Qualys Security Scan Tool: Integrated Vulnerability Scanning in Microsoft Defender for Cloud

A fundamental aspect of any robust cyber risk and security program is the ability to identify and analyze vulnerabilities. Microsoft Defender for Cloud proactively assesses your connected machines to ensure they are equipped with vulnerability assessment tools.

When a machine is detected without a vulnerability assessment solution, Defender for Cloud generates a security recommendation: Machines should have a vulnerability assessment solution. This recommendation serves as a guide to deploy a suitable solution to your Azure virtual machines and Azure Arc-enabled hybrid machines.

Defender for Cloud offers built-in vulnerability scanning capabilities, eliminating the need for a separate Qualys license or account. This seamless integration simplifies the process of deploying and managing vulnerability scans. This article provides a detailed overview of this integrated scanner, often referred to as the Qualys Security Scan Tool, and step-by-step instructions for its deployment.

Tip: The integrated vulnerability assessment solution is compatible with both Azure virtual machines and hybrid environments. To extend vulnerability scanning to your on-premises and multicloud machines, first connect them to Azure using Azure Arc, as detailed in Connect your non-Azure machines to Defender for Cloud. Defender for Cloud’s integration with Azure Arc ensures seamless operation, and no Log Analytics agent is required once Azure Arc is deployed.

If the integrated vulnerability assessment, powered by Qualys, does not meet your specific requirements, consider exploring Microsoft Defender Vulnerability Management as an alternative.

Availability of Qualys Scanner in Defender for Cloud

Aspect                              Details
Release state                       General availability (GA)
Machine types (hybrid scenarios)    Azure virtual machines; Azure Arc-enabled machines
Pricing                             Requires Microsoft Defender for Servers Plan 2
Required roles and permissions      Owner (resource group level) to deploy the scanner; Security Reader to view findings
Clouds                              Commercial clouds; National clouds (Azure Government, Microsoft Azure operated by 21Vianet); Connected AWS accounts

Understanding the Integrated Qualys Vulnerability Scanner

The vulnerability scanner embedded within Microsoft Defender for Cloud is powered by Qualys, a recognized leader in real-time vulnerability identification. This Qualys security scan tool is exclusively available with Microsoft Defender for Servers. Importantly, no separate Qualys licensing or account management is needed – the entire process is streamlined within Defender for Cloud.

How the Qualys Security Scan Tool Operates

The integrated vulnerability scanner extension functions through these stages:

  1. Deployment: Microsoft Defender for Cloud monitors your machines and recommends deploying the Qualys extension to selected machines.

  2. Information Gathering: The extension gathers necessary artifacts and securely transmits them to the Qualys cloud service within the designated region for analysis.

  3. Analysis: Qualys’ cloud service performs the vulnerability assessment, leveraging its sophisticated scanning engine, and relays the findings back to Defender for Cloud.

    Important: Customer privacy, confidentiality, and security are paramount. Microsoft does not share any customer-identifiable details with Qualys. Learn more about Azure’s built-in privacy standards.

  4. Reporting: The vulnerability findings are then readily accessible within the Defender for Cloud interface, providing a centralized view of your security posture.

Deploying the Integrated Qualys Scanner to Azure and Hybrid Machines

To enable the Qualys security scan tool on your machines, follow these steps:

  1. Navigate to the Azure portal and open Defender for Cloud.
  2. From Defender for Cloud’s menu, access the Recommendations page.
  3. Select the recommendation titled Machines should have a vulnerability assessment solution.

Tip: The machine labeled server16-test in the image exemplifies an Azure Arc-enabled machine. For deploying the Qualys security scan tool to your on-premises and multicloud environments, refer to Connect your non-Azure machines to Defender for Cloud. Defender for Cloud’s seamless integration with Azure Arc simplifies management, and no Log Analytics agent is required after Azure Arc deployment.

Your machines will be categorized into these groups:

  • Healthy resources: Machines where Defender for Cloud has detected an active vulnerability assessment solution.
  • Unhealthy resources: Machines where the Qualys security scan tool extension can be deployed.
  • Not applicable resources: Machines that are not compatible with the vulnerability scanner extension.

  4. From the list of unhealthy machines, choose the machines you want to equip with the vulnerability assessment solution and click Remediate.

    Important: The appearance of this list may vary based on your current configuration.

    • If you haven’t configured a third-party vulnerability scanner, you won’t see an option to deploy one.
    • If your selected machines are not protected by Microsoft Defender for Servers, the integrated Qualys security scan tool option will not be available.

  5. Select the recommended option Deploy integrated vulnerability scanner, and then click Proceed.

  6. A final confirmation prompt will appear. Click Remediate to initiate the deployment.

    The scanner extension will be installed on all selected machines within minutes. Vulnerability scans will commence automatically upon successful extension deployment and will run every 12 hours. This scan interval is not user-configurable.

    Important: If deployment fails on any machine, ensure that the target machines can reach Qualys’ cloud service. Allow outbound HTTPS (TCP port 443) from those machines to the following Qualys endpoints:

    • https://qagpublic.qg3.apps.qualys.com – Qualys’ US data center
    • https://qagpublic.qg2.apps.qualys.eu – Qualys’ European data center

    Machines located in Azure European geographies (Europe, UK, Germany) will have their artifacts processed in Qualys’ European data center. Artifacts from virtual machines in other regions are sent to the US data center.

Automating Large-Scale Deployments of Qualys Scanner

Note: The tools mentioned in this section are accessible from Defender for Cloud’s GitHub community repository. This repository contains scripts, automation examples, and other valuable resources to enhance your Defender for Cloud deployment.

Some automation methods apply only to newly connected machines post-enablement, while others extend to existing machines as well. You can utilize a combination of these approaches for comprehensive coverage.

Several methods are available to automate the deployment of the integrated Qualys security scan tool at scale:

  • Azure Policy: Leverage Azure Policy to automatically deploy the Qualys extension to new and existing machines within specified scopes.
  • PowerShell scripts: Utilize PowerShell scripts to deploy the extension across multiple machines programmatically.
  • REST API: Integrate the deployment process with your existing automation workflows using the Defender for Cloud REST API.
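As an added example (not code from the original article, nor from the Defender for Cloud community repository), the PowerShell script below combines the REST API and scripting approaches listed above: it walks every VM in a resource group, checks whether a vulnerability assessment resource already exists, and requests the integrated scanner only where it is missing. It assumes the Az.Accounts and Az.Compute modules, an already authenticated session (Connect-AzAccount), Owner on the resource group as noted in the availability table, and that `2020-01-01` is a current api-version for the Microsoft.Security serverVulnerabilityAssessments resource (verify against the REST reference before use). The resource group name is a placeholder you supply.

```powershell
# Added example (not from the article or the community repo): request the integrated
# Qualys scanner on every VM in a resource group that does not already report a
# vulnerability assessment resource.
# Assumptions: Az.Accounts + Az.Compute, an authenticated Az session, Owner on the RG,
# and api-version 2020-01-01 for Microsoft.Security/serverVulnerabilityAssessments.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName   # placeholder: your resource group
)

$apiVersion = '2020-01-01'

function Get-VaResourcePath {
    # Builds the ARM path of the 'default' assessment resource under a machine.
    # The same shape is used for an Azure Arc-enabled machine resource ID (assumption).
    param([Parameter(Mandatory)] [string] $MachineResourceId)
    "$MachineResourceId/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-version=$apiVersion"
}

$results = foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
    $path = Get-VaResourcePath -MachineResourceId $vm.Id

    # Check first: HTTP 200 means a VA solution is already registered for this machine,
    # which matches the "Healthy resources" group in the portal.
    $existing = Invoke-AzRestMethod -Path $path -Method GET
    if ($existing.StatusCode -eq 200) {
        [pscustomobject]@{ Machine = $vm.Name; Action = 'Skipped (already enabled)'; Status = $existing.StatusCode }
        continue
    }

    # PUT on the 'default' resource is what the portal's
    # "Deploy integrated vulnerability scanner" remediation does behind the scenes.
    $resp = Invoke-AzRestMethod -Path $path -Method PUT
    [pscustomobject]@{ Machine = $vm.Name; Action = 'Deploy requested'; Status = $resp.StatusCode }
}

# Review the per-machine outcome; non-2xx status codes need investigation
# (Defender for Servers Plan 2 not enabled on the subscription, missing rights, etc.).
$results | Format-Table -AutoSize
```

Run it once per resource group, or wrap the foreach in a loop over `Get-AzResourceGroup` for subscription-wide coverage. Because the script checks before it writes, it is safe to re-run after new machines are onboarded, which is the gap the note above about "newly connected machines" points at.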

Initiating On-Demand Scans with Qualys Security Scan Tool

Beyond scheduled scans, you can trigger on-demand scans directly from a machine. This can be achieved using locally or remotely executed scripts or Group Policy Objects (GPO). Integrating on-demand scans into your software distribution tools at the conclusion of patch deployment cycles is also a valuable practice.

Use these commands to trigger an on-demand scan:

  • Windows machines: REG ADD HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f
  • Linux machines: sudo /usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm
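As an added example (not from the original article), the following PowerShell function applies the Windows command above to a list of machines at the end of a patch cycle, using PowerShell Remoting instead of a GPO. It first checks that the Qualys agent registry key exists, so machines where the extension was never deployed are reported instead of silently getting an orphaned registry value, and it reads the value back to confirm the trigger was written. It assumes WinRM is enabled on the targets and that the caller is a local administrator there; the computer names in the usage line are placeholders.

```powershell
# Added example (not from the article): trigger an on-demand Qualys vulnerability scan on
# several Windows machines and report the outcome per machine.
# Assumptions: PowerShell Remoting (WinRM) reachable, caller is local admin on targets,
# registry path as given in the article.
function Start-QualysOnDemandScan {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $agentKey = 'HKLM:\SOFTWARE\Qualys\QualysAgent'
        $scanKey  = "$agentKey\ScanOnDemand\Vulnerability"

        # No agent key means no Cloud Agent is installed to pick up the request.
        if (-not (Test-Path $agentKey)) {
            return [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Result   = 'Qualys agent key not found; scanner extension not deployed?'
            }
        }

        # Same effect as the REG ADD command: create the key if needed, set ScanOnDemand=1.
        if (-not (Test-Path $scanKey)) { New-Item -Path $scanKey -Force | Out-Null }
        Set-ItemProperty -Path $scanKey -Name 'ScanOnDemand' -Type DWord -Value 1

        # Read back to confirm the trigger is in place; the agent resets it once the scan runs.
        $value = (Get-ItemProperty -Path $scanKey -Name 'ScanOnDemand').ScanOnDemand
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Result = "ScanOnDemand set to $value" }
    }
}

# Usage (placeholder names): call this as the last step of your patch deployment job.
Start-QualysOnDemandScan -ComputerName 'srv-app01', 'srv-app02' | Format-Table -AutoSize
```

Machines that fail to connect surface as remoting errors rather than rows in the table, so check both the table and the error stream when you run this from a scheduled job.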

Next Steps After Deploying Qualys Security Scan Tool

After deploying the Qualys security scan tool and performing vulnerability assessments, the next crucial step is to address the identified vulnerabilities.

Remediate the findings from your vulnerability assessment solution

Defender for Cloud also provides vulnerability analysis for:
