Enable vulnerability scanning with a Bring Your Own License (BYOL) solution
The Defender for Servers plan in Microsoft Defender for Cloud has a built-in vulnerability assessment tool. The vulnerability assessment tool doesn't require any external licenses and supports Azure Arc-enabled machines.
If you don't want to use the integrated vulnerability assessment tool, you can use your own privately licensed vulnerability assessment solution from Qualys or Rapid7. This article explains the steps needed to deploy one of these partner solutions on multiple VMs belonging to the same subscription (but not to Azure Arc-enabled machines).
Availability
| Aspect | Details |
|---|---|
| Release state: | General availability (GA) |
| Machine types: | 
Azure virtual machines
Azure Arc-enabled machines |
| Pricing: | Free |
| Required roles and permissions: | Resource owner can deploy the scanner Security reader can view findings |
| Clouds: |
Commercial clouds
National (Azure Government, Microsoft Azure operated by 21Vianet) |
Deploy a BYOL solution from the Azure portal
The BYOL options refer to supported third-party vulnerability assessment solutions. Currently both Qualys and Rapid7 are supported providers.
Supported solutions report vulnerability data to the partner's management platform. In turn, that platform provides vulnerability and health monitoring data back to Defender for Cloud. You can identify vulnerable VMs on the workload protection dashboard and switch to the partner management console, directly from Defender for Cloud for reports and more information.
From the Azure portal, open Defender for Cloud.
From Defender for Cloud's menu, open the Recommendations page.
Select the recommendation Machines should have a vulnerability assessment solution.
Your VMs appear in one or more of the following groups:
- Healthy resources – Defender for Cloud detected a vulnerability assessment solution running on these VMs.
- Unhealthy resources – A vulnerability scanner extension can be deployed to these VMs.
- Not applicable resources – these VMs can't have a vulnerability scanner extension deployed.
From the list of unhealthy machines, select the ones to receive a vulnerability assessment solution and select Remediate.
Important
Depending on your configuration, you might only see a subset of this list.
- If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
- If your selected VMs aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option will be unavailable.
If you're setting up a new BYOL configuration, select Configure a new third-party vulnerability scanner, select the relevant extension, select Proceed, and enter the details from the provider as follows:
- For Resource group, select Use existing. If you later delete this resource group, the BYOL solution won't be available.
- For Location, select where the solution is geographically located.
- For Qualys, enter the license provided by Qualys into the License code field.
- For Rapid7, upload the Rapid7 Configuration File.
- In the Public key box, enter the public key information provided by the partner.
- To automatically install this vulnerability assessment agent on all discovered VMs in the subscription of this solution, select Auto deploy.
- Select OK.
If you have already set up your BYOL solution, select Deploy your configured third-party vulnerability scanner, select the relevant extension, and select Proceed.
After the vulnerability assessment solution is installed on the target machines, Defender for Cloud runs a scan to detect and identify vulnerabilities in the system and application. It might take a couple of hours for the first scan to complete. After that, it runs hourly.
Deploy a BYOL solution using PowerShell and the REST API
To programmatically deploy your own privately licensed vulnerability assessment solution from Qualys or Rapid7, use the supplied script PowerShell > Vulnerability Solution. This script uses the REST API to create a new security solution in Defender for Cloud. You need a license and a key provided by your service provider (Qualys or Rapid7).
Important
Only one solution can be created per license. Attempting to create another solution using the same name/license/key will fail.
Prerequisites
Required PowerShell modules:
- Install-module Az
- Install-module Az.security
Run the script
To run the script, you need the relevant information for the following parameters:
| Parameter | Required | Notes |
|---|---|---|
| SubscriptionId | ✔ | The subscriptionID of the Azure Subscription that contains the resources you want to analyze. |
| ResourceGroupName | ✔ | Name of the resource group. Use any existing resource group including the default ("DefaultResourceGroup-xxx"). Since the solution isn't an Azure resource, it isn't listed under the resource group, but it's still attached to it. If you later delete the resource group, the BYOL solution is unavailable. |
| vaSolutionName | ✔ | The name of the new solution. |
| vaType | ✔ | Qualys or Rapid7. |
| licenseCode | ✔ | Vendor provided license string. |
| publicKey | ✔ | Vendor provided public key. |
| autoUpdate | - | Enable (true) or disable (false) auto deploy for this VA solution. When enabled, every new VM on the subscription automatically attempts to link to the solution. (Default: False) |
Syntax:
.\New-ASCVASolution.ps1 -subscriptionId <Subscription Id> -resourceGroupName <RG Name>
-vaSolutionName <New solution name> -vaType <Qualys / Rapid7> -autoUpdate <true/false>
-licenseCode <License code from vendor> -publicKey <Public Key received from vendor>
Example (this example doesn't include valid license details):
.\New-ASCVASolution.ps1 -subscriptionId 'f4cx1b69-dtgb-4ch6-6y6f-ea2e95373d3b' -resourceGroupName 'DefaultResourceGroup-WEU' -vaSolutionName 'QualysVa001' -vaType 'Qualys' -autoUpdate 'false' `
-licenseCode 'eyJjaWQiOiJkZDg5OTYzXe4iMTMzLWM4NTAtODM5FD2mZWM1N2Q3ZGU5MjgiLCJgbTYuOiIyMmM5NDg3MS1lNTVkLTQ1OGItYjhlMC03OTRhMmM3YWM1ZGQiLCJwd3NVcmwiOiJodHRwczovL3FhZ3B1YmxpYy1wMDEuaW50LnF1YWx5cy5jb20vQ2xvdSKJY6VudC8iLCJwd3NQb3J0IjoiNDQzIn0=' `
-publicKey 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOiOLXjOywMfLZIBGPZLwSocf1Q64GASLK9OHFEmanBl1nkJhZDrZ4YD5lM98fThYbAx1Rde2iYV1ze/wDlX4cIvFAyXuN7HbdkeIlBl6vWXEBZpUU17bOdJOUGolzEzNBhtxi/elEZLghq9Chmah82me/okGMIhJJsCiTtglVQIDAQAB'
Learn more about obtaining the Qualys Virtual Scanner Appliance in Azure Marketplace.
Next steps
- Remediate the findings from your vulnerability assessment solution
- Check out these common questions about vulnerability assessment.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for