Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Built-in vulnerability assessment for VMs in Microsoft Defender for Cloud
Published Aug 10 2020 05:30 AM 47.9K Views
Microsoft

What is the built-in vulnerability assessment tool in Microsoft Defender for Cloud?

There are several options for deploying a vulnerability assessment solutions for Azure VMs. If you're using Microsoft Defender for Cloud’s standard tier for VMs, you can quickly deploy a vulnerability assessment solution powered by Qualys with no additional configuration or extra costs. In this blog post, I will focus on a the built-in capabilities as you can see on the left side in the image below.

 

 

asc-va-options.PNG

(Please note that since this article was written, Azure Security Center was renamed to Microsoft Defender for Cloud)

 

Qualys’s scanner is the leading tool for identifying vulnerabilities in your Azure virtual machines. Once this integration is enabled, Qualys continually assesses all the installed applications on a virtual machine to find vulnerabilities and presents its findings in the Microsoft Defender for Cloud console. This offering is available to all commercial Azure customers that have enabled Microsoft Defender for Cloud standard pricing tier for VMs. In this post, I will focus on vulnerability scanning of virtual machines, although standard tier also offers scanning for both containers and container registries - learn more here.

 

How does the integration work?

Our integrated vulnerability scanner is based on 5 different stages: from discovery to findings.

 

asc-va-integration.png

 

[1] Discovery – To make this integration work, a policy named “vulnerability assessment should be enabled on virtual machines” which is part of the “ASC default” initiative must be enabled. Upon Azure Policy evaluation, we get the compliance data to identify potential and supported virtual machines which don’t have a vulnerability assessment solution deployed. Based on the result, we propagate the data into the recommendation so you can see all relevant virtual machines. Based on compliance data, we categorize the virtual machines as one of the following:

  • “healthy” - VMs that have the extension installed and report data.
  • “unhealthy” - VMs which could support the extension, but which currently don’t have it.
  • "not applicable” - Where the OS type/image is not supported (for example, a virtual machine running Network Virtual Appliance (NVA), Databricks/AKS instances or Classic VMs).

 

[2] Deployment - This is the step where you can enable the integrated Defender for Cloud vulnerability scanner by deploying the extension on your selected virtual machine/s either by using Defender for Cloud console and quick fix button, or by using an automated method (see a reference below for deployment at scale).

Prerequisites for deploying the extension:

  1. Running VM with a supported operating system version as mentioned here.
  2. Azure VM agent installed and in healthy state.

To install using the quick fix option, you'll need write permissions for any VM on which you want to deploy the extension. Like any other extension, this one runs on top of the Azure Virtual Machine agent.

Once all prerequisites are met, you should use our newly and consolidated recommendation “A vulnerability assessment solution should be enabled on your virtual machines”. In this recommendation, you can choose to deploy Defender for Cloud integrated vulnerability scanner or 3rd party scanner (BYOL).

 

asc-va-recommendation.png

 

This recommendation installs the extension on unhealthy machines. Review the heathy and not applicable lists too.

 

asc-va-recommendation-list.png

 

Once the extension is deployed, you can see if it exists, by navigating to the VM page of the Azure portal, and selecting “extensions”:

  • On Windows, the extension is called “WindowsAgent.AzureSecurityCenter” and the provider name is "Qualys”
  • On Linux, the extension is called LinuxAgent.AzureSecurityCenter and the provider name is "Qualys”

asc-va-extension.png

 

Like the Log Analytics agent itself and all other Azure extensions, minor updates of the vulnerability scanner may automatically happen in the background; the VA agent is self-healing and self-updating to counter common issues. All agents and extensions are tested extensively before being automatically deployed. On a virtual machine (on Windows for example), you will see a process QualysAgent.exe and service “Qualys Cloud Agent” running:

 

asc-va-agent.png

 

When deploying a vulnerability assessment solution, Microsoft Defender for Cloud previously performed a validation check before deploying. The check was to confirm a marketplace SKU of the destination virtual machine.
Recently, the check was removed and you can now deploy vulnerability assessment tools to 'custom' Windows and Linux machines. Custom images are ones that you've modified from the marketplace defaults.

 

[3] Scan - The gathered data collected by the agent includes many things for the baseline snapshot like network posture, operating system version, open ports, installed software, registry info, what patches are installed, environment variables, and metadata associated with files. The agent stores a snapshot on the agent host to quickly determine differences to the host metadata it collects. Such scans occur every 4 hours and are performed per VM, where artifacts are collected and sent for analysis to the Qualys Cloud service in the defined region. For virtual machines created within European regions, the gathered information is sent securely to Qualys Cloud Service in the Netherlands. For all non-EU resources, data is sent for processing in the Qualys Cloud Service in the US.

The sent artifacts are considered as metadata and the same as the ones collected by Qualys’ standalone cloud agent - Microsoft doesn't share customer details or any sensitive data with Qualys.

 

[4] Analysis – Qualys analyzes the metadata, registry keys, and other information and builds the findings per VM. Findings are sent to Microsoft Defender for Cloud matching customer’s ID and are removed from the Qualys Cloud.

 

[5] Findings – You can monitor vulnerabilities on your virtual machines as discovered by the ASC vulnerability scanner using a recommendation named “Vulnerabilities in virtual machines should be remediated” found under the recommendations list. This recommendation is divided to the affected resources and security checks (also known as nested recommendations or sub-assessments).

 

asc-va-findings.png

 

On the affected resources section, you will find virtual machines categorized as unhealthy, healthy, and not applicable. The section named “Security Checks” shows the vulnerabilities found on the unhealthy resource. Findings are categorized by severity (high, medium, and low). Below, you can see the matching between ASC severity on the left and Qualys’ severities on the right:

 

Severities.png

 

 

If you are looking for a specific vulnerability, you can use the search field to filter the items based on ID or security check title. Selecting a security check, will open a window containing the vulnerability name, description, the impact on your resources, severity, if this could be resolved by applying patch, the CVSS base score (when the highest is the most severe one), relevant CVEs. Then, you will also find the threat, remediation steps, additional references (if applicable) and the affected resource. Once you remediate the vulnerability on the affected resource, it will be removed from the recommendation page.

 

Deployment at scale

If you have large number of virtual machines and would like to automate deployment at scale of the ASC integrated scanner, we’ve got you covered! There are several ways to accomplish such deployment based on your business requirements. Some customers prefer to automate deployment by executing an ARM template, others prefer automation using Azure Automation or Azure Logic Apps and others by using Azure Policy for both automation and compliance. For all these scenarios and even beyond, we encourage you to visit our ASC GitHub community repository. There, you can find scripts, automations and other useful resources you can leverage throughout your ASC deployment. Some of the methods will deploy the extension on new machines, others cover existing ones as well. There are other scenarios where customers prefer to make API calls to trigger an installation. This is also possible by executing a PUT call to one of our REST APIs, passing the resource ID to the URL. You can also decide to combine multiple approaches.

  • ARM Deployment – This method is available on the “view recommendation logic” if you decide to remediate unhealthy resources using Azure portal. The automatic recommendation script content includes the relevant ARM template you can leverage for your automation.
  • DeployIfNotExists policy definition – We recently added a custom Azure Policy definition which can easily be deployed into your Azure environment and assigned at the relevant scope (resource group/subscription/management group).
  • PowerShell Script – This script can be used to deploy the extension for all unhealthy virtual machines and can be automated using Azure Automation for installation on new resources. The script finds all unhealthy machines discovered by the recommendation and executes an ARM call as mentioned in the first bullet.
  • Azure Logic Apps – This sample leverages another functionality available as part of Defender for Cloud’s standard tier: workflow automation. Once a new security recommendation is generated for a resource, a trigger calls a Logic App to install the agent.
  • REST API – Calling an API for agent deployment is available as well. Perform a PUT request for the following URL by adding the relevant resource ID: 
    https://management.azure.com/resourceId/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview​

 

Troubleshooting

Below you will find a checklist for your initial troubleshooting if you experience issues related to the ASC vulnerability scanner:

  • Are you running a supported OS version? Use the following list to quickly identify if your VMs are running a supported operating system version.
  • Is the extension successfully deployed? Monitor VA extension health across subscriptions using Azure Resource Graph (ARG). ARG becomes handy if you want to validate the extension status across subscriptions is heathy for both Linux and Windows machines. Use the following query:

 

 

where type == "microsoft.compute/virtualmachines/extensions"
| where name matches regex "AzureSecurityCenter"
| extend ExtensionStatus = tostring(properties.provisioningState), 
        ExtensionVersion = properties.typeHandlerVersion,
        ResourceId = id, 
        ExtensionName = name, 
        Region = location, 
        ResourceGroup = resourceGroup
| project ResourceId, ExtensionName, Region, ResourceGroup, ExtensionStatus, ExtensionVersion

 

 

 

 

asc-va-extension-status.png

 

              Results can be exported into CSV or used to build an Azure Monitor workbook.

