Azure Policy for checking if VM is covered by a vulnerability assessment solution

Heikki Salo 5 Reputation points
2023-03-28T15:13:31.1466667+00:00

Hello,

I'm checking for ways to monitor if a VM is running a vulnerability assessment solution.

There exists a built-in policy with a title "A vulnerability assessment solution should be enabled on your virtual machines"

This policy is checking if there is an assessment related to a VM of type "Microsoft.Security/assessments" and has a name of "ffff0522-1e88-47fc-8382-2a80ba848f5d".

However, I cannot find any documentation for "ffff0522-1e88-47fc-8382-2a80ba848f5d", except that it is a key related somehow to vulnerability management.

Would be grateful for any pointers!


3 answers

  1. Limitless Technology 44,221 Reputation points
    2023-03-29T10:52:51.4266667+00:00

    Hello there,

    To assess your machines for vulnerabilities, you can use one of the following solutions:

    • Microsoft Defender Vulnerability Management solution (included with Microsoft Defender for Servers)

    • Built-in Qualys agent (included with Microsoft Defender for Servers)

    • A Qualys or Rapid7 scanner that you've licensed separately and configured within Defender for Cloud (this scenario is called the Bring Your Own License, or BYOL, scenario)

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-vulnerability-assessment

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Janne Kujanpää 236 Reputation points
    2023-04-02T10:54:09.31+00:00

    Some good pointers were already provided.

    Microsoft.Security/assessments resources are automatically updated by Azure background processes.

    To enable vulnerability assessment, you can turn it on at subscription level: https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-vulnerability-assessment

    • If you select Defender-based, then the following resource is created at subscription level
       // Subscription-scoped Bicep; targetScope and the VATool parameter declaration
       // are added here so the snippet deploys as-is (VATool is the poster's own name)
       targetScope = 'subscription'

       param VATool string = 'MdeTvm'

       resource ServerVulnerabilityAssessmentsSettings 'Microsoft.Security/serverVulnerabilityAssessmentsSettings@2022-01-01-preview' = if (VATool == 'MdeTvm') {
         name: 'AzureServersSetting'
         properties: {
           selectedProvider: 'MdeTvm'
         }
       }

    • If you select Qualys, then a policy assignment of 13ce0167-8ca6-4048-8e6b-f996402e3c1b [1] with VaType=default is done at subscription level. This policy just creates a Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments extension resource on all VMs.

    Using the Defender finding's Fix button just deploys Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments in both VA cases (IIRC).

    Those resources turn on some automated, undocumented processes on Azure/Virtual Machines, and then the magic happens if everything works.

    Related thread if you have onboarding issues: https://learn.microsoft.com/en-us/answers/questions/1195459/defender-for-cloud-vulnerability-assessment-soluti

    [1] https://www.azadvertizer.net/azpolicyadvertizer/13ce0167-8ca6-4048-8e6b-f996402e3c1b.html


  3. Ryan Hill 27,771 Reputation points Microsoft Employee
    2023-04-05T17:56:57.35+00:00

    This policy is checking if there is an assessment related to a VM of type "Microsoft.Security/assessments" and has a name of "ffff0522-1e88-47fc-8382-2a80ba848f5d".

    This assessment is Azure Defender for SQL - SQL Vulnerability Assessment, which you can read more about in "Enable vulnerability assessment on your Azure SQL databases". You should be able to pull metadata for Microsoft.Security/assessments as follows:

    1. Open Azure Resource Graph Explorer from the portal
    2. Change the scope to the subscription you want to query
    3. Run the following query:

       SecurityResources
       | where type == 'Microsoft.Security/assessments'

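As an added example (not from any of the answers above), the Resource Graph query below extends the one-liner in step 3: it starts from every VM in scope and left-joins the "ffff0522-1e88-47fc-8382-2a80ba848f5d" assessment record the built-in policy looks for, so VMs that have no such record at all are listed too. It assumes the assessed resource id is stored at properties.resourceDetails.Id and the result at properties.status.code, and that ids only differ from the VM id by letter case.

```kusto
// Added example: per-VM view of the ffff0522-1e88-47fc-8382-2a80ba848f5d assessment.
// Each VM gets Healthy / Unhealthy / NotApplicable from the assessment record,
// or "NotAssessed" when Defender for Cloud has not produced a record for it yet.
resources
| where type =~ "microsoft.compute/virtualmachines"
| project vmId = tolower(id), vmName = name, resourceGroup, subscriptionId
| join kind=leftouter (
    securityresources
    | where type =~ "microsoft.security/assessments"
    // name of an assessment resource is the assessment key referenced by the policy
    | where name == "ffff0522-1e88-47fc-8382-2a80ba848f5d"
    // Assumed field layout of the assessment record (see lead-in)
    | project assessedId = tolower(tostring(properties.resourceDetails.Id)),
              statusCode = tostring(properties.status.code),
              statusCause = tostring(properties.status.cause)
  ) on $left.vmId == $right.assessedId
| project vmName, resourceGroup, subscriptionId,
          vaStatus = iff(isempty(statusCode), "NotAssessed", statusCode),
          statusCause
| order by vaStatus asc, vmName asc
```

Set the scope (subscription or management group) in Resource Graph Explorer before running it, as in step 2 above.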
