a virtual machine scale set - This extension doesn't support VMs that are PaaS resources.
It's not running one of the supported operating systems:
Vendor | OS | Supported versions |
---|---|---|
Microsoft | Windows | All |
Amazon | Amazon Linux | 2015.09-2018.03 |
Amazon | Amazon Linux 2 | 2017.03-2.0.2021 |
Red Hat | Enterprise Linux | 5.4+, 6, 7-7.9, 8-8.5, 9 beta |
Red Hat | CentOS | 5.4-5.11, 6-6.7, 7-7.8, 8-8.5 |
Red Hat | Fedora | 22-33 |
SUSE | Linux Enterprise Server (SLES) | 11, 12, 15, 15 SP1 |
SUSE | openSUSE | 12, 13, 15.0-15.3 |
SUSE | Leap | 42.1 |
Oracle | Enterprise Linux | 5.11, 6, 7-7.9, 8-8.5 |
Debian | Debian | 7.x-11.x |
Ubuntu | Ubuntu | 12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS |
What is scanned by the built-in vulnerability scanner?
The scanner runs on your machine to look for vulnerabilities of the machine itself. From the machine, it can't scan your network.
Does the scanner integrate with my existing Qualys console?
The Defender for Cloud extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Microsoft Defender for Cloud.
How quickly will the scanner identify newly disclosed critical vulnerabilities?
Within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.
Next steps
Defender for Cloud also offers vulnerability analysis for your:
- SQL databases - see Explore vulnerability assessment reports in the vulnerability assessment dashboard
- Azure Container Registry images - see Use Defender for Containers to scan your ACR images for vulnerabilities