Deploy a bring your own license (BYOL) vulnerability assessment solution
If you've enabled Azure Defender for servers, you're able to use Azure Security Center's built-in vulnerability assessment tool as described in Integrated vulnerability scanner for virtual machines. This tool is integrated into Azure Defender and doesn't require any external licenses - everything's handled seamlessly inside Security Center. In addition, the integrated scanner supports Azure Arc enabled machines.
Alternatively, you might want to deploy your own privately licensed vulnerability assessment solution from Qualys or Rapid7. You can install one of these partner solutions on multiple VMs belonging to the same subscription (but not to Azure Arc enabled machines).
|Aspect|Details|
|----|----|
|Release state:|General availability (GA)|
|Machine types:|Azure virtual machines<br>Azure Arc enabled machines|
|Required roles and permissions:|Resource owner can deploy the scanner<br>Security reader can view findings|
|Clouds:|National/Sovereign (Azure Government, Azure China 21Vianet)|
Deploy a BYOL solution from the Azure portal
The BYOL options refer to supported third-party vulnerability assessment solutions. Currently both Qualys and Rapid7 are supported providers.
Supported solutions report vulnerability data to the partner's management platform. In turn, that platform provides vulnerability and health monitoring data back to Security Center. You can identify vulnerable VMs on the Security Center dashboard and switch to the partner management console directly from Security Center for reports and more information.
1. From the Azure portal, open Security Center.
2. From Security Center's menu, open the Recommendations page.
3. Select the recommendation A vulnerability assessment solution should be enabled on your virtual machines.
4. Your VMs will appear in one or more of the following groups:
   - Healthy resources – Security Center has detected a vulnerability assessment solution running on these VMs.
   - Unhealthy resources – A vulnerability scanner extension can be deployed to these VMs.
   - Not applicable resources – These VMs can't have a vulnerability scanner extension deployed.
5. From the list of unhealthy machines, select the ones to receive a vulnerability assessment solution and select Remediate.
   Depending on your configuration, you might only see a subset of this list:
   - If you don't have a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
   - If your selected VMs aren't protected with Azure Defender, the ASC integrated vulnerability scanner option will be unavailable.
6. If you're setting up a new BYOL configuration, select Configure a new third-party vulnerability scanner, select the relevant extension, select Proceed, and enter the details from the provider as follows:
   - For Resource group, select Use existing. If you later delete this resource group, the BYOL solution won't be available.
   - For Location, select where the solution is geographically located.
   - For Qualys, enter the license provided by Qualys into the License code field.
   - For Rapid7, upload the Rapid7 Configuration File.
   - In the Public key box, enter the public key information provided by the partner.
   - To automatically install this vulnerability assessment agent on all VMs discovered in the subscription of this solution, select Auto deploy.
   - Select OK.
7. If you've already set up your BYOL solution, select Deploy your configured third-party vulnerability scanner, select the relevant extension, and select Proceed.
8. After the vulnerability assessment solution is installed on the target machines, Security Center runs a scan to detect and identify vulnerabilities in the system and applications. It might take a couple of hours for the first scan to complete. After that, it runs hourly.
Deploy a BYOL solution using PowerShell and the REST API
To programmatically deploy your own privately licensed vulnerability assessment solution from Qualys or Rapid7, use the supplied script PowerShell > Vulnerability Solution. This script uses the REST API to create a new security solution in ASC. You'll need a license and a key provided by your service provider (Qualys or Rapid7).
Only one solution can be created per license. Attempting to create another solution using the same name/license/key will fail.
Required PowerShell modules:
- `Install-Module Az`
- `Install-Module Az.Security`
Run the script
To run the script, you'll need the relevant information for the parameters below.
|Parameter|Required|Description|
|----|:----:|----|
|SubscriptionId|✔|The subscription ID of the Azure subscription that contains the resources you want to analyze.|
|ResourceGroupName|✔|Name of the resource group. Use any existing resource group, including the default ("DefaultResourceGroup-xxx").<br>Since the solution isn't an Azure resource, it won't be listed under the resource group, but it's still attached to it. If you later delete the resource group, the BYOL solution will be unavailable.|
|vaSolutionName|✔|The name of the new solution.|
|vaType|✔|Qualys or Rapid7.|
|licenseCode|✔|Vendor-provided license string.|
|publicKey|✔|Vendor-provided public key.|
|autoUpdate|-|Enable (true) or disable (false) auto deploy for this VA solution. When enabled, every new VM in the subscription will automatically attempt to link to the solution.|
```powershell
.\New-ASCVASolution.ps1 -subscriptionId <Subscription Id> -resourceGroupName <RG Name> -vaSolutionName <New solution name> -vaType <Qualys / Rapid7> -autoUpdate <true/false> -licenseCode <License code from vendor> -publicKey <Public Key received from vendor>
```
Example (this example doesn't include valid license details):

```powershell
.\New-ASCVASolution.ps1 -subscriptionId 'f4cx1b69-dtgb-4ch6-6y6f-ea2e95373d3b' -resourceGroupName 'DefaultResourceGroup-WEU' `
    -vaSolutionName 'QualysVa001' -vaType 'Qualys' -autoUpdate 'false' `
    -licenseCode 'eyJjaWQiOiJkZDg5OTYzXe4iMTMzLWM4NTAtODM5FD2mZWM1N2Q3ZGU5MjgiLCJgbTYuOiIyMmM5NDg3MS1lNTVkLTQ1OGItYjhlMC03OTRhMmM3YWM1ZGQiLCJwd3NVcmwiOiJodHRwczovL3FhZ3B1YmxpYy1wMDEuaW50LnF1YWx5cy5jb20vQ2xvdSKJY6VudC8iLCJwd3NQb3J0IjoiNDQzIn0=' `
    -publicKey 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOiOLXjOywMfLZIBGPZLwSocf1Q64GASLK9OHFEmanBl1nkJhZDrZ4YD5lM98fThYbAx1Rde2iYV1ze/wDlX4cIvFAyXuN7HbdkeIlBl6vWXEBZpUU17bOdJOUGolzEzNBhtxi/elEZLghq9Chmah82me/okGMIhJJsCiTtglVQIDAQAB'
```
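As an added pre-flight check that is not part of New-ASCVASolution.ps1 or of any Microsoft or vendor script, the function below validates the parameter values from the table above before the script is run and, for a Qualys license, reports which Qualys platform host the license points at (the host to look up on the platform-identification page mentioned in the FAQ below). It assumes that a Qualys license code is the base64 encoding of a JSON object with a pwsUrl field, which is what the example license code on this page decodes to; Test-ASCVASolutionInput and the sample license JSON are constructed here.

```powershell
# Assumption: a Qualys license code is base64 of a JSON object carrying a pwsUrl field,
# which is what the example license code on this page decodes to.
function Test-ASCVASolutionInput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][ValidateSet('Qualys', 'Rapid7')][string]$VaType,
        [Parameter(Mandatory)][string]$LicenseCode,
        [Parameter(Mandatory)][string]$PublicKey,
        [ValidateSet('true', 'false')][string]$AutoUpdate = 'false'
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($SubscriptionId, [ref]$guid)) {
        $problems.Add("SubscriptionId '$SubscriptionId' is not a GUID")
    }
    # Loose check against Azure resource group naming (alphanumerics, '.', '_', '-', parentheses, max 90 chars)
    if ($ResourceGroupName -notmatch '^[\w.()\-]{1,90}$') { $problems.Add('ResourceGroupName has unexpected characters') }
    # The vendor public key is base64 DER; an RSA SubjectPublicKeyInfo carries the rsaEncryption OID
    # (06 09 2A 86 48 86 F7 0D 01 01 01) within its first bytes, so look for it there.
    try {
        $der = [Convert]::FromBase64String($PublicKey)
        $head = ($der[0..([Math]::Min(31, $der.Length - 1))] | ForEach-Object { $_.ToString('X2') }) -join ''
        if ($head -notmatch '06092A864886F70D010101') { $problems.Add('PublicKey is not an RSA SubjectPublicKeyInfo') }
    } catch { $problems.Add('PublicKey is not valid base64') }
    # The license must decode; for Qualys, pull the platform host so the right SOC CIDR/URLs can be allowed
    $platform = $null
    try {
        $raw = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($LicenseCode))
        if ($VaType -eq 'Qualys') {
            $lic = $raw | ConvertFrom-Json -ErrorAction Stop
            if ($lic.pwsUrl) { $platform = ([uri]$lic.pwsUrl).Host }
            else { $problems.Add('Qualys license code has no pwsUrl field') }
        }
    } catch { $problems.Add('LicenseCode could not be decoded') }
    [pscustomobject]@{
        IsValid        = ($problems.Count -eq 0)
        Problems       = $problems
        QualysPlatform = $platform   # look this host up on the Qualys platform-identification page
    }
}
# Constructed sample: the license JSON is made up here; the subscription ID and public key are
# this page's deliberately invalid example values, so expect the check to flag them.
$sampleLicense = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
    '{"cid":"CONSTRUCTED","pwsUrl":"https://qagpublic-p01.int.qualys.com/CloudAgent/","pwsPort":"443"}'))
Test-ASCVASolutionInput -SubscriptionId 'f4cx1b69-dtgb-4ch6-6y6f-ea2e95373d3b' `
    -ResourceGroupName 'DefaultResourceGroup-WEU' -VaType 'Qualys' -LicenseCode $sampleLicense `
    -PublicKey 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOiOLXjOywMfLZIBGPZLwSocf1Q64GASLK9OHFEmanBl1nkJhZDrZ4YD5lM98fThYbAx1Rde2iYV1ze/wDlX4cIvFAyXuN7HbdkeIlBl6vWXEBZpUU17bOdJOUGolzEzNBhtxi/elEZLghq9Chmah82me/okGMIhJJsCiTtglVQIDAQAB' | Format-List
```

Run it with the real vendor values before calling New-ASCVASolution.ps1; a false IsValid lists the offending parameters, and QualysPlatform gives the host whose SOC ranges must be reachable from the scanned VMs.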
FAQ - BYOL vulnerability scanner
- If I deploy a Qualys agent, what communications settings are required?
- Why do I have to specify a resource group when configuring a BYOL solution?
If I deploy a Qualys agent, what communications settings are required?
The Qualys Cloud Agent is designed to communicate with Qualys's SOC at regular intervals for updates, and to perform the various operations required for product functionality. To allow the agent to communicate seamlessly with the SOC, configure your network security to allow inbound and outbound traffic to the Qualys SOC CIDR and URLs.
There are multiple Qualys platforms across various geographic locations. The SOC CIDR and URLs differ depending on the host platform of your Qualys subscription. To identify your Qualys host platform, see https://www.qualys.com/platform-identification/.
Why do I have to specify a resource group when configuring a BYOL solution?
When you set up your solution, you must choose a resource group to attach it to. The solution isn't an Azure resource, so it won't be included in the list of the resource group’s resources. Nevertheless, it's attached to that resource group. If you later delete the resource group, the BYOL solution will be unavailable.
Security Center also offers vulnerability analysis for your:
- SQL databases - see Explore vulnerability assessment reports in the vulnerability assessment dashboard
- Azure Container Registry images - see Use Azure Defender for container registries to scan your images for vulnerabilities