  • Is the service running? On Windows VMs, make sure “Qualys Cloud Agent” is running. On Linux, run the command sudo service qualys-cloud-agent
  • Unable to communicate with Qualys? To communicate with the Qualys Cloud, the agent host should reach the service platform over HTTPS port 443 for the following IP addresses:
    • 64.39.104.113
    • 154.59.121.74

Check network access and ensure to accept the platform URL listed.

  • Looking for logs? Both agent and extension logs can be used during troubleshooting. However, Windows and Linux logs can be found in different places. Here are the paths:

Windows:

  • Qualys extension:
    • C:\Qualys.WindowsAgent.AzureSecurityCenter
    • C:\WindowsAzure\Logs\Plugins\Qualys.WindowsAgent.AzureSecurityCenter
  • Qualys agent:
    • %ProgramData%\Qualys\QualysAgent

Linux:

  • Qualys extension:
    • /var/log/azure/Qualys.LinuxAgent.AzureSecurityCenter
  • Qualys agent:
    • /var/log/qualys/qualys-cloud-agent.log

 

Advanced scenarios

Qualys assessment and sub-assessments (security checks) are stored and available for query in Azure Resource Graph (ARG) as well as through the API. A great example for that is available in this blog post. Moreover, you can also build and customize your own dashboards using Azure Monitor workbooks and create such dashboard for more insights. You can easily deploy a Qualys dashboard leveraging ARG queries and workbooks which is available . Soon, you will be able to use Continuous Export feature to send nested recommendations for Qualys into Event Hub or Log Analytics workspaces.

 

On the roadmap

  • Availability for non-Azure virtual machines - Available, the vulnerability assessment extension can be deployed on on-premise machine via Azure Arc agent.
  • Filtering vulnerability assessment findings by different criteria (e.g. exclude all low severity findings / exclude non-patchable findings / excluded by CVE / and more) - Available, use the disable specific vulnerability findings capability.
  • More items are work in progress.

 

Frequently asked questions

Question: Does the built-in integration support both Azure VMs and non-Azure VMs?
Answer: Our current integration only supports Azure VMs. As mentioned in the roadmap section, we do have plans to support non-Azure virtual machines in the future.

 

Question: Does the built-in vulnerability assessment as part of standard pricing tier also integrate into the Qualys Dashboard offering?
Answer: Vulnerability assessments performed by our built-in integration is only available through Azure portal and Azure Resource Graph.

 

Question: Is it possible to initiate a manual/on-demand scan?
Answer: Scan on Demand is a single use execution that is initiated manually on the VM itself, using locally or remotely executed scripts or GPO, or from software distribution tools at the end of a patch deployment job. To do so, the following command will trigger an on-demand metadata sync:

 

 

 

REG ADD HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f

 

 

 

Question: I purchased a separate Qualys/Rapid 7 license, which recommendation should I use?

Answer: We provide additional method for customers who have purchased VA scanner separately and do not use the integrated solution. To enable 3rd-party integration, use “A vulnerability assessment solution should be enabled on your virtual machines” - this recommendation appears for both standard and free tiers. Then, select “Configure a new third-party vulnerability scanner (BYOL - requires a separate license)”. For this kind of integration, you'll need to purchase a license for your chosen solution separately. Supported solutions report vulnerability data to the partner's management platform. In turn, that platform provides vulnerability and health monitoring data back to Microsoft Defender for Cloud.

 

Question: Can I combine two Qualys installation approaches so that the same VM has both the integrated scanner and the BYOL agent installed?

Answer: No, this is not supported. You can’t combine additional deployment approaches of VA while using the built-in VA capabilities provided by ASC.

 

Reviewers:

  • Melvyn Mildiner - Senior Content Developer
  • Ben Kliger - Senior PM Manager
  • Aviv Mor - Senior Program Manager
  • Nomi Gorovoy - Software Engineer
5 Comments
Co-Authors
Version history
Last update:
‎Jun 20 2022 12:15 AM
Updated by: