Microsoft Defender for Cloud improves compute posture for Azure, AWS and GCP environments with machine scanning. For requirements and support, see the compute support matrix in Defender for Cloud.
Agentless scanning for virtual machines (VM) provides:
Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
Deep analysis of operating system configuration and other machine meta data.
Agentless scanning assists you in the identification process of actionable posture issues without the need for installed agents, network connectivity, or any effect on machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and Defender for Servers P2 plan.
Azure Commercial clouds
Azure Government
Microsoft Azure operated by 21Vianet
Connected AWS accounts
Connected GCP projects
Operating systems:
Windows
Linux
Instance and disk types:
Azure
Standard VMs
Unmanaged disks
Maximum total disk size allowed: 4TB (the sum of all disks) Maximum number of disks allowed: 6 Virtual machine scale set - Flex
Virtual machine scale set - Uniform
AWS
EC2
Auto Scale instances
Instances with a ProductCode (Paid AMIs)
GCP
Compute instances
Instance groups (managed and unmanaged)
Encryption:
Azure
Unencrypted
Encrypted – managed disks using Azure Storage encryption with platform-managed keys (PMK)
Encrypted – other scenarios using platform-managed keys (PMK)
Encrypted – customer-managed keys (CMK) (preview)
Agentless scanning for VMs uses cloud APIs to collect data. Whereas agent-based methods use operating system APIs in runtime to continuously collect security related data. Defender for Cloud takes snapshots of VM disks and performs an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. The copied snapshot remains in the same region as the VM. The VM isn't affected by the scan.
After acquiring the necessary metadata is acquired from the copied disk, Defender for Cloud immediately deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to detect configuration gaps and potential threats. For example, in vulnerability assessment, the analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates both the agent-based and agentless results on the Security alerts page.
The scanning environment where disks are analyzed is regional, volatile, isolated, and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is necessary to collect the metadata, typically a few minutes.
Related content
This article explains how agentless scanning works and how it helps you collect data from your machines.
Discover how to set up and integrate a Log Analytics agent with a workspace in Defender for Cloud using the Azure portal, enhancing security data analysis capabilities.
Frequently asked questions about data collection, agents, and workspaces for Microsoft Defender for Cloud. Data collection agents are a product that helps you prevent, detect, and respond to threats