Azure Defender's integrated vulnerability assessment solution for Azure and hybrid machines

A core component of every cyber risk and security program is the identification and analysis of vulnerabilities.

Security Center regularly checks your connected machines to ensure they're running vulnerability assessment tools.

When a machine is found that doesn't have a vulnerability assessment solution deployed, Security Center generates the following security recommendation:

A vulnerability assessment solution should be enabled on your virtual machines

Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc enabled hybrid machines.

Deploy the vulnerability assessment solution that best meets your needs and budget:

  • Integrated vulnerability assessment solution (powered by Qualys) - Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. This page provides details of this scanner and instructions for how to deploy it.

    Tip

    The integrated vulnerability assessment solution supports both Azure virtual machines and hybrid machines. To deploy the vulnerability assessment scanner to your on-prem and multi-cloud machines, connect them to Azure first with Azure Arc as described in Connect your non-Azure machines to Security Center.

    Security Center's integrated vulnerability assessment solution works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Security Center and no Log Analytics agent is required.

  • Bring your own license (BYOL) solutions - Security Center supports the integration of tools from other vendors, but you'll need to handle the licensing costs, deployment, and configuration. By deploying your tool with Security Center, you'll get information about which Azure virtual machines are missing the tool. You'll also be able to view findings within Security Center. If you'd prefer to use your organization's private Qualys or Rapid7 license instead of the Qualys license included with Azure Defender, see How to deploy a BYOL solution.

Availability

Aspect                            Details
Release state:                    Generally available (GA)
Machine types (hybrid scenarios): Yes - Azure virtual machines
                                  Yes - Azure Arc enabled machines (Preview)
Pricing:                          Requires Azure Defender for servers
Required roles and permissions:   Resource owner can deploy the scanner
                                  Security reader can view findings
Clouds:                           Yes - Commercial clouds
                                  No  - National/Sovereign (US Gov, China Gov, Other Gov)

Overview of the integrated vulnerability scanner

The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities. It's only available with Azure Defender for servers. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center.

How the integrated vulnerability scanner works

The vulnerability scanner extension works as follows:

  1. Deploy - Azure Security Center monitors your machines and provides recommendations to deploy the Qualys extension on your selected machines.

  2. Gather information - The extension collects artifacts and sends them for analysis in the Qualys cloud service in the defined region.

  3. Analyze - Qualys' cloud service conducts the vulnerability assessment and sends its findings to Security Center.

    Important

    To ensure the privacy, confidentiality, and security of our customers, we don't share customer details with Qualys. Learn more about the privacy standards built into Azure.

  4. Report - The findings are available in Security Center.

[Image: Process flow diagram for Azure Security Center's built-in vulnerability scanner]

Deploy the integrated scanner to your Azure and hybrid machines

  1. From the Azure portal, open Security Center.

  2. From Security Center's menu, open the Recommendations page.

  3. Select the recommendation A vulnerability assessment solution should be enabled on your virtual machines.

    [Image: The groupings of the machines in the recommendation page]

    Tip

    The machine "server16-test" shown above is an Azure Arc enabled machine. To deploy the vulnerability assessment scanner to your on-prem and multi-cloud machines, see Connect your non-Azure machines to Security Center.

    Security Center works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Security Center and no Log Analytics agent is required.

    Your machines will appear in one or more of the following groups:

    • Healthy resources – Security Center has detected a vulnerability assessment solution running on these machines.

    • Unhealthy resources – A vulnerability scanner extension can be deployed to these machines.

    • Not applicable resources – these machines can't have a vulnerability scanner extension deployed. Your machine might be in this tab because it's an image in an AKS cluster, it's part of a virtual machine scale set, or it's not running one of the supported operating systems for the integrated vulnerability scanner:

      Vendor      OS                                Supported versions
      Microsoft   Windows                           All
      Red Hat     Enterprise Linux                  5.4+, 6, 7.0-7.8, 8.0-8.1
      Red Hat     CentOS                            5.4+, 6, 7.0-7.7, 8.0-8.1
      Red Hat     Fedora                            22-31
      SUSE        Linux Enterprise Server (SLES)    11, 12, 15
      SUSE        OpenSUSE                          12, 13, 15.0-15.2
      SUSE        Leap                              42.1
      Oracle      Enterprise Linux                  5.11, 6, 7.0-7.5
      Debian      Debian                            7.x-10.x
      Ubuntu      Ubuntu                            12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS

  4. From the list of unhealthy machines, select the ones to receive a vulnerability assessment solution and select Remediate.

    Important

    Depending on your configuration, this list may appear differently.

    • If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
    • If your selected machines aren't protected by Azure Defender, the ASC integrated vulnerability scanner option won't be available.

    [Image: The remediation-flow options offered on the recommendation page for A vulnerability assessment solution should be enabled on your virtual machines]

  5. Choose the recommended option, Deploy ASC integrated vulnerability scanner, and Proceed.

  6. You'll be asked for one further confirmation. Select Remediate.

    The scanner extension will be installed on all of the selected machines within a few minutes.

    Scanning begins automatically as soon as the extension is successfully deployed. Scans will then run at four-hour intervals. This interval isn't configurable.

    Important

    If the deployment fails on one or more machines, ensure the target machines can communicate with Qualys' cloud service on the following two IP addresses (via port 443 - the default for HTTPS):

    • 64.39.104.113 - Qualys' US data center
    • 154.59.121.74 - Qualys' European data center

    If your machine is in a European Azure region, its artifacts will be processed in Qualys' European data center. Artifacts for virtual machines located elsewhere are sent to the US data center.

Automate at-scale deployments

Note

All of the tools described in this section are available from Security Center's GitHub community repository. There, you can find scripts, automations, and other useful resources to use throughout your ASC deployment.

Some of these tools only affect new machines connected after you enable at scale deployment. Others also deploy to existing machines. You can combine multiple approaches.

Some of the ways you can automate deployment at scale of the integrated scanner:

  • Azure Resource Manager – This method is available from the view recommendation logic in the Azure portal. The remediation script includes the relevant ARM template you can use for your automation.
  • DeployIfNotExists policy – A custom policy for ensuring all newly created machines receive the scanner. Select Deploy to Azure and set the relevant parameters. You can assign this policy at the level of resource groups, subscriptions, or management groups.
  • PowerShell Script – Use the Update qualys-remediate-unhealthy-vms.ps1 script to deploy the extension for all unhealthy virtual machines. To install on new resources, automate the script with Azure Automation. The script finds all unhealthy machines discovered by the recommendation and executes an Azure Resource Manager call.
  • Azure Logic Apps – Build a logic app based on the sample app. Use Security Center's workflow automation tools to trigger your logic app to deploy the scanner whenever the A vulnerability assessment solution should be enabled on your virtual machines recommendation is generated for a resource.
  • REST API – To deploy the integrated vulnerability assessment solution using Security Center's REST API, make a PUT request for the following URL and add the relevant resource ID: https://management.azure.com/<resourceId>/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview
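The REST API option above is the building block for the other automations (the PowerShell script and the Logic App ultimately issue the same PUT). The following is an added example, not Microsoft's or Qualys' code, showing how to issue that PUT for one machine or a batch of them with only the Python standard library. It assumes you already hold a bearer token for https://management.azure.com (for instance from `az account get-access-token`), that the target resource ID is an Azure VM or an Azure Arc enabled machine, and it writes the query parameter in its canonical lowercase form `api-version` where the page writes `api-Version`. The `send` parameter is injectable so the request construction can be verified without network access.

```python
"""Enable Security Center's integrated (Qualys) vulnerability assessment
through the serverVulnerabilityAssessments REST endpoint.

Added example, not part of the Microsoft documentation.
Assumes: a valid ARM bearer token; targets are VMs or Arc machines.
"""
import json
import re
import urllib.error
import urllib.request

API_VERSION = "2015-06-01-preview"  # from the URL on the page

# Resource ID shapes the recommendation applies to (assumed patterns):
# Azure VMs and Azure Arc enabled machines.
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"(Microsoft\.Compute/virtualMachines|Microsoft\.HybridCompute/machines)/[^/]+$"
)


def validate_resource_id(resource_id: str) -> str:
    """Return the resource ID if it is a VM or Arc machine ID, else raise."""
    if not _RESOURCE_ID_RE.match(resource_id):
        raise ValueError(f"not an Azure VM or Arc machine resource ID: {resource_id!r}")
    return resource_id


def assessment_url(resource_id: str) -> str:
    """Build the serverVulnerabilityAssessments/default URL for this resource."""
    return (
        "https://management.azure.com"
        f"{validate_resource_id(resource_id)}"
        "/providers/Microsoft.Security/serverVulnerabilityAssessments/default"
        f"?api-version={API_VERSION}"
    )


def deploy_integrated_scanner(resource_id, token, send=urllib.request.urlopen):
    """PUT the 'default' server vulnerability assessment (the integrated
    scanner) for one machine. Returns (HTTP status, parsed JSON body).
    `send` must behave like urllib.request.urlopen (context manager with
    .status and .read()); the default performs the real call."""
    req = urllib.request.Request(
        assessment_url(resource_id),
        data=b"{}",  # the endpoint needs no properties; an empty JSON object is sent
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with send(req) as resp:
        status = resp.status
        body = resp.read()
    return status, (json.loads(body) if body else {})


def deploy_many(resource_ids, token, send=urllib.request.urlopen):
    """Deploy to every machine in the list (for example the 'unhealthy' group
    from the recommendation). Failures are recorded per machine instead of
    aborting the batch, so one unreachable machine doesn't block the rest."""
    results = {}
    for rid in resource_ids:
        try:
            results[rid] = deploy_integrated_scanner(rid, token, send)[0]
        except (ValueError, urllib.error.URLError) as exc:
            results[rid] = f"error: {exc}"
    return results
```

Run `deploy_many` over the resource IDs of the unhealthy machines and inspect the returned dictionary: an HTTP 200 means the assessment resource was created or already existed, while an error string points at a malformed ID, a missing permission (the page notes that a resource owner can deploy the scanner) or a network problem.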

Trigger an on-demand scan

You can trigger an on-demand scan from the machine itself, using locally or remotely executed scripts or GPO. Alternatively, you can integrate it into your software distribution tools at the end of a patch deployment job.

The following commands trigger an on-demand scan:

  • Windows machines: REG ADD HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f
  • Linux machines: sudo /usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm

FAQ - Integrated vulnerability scanner (powered by Qualys)

Are there any additional charges for the Qualys license?

No. The built-in scanner is free to all Azure Defender users. The recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.

What prerequisites and permissions are required to install the Qualys extension?

You'll need write permissions for any machine on which you want to deploy the extension.

The Azure Security Center Vulnerability Assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs as Local Host on Windows and as root on Linux.

During setup, Security Center checks to ensure that the machine can communicate with the following two Qualys data centers (via port 443 - the default for HTTPS):

  • 64.39.104.113 - Qualys' US data center
  • 154.59.121.74 - Qualys' European data center

The extension doesn't currently accept any proxy configuration details.
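Both the deployment-failure note earlier on the page and the prerequisites answer above come down to the same check: can the machine open TCP 443 to the Qualys data center it will use, with no proxy in the path (the extension accepts none)? The following is an added example, not Microsoft's or Qualys' code, that performs that pre-flight probe. The two IP addresses and the rule that European Azure regions use the European data center while everything else uses the US one come from the page; the list of region-name prefixes treated as European is my assumption and should be checked against the regions in your own subscription.

```python
"""Pre-flight connectivity check for the Qualys cloud service endpoints
the extension needs (page: 64.39.104.113 US, 154.59.121.74 Europe, TCP 443).

Added example, not part of the Microsoft documentation.
"""
import socket

QUALYS_ENDPOINTS = {
    "us": ("64.39.104.113", 443),
    "eu": ("154.59.121.74", 443),
}

# Assumed: Azure region names whose artifacts go to Qualys' European data
# center. Extend this tuple if your subscription uses other European regions.
_EU_REGION_PREFIXES = ("northeurope", "westeurope", "uksouth", "ukwest",
                       "francecentral", "francesouth", "germany",
                       "switzerland", "norway", "sweden")


def qualys_datacenter_for_region(azure_region: str) -> str:
    """'eu' for European Azure regions, 'us' for everything else (page's rule).
    Accepts display names ('West Europe') as well as names ('westeurope')."""
    region = azure_region.replace(" ", "").lower()
    return "eu" if region.startswith(_EU_REGION_PREFIXES) else "us"


def tcp_reachable(host, port, timeout=5.0, connect=socket.create_connection):
    """True if a TCP connection to host:port succeeds within `timeout`.
    `connect` is injectable so the logic can be exercised offline."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_qualys_connectivity(azure_region, connect=socket.create_connection):
    """Probe both data centers and report whether the one this region's
    artifacts are sent to is reachable. The page lists both IPs in its
    troubleshooting note, so both are probed and reported."""
    expected = qualys_datacenter_for_region(azure_region)
    reachable = {name: tcp_reachable(host, port, connect=connect)
                 for name, (host, port) in QUALYS_ENDPOINTS.items()}
    return {"expected": expected, "reachable": reachable, "ok": reachable[expected]}


if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "westeurope"
    result = check_qualys_connectivity(region)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it on the machine itself (`python3 check.py northeurope`) before or after a failed deployment; a non-zero exit means an NSG, firewall or forced-tunnelling route is blocking the data center that machine needs, which matches the failure mode the page describes.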

Can I remove the Security Center Qualys extension?

If you want to remove the extension from a machine, you can do it manually or with any of your programmatic tools.

You'll need the following details:

  • On Linux, the extension is called "LinuxAgent.AzureSecurityCenter" and the publisher name is "Qualys"
  • On Windows, the extension is called "WindowsAgent.AzureSecurityCenter" and the provider name is "Qualys"
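The names above identify the extension type and publisher; the instance name under which it was deployed on a given machine can differ, so a removal tool should find the extension by publisher and type rather than assume the name. The following added example (mine, not Microsoft's or Qualys' code) does that over ARM with the standard library. It assumes a bearer token for management.azure.com, and the extensions API versions it uses (2021-03-01 for Microsoft.Compute virtual machines, 2021-05-20 for Microsoft.HybridCompute Arc machines) are assumptions to check against the current REST reference. The `send` parameter is injectable so the flow can be verified offline.

```python
"""Find and remove the Security Center Qualys extension from an Azure VM or
an Azure Arc machine, matching on publisher "Qualys" and the type names
given on the page instead of guessing the extension instance name.

Added example, not part of the Microsoft documentation.
"""
import json
import urllib.request

ASC_QUALYS_PUBLISHER = "Qualys"
ASC_QUALYS_TYPES = {"LinuxAgent.AzureSecurityCenter",
                    "WindowsAgent.AzureSecurityCenter"}

# ARM resource type -> extensions api-version (assumed values, verify them).
_EXTENSION_API = {
    "microsoft.compute/virtualmachines": "2021-03-01",
    "microsoft.hybridcompute/machines": "2021-05-20",
}


def _api_version_for(resource_id):
    lower = resource_id.lower()
    for rtype, api in _EXTENSION_API.items():
        if f"/providers/{rtype}/" in lower:
            return api
    raise ValueError(f"unsupported resource type in {resource_id!r}")


def arm_call(method, url, token, send=urllib.request.urlopen):
    """Minimal authenticated ARM request; returns (status, parsed JSON or {})."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with send(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else {})


def find_asc_qualys_extension(extensions_listing):
    """Return the instance name of the ASC Qualys extension found in an ARM
    '.../extensions' listing ({"value": [...]}), or None if it isn't there."""
    for ext in extensions_listing.get("value", []):
        props = ext.get("properties", {})
        if (props.get("publisher") == ASC_QUALYS_PUBLISHER
                and props.get("type") in ASC_QUALYS_TYPES):
            return ext["name"]
    return None


def remove_asc_qualys_extension(resource_id, token, send=urllib.request.urlopen):
    """List the machine's extensions, locate the Qualys one and DELETE it.
    Returns the removed extension's instance name, or None if not installed."""
    api = _api_version_for(resource_id)
    base = f"https://management.azure.com{resource_id}/extensions"
    _, listing = arm_call("GET", f"{base}?api-version={api}", token, send)
    name = find_asc_qualys_extension(listing)
    if name is None:
        return None
    status, _ = arm_call("DELETE", f"{base}/{name}?api-version={api}", token, send)
    if status not in (200, 202, 204):  # 202 = deletion accepted, still running
        raise RuntimeError(f"unexpected status {status} deleting {name}")
    return name
```

After removal, the machine moves back to the recommendation's unhealthy group, and any DeployIfNotExists policy or workflow automation from the previous section will redeploy the scanner unless you exempt the machine first.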

How does the extension get updated?

Like the Azure Security Center agent itself and all other Azure extensions, minor updates of the Qualys scanner may automatically happen in the background. All agents and extensions are tested extensively before being automatically deployed.

Why does my machine show as "not applicable" in the recommendation?

The recommendation details page groups your machines into the following lists: healthy, unhealthy, and not applicable.

If you have machines in the not applicable resources group, it means Security Center can't deploy the vulnerability scanner extension on those machines.

Your machine might be in this tab because:

  • It's not protected by Azure Defender - As explained above, the vulnerability scanner included with Azure Security Center is only available for machines protected by Azure Defender for servers.

  • It's an image in an AKS cluster or part of a virtual machine scale set - This extension doesn't support VMs that are PaaS resources.

  • It's not running one of the supported operating systems:

    Vendor      OS                                Supported versions
    Microsoft   Windows                           All
    Red Hat     Enterprise Linux                  5.4+, 6, 7.0-7.8, 8.0-8.1
    Red Hat     CentOS                            5.4+, 6, 7.0-7.7, 8.0-8.1
    Red Hat     Fedora                            22-31
    SUSE        Linux Enterprise Server (SLES)    11, 12, 15
    SUSE        OpenSUSE                          12, 13, 15.0-15.2
    SUSE        Leap                              42.1
    Oracle      Enterprise Linux                  5.11, 6, 7.0-7.5
    Debian      Debian                            7.x-10.x
    Ubuntu      Ubuntu                            12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS
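The support matrix appears twice on this page (in the deployment steps and in this FAQ answer), and a defender planning coverage usually wants to run it against an inventory rather than read it. The following is an added example, not Microsoft's or Qualys' code, that encodes the table exactly as written and evaluates a (vendor, OS, version) triple against it. The interpretation of the version notation is my assumption: "5.4+" means 5.4 and later releases of the same major version, "7.0-7.8" an inclusive range compared at the precision the range gives, "7.x-10.x" and "15.x" any release of those major versions, a bare "6" any 6.x release, and "All" every version.

```python
"""Evaluate a machine's OS against the integrated scanner's support matrix.

Added example, not part of the Microsoft documentation. The matrix text is
copied from the page; the range grammar below is an assumed reading of it.
"""
import re

SUPPORT_MATRIX = {  # (vendor, OS) -> supported versions, as written on the page
    ("Microsoft", "Windows"): "All",
    ("Red Hat", "Enterprise Linux"): "5.4+, 6, 7.0-7.8, 8.0-8.1",
    ("Red Hat", "CentOS"): "5.4+, 6, 7.0-7.7, 8.0-8.1",
    ("Red Hat", "Fedora"): "22-31",
    ("SUSE", "Linux Enterprise Server (SLES)"): "11, 12, 15",
    ("SUSE", "OpenSUSE"): "12, 13, 15.0-15.2",
    ("SUSE", "Leap"): "42.1",
    ("Oracle", "Enterprise Linux"): "5.11, 6, 7.0-7.5",
    ("Debian", "Debian"): "7.x-10.x",
    ("Ubuntu", "Ubuntu"): "12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS",
}

_VERSION_RE = re.compile(r"\d+(?:\.(?:\d+|x))*")


def parse_version(text):
    """'7.8.2003' -> (7, 8, 2003); 'LTS' suffixes and anything after the
    numeric part are ignored; an 'x' wildcard ends the tuple ('15.x' -> (15,))."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return ()
    parts = []
    for part in match.group(0).split("."):
        if part == "x":
            break
        parts.append(int(part))
    return tuple(parts)


def _matches(spec, version):
    """Does one comma-separated item of the matrix cover `version`?"""
    spec = spec.strip()
    if spec == "All":
        return True
    ver = parse_version(version)
    if spec.endswith("+"):                      # '5.4+': same major, >= 5.4
        lo = parse_version(spec[:-1])
        return ver[:1] == lo[:1] and ver[:len(lo)] >= lo
    if "-" in spec:                             # '7.0-7.8', '7.x-10.x', '22-31'
        lo, hi = (parse_version(s) for s in spec.split("-", 1))
        return lo <= ver[:len(lo)] and ver[:len(hi)] <= hi
    exact = parse_version(spec)                 # '6', '42.1', '12.04 LTS'
    return ver[:len(exact)] == exact


def is_supported(vendor, os_name, version):
    """True if the integrated scanner supports this OS release per the matrix.
    Unknown vendor/OS pairs are reported as unsupported (they would land in
    the recommendation's 'not applicable' group)."""
    spec = SUPPORT_MATRIX.get((vendor, os_name))
    if spec is None:
        return False
    return any(_matches(item, version) for item in spec.split(","))
```

Feed it your CMDB or `osProfile` data; every machine that returns False needs a BYOL scanner or another compensating control, because the integrated extension will never be offered for it.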

What is scanned by the built-in vulnerability scanner?

The scanner runs on your machine to look for vulnerabilities of the machine itself. From the machine, it can't scan your network.

Does the scanner integrate with my existing Qualys console?

The Security Center extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Azure Security Center.

Microsoft Defender Advanced Threat Protection also includes Threat & Vulnerability Management (TVM). How is the Security Center Vulnerability Assessment extension different?

We're actively developing a world-class vulnerability management service with Microsoft Defender ATP's Threat & Vulnerability Management solution, built into Windows.

Today, Azure Security Center's Vulnerability Assessment extension is powered by Qualys. The Qualys extension ensures support for both Windows and Linux machines. The extension also benefits from Qualys's own knowledge of vulnerabilities that don't yet have CVEs.

How quickly will the scanner identify newly disclosed critical vulnerabilities?

Within 48 hours of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.

Next steps

Security Center also offers vulnerability analysis for your: