Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines

A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools.

When a machine is found that doesn't have a vulnerability assessment solution deployed, Defender for Cloud generates the security recommendation: Machines should have a vulnerability assessment solution. Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc-enabled hybrid machines.

Defender for Cloud includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. This page provides details of this scanner and instructions for how to deploy it.

Tip

The integrated vulnerability assessment solution supports both Azure virtual machines and hybrid machines. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, connect them to Azure first with Azure Arc as described in Connect your non-Azure machines to Defender for Cloud.

Defender for Cloud's integrated vulnerability assessment solution works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.

If you don't want to use the vulnerability assessment powered by Qualys, you can use Microsoft Defender Vulnerability Management or deploy a BYOL solution with your own Qualys license, Rapid7 license, or another vulnerability assessment solution.

Availability

Aspect	Details
Release state:	General availability (GA)
Machine types (hybrid scenarios):	Azure virtual machines Azure Arc-enabled machines
Pricing:	Requires Microsoft Defender for Servers Plan 2
Required roles and permissions:	Owner (resource group level) can deploy the scanner Security Reader can view findings
Clouds:	Commercial clouds National (Azure Government, Azure China 21Vianet) Connected AWS accounts

Overview of the integrated vulnerability scanner

The vulnerability scanner included with Microsoft Defender for Cloud is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities. It's only available with Microsoft Defender for Servers. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud.

How the integrated vulnerability scanner works

The vulnerability scanner extension works as follows:

1. Deploy - Microsoft Defender for Cloud monitors your machines and provides recommendations to deploy the Qualys extension on your selected machine/s.

2. Gather information - The extension collects artifacts and sends them for analysis in the Qualys cloud service in the defined region.

3. Analyze - Qualys' cloud service conducts the vulnerability assessment and sends its findings to Defender for Cloud.

   Important

   To ensure the privacy, confidentiality, and security of our customers, we don't share customer details with Qualys. Learn more about the privacy standards built into Azure.

4. Report - The findings are available in Defender for Cloud.

Deploy the integrated scanner to your Azure and hybrid machines

1. From the Azure portal, open Defender for Cloud.

2. From Defender for Cloud's menu, open the Recommendations page.

3. Select the recommendation Machines should have a vulnerability assessment solution.

   

   Tip

   The machine "server16-test" above, is an Azure Arc-enabled machine. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, see Connect your non-Azure machines to Defender for Cloud.

   Defender for Cloud works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.

   Your machines will appear in one or more of the following groups:

   • Healthy resources – Defender for Cloud has detected a vulnerability assessment solution running on these machines.
   • Unhealthy resources – A vulnerability scanner extension can be deployed to these machines.
   • Not applicable resources – these machines aren't supported for the vulnerability scanner extension.

4. From the list of unhealthy machines, select the ones to receive a vulnerability assessment solution and select Remediate.

   Important

   Depending on your configuration, this list might appear differently.

   • If you haven't got a third-party vulnerability scanner configured, you won't be offered the opportunity to deploy it.
   • If your selected machines aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option won't be available.

   

5. Choose the recommended option, Deploy integrated vulnerability scanner, and Proceed.

6. You'll be asked for one further confirmation. Select Remediate.

   The scanner extension will be installed on all of the selected machines within a few minutes.

   Scanning begins automatically as soon as the extension is successfully deployed. Scans will then run every 12 hours. This interval isn't configurable.

   Important

   If the deployment fails on one or more machines, ensure the target machines can communicate with Qualys' cloud service by adding the following IPs to your allowlists (via port 443 - the default for HTTPS):

   • https://qagpublic.qg3.apps.qualys.com - Qualys' US data center

   • https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center

   If your machine is in a region in an Azure European geography (such as Europe, UK, Germany), its artifacts will be processed in Qualys' European data center. Artifacts for virtual machines located elsewhere are sent to the US data center.

Automate at-scale deployments

Note

All of the tools described in this section are available from Defender for Cloud's GitHub community repository. There, you can find scripts, automations, and other useful resources to use throughout your Defender for Cloud deployment.

Some of these tools only affect new machines connected after you enable at scale deployment. Others also deploy to existing machines. You can combine multiple approaches.

Some of the ways you can automate deployment at scale of the integrated scanner:

• Azure Resource Manager – This method is available from view recommendation logic in the Azure portal. The remediation script includes the relevant ARM template you can use for your automation:
• DeployIfNotExists policy – A custom policy for ensuring all newly created machines receive the scanner. Select Deploy to Azure and set the relevant parameters. You can assign this policy at the level of resource groups, subscriptions, or management groups.
• PowerShell Script – Use the Update qualys-remediate-unhealthy-vms.ps1 script to deploy the extension for all unhealthy virtual machines. To install on new resources, automate the script with Azure Automation. The script finds all unhealthy machines discovered by the recommendation and executes an Azure Resource Manager call.
• Azure Logic Apps – Build a logic app based on the sample app. Use Defender for Cloud's workflow automation tools to trigger your logic app to deploy the scanner whenever the Machines should have a vulnerability assessment solution recommendation is generated for a resource.
• REST API – To deploy the integrated vulnerability assessment solution using the Defender for Cloud REST API, make a PUT request for the following URL and add the relevant resource ID: https://management.azure.com/<resourceId>/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview​

Trigger an on-demand scan

You can trigger an on-demand scan from the machine itself, using locally or remotely executed scripts or Group Policy Object (GPO). Alternatively, you can integrate it into your software distribution tools at the end of a patch deployment job.

The following commands trigger an on-demand scan:

• Windows machines: REG ADD HKLM\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability /v "ScanOnDemand" /t REG_DWORD /d "1" /f
• Linux machines: sudo /usr/local/qualys/cloud-agent/bin/cloudagentctl.sh action=demand type=vm

FAQ

• Are there any additional charges for the Qualys license?
• What prerequisites and permissions are required to install the Qualys extension?
• Can I remove the Defender for Cloud Qualys extension?
• How can I check that the Qualys extension is properly installed?
• How does the extension get updated?
• Why does my machine show as "not applicable" in the recommendation?
• Can the built-in vulnerability scanner find vulnerabilities on the VMs network?
• Does the scanner integrate with my existing Qualys console?
• How quickly will the scanner identify newly disclosed critical vulnerabilities?

Are there any additional charges for the Qualys license?

No. The built-in scanner is free to all Microsoft Defender for Servers users. The recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.

What prerequisites and permissions are required to install the Qualys extension?

You'll need write permissions for any machine on which you want to deploy the extension.

The Microsoft Defender for Cloud vulnerability assessment extension (powered by Qualys), like other extensions, runs on top of the Azure Virtual Machine agent. So it runs as Local Host on Windows, and Root on Linux.

During setup, Defender for Cloud checks to ensure that the machine can communicate over HTTPS (default port 443) with the following two Qualys data centers:

• https://qagpublic.qg3.apps.qualys.com - Qualys' US data center
• https://qagpublic.qg2.apps.qualys.eu - Qualys' European data center

The extension doesn't currently accept any proxy configuration details. However, you can configure the Qualys agent's proxy settings locally in the Virtual Machine. Please follow the guidance in the Qualys documentation:

• Windows proxy configuration
• Linux proxy configuration

Can I remove the Defender for Cloud Qualys extension?

If you want to remove the extension from a machine, you can do it manually or with any of your programmatic tools.

You'll need the following details:

• On Linux, the extension is called "LinuxAgent.AzureSecurityCenter" and the publisher name is "Qualys".
• On Windows, the extension is called "WindowsAgent.AzureSecurityCenter" and the provider name is "Qualys".

How can I check that the Qualys extension is properly installed?

You can use the curl command to check the connectivity to the relevant Qualys URL. A valid response would be: {"code":404,"message":"HTTP 404 Not Found"}

In addition, make sure that the DNS resolution for these URLs is successful and that everything is valid with the certificate authority that is used.

How does the extension get updated?

Like the Microsoft Defender for Cloud agent itself and all other Azure extensions, minor updates of the Qualys scanner might automatically happen in the background. All agents and extensions are tested extensively before being automatically deployed.

Why does my machine show as "not applicable" in the recommendation?

If you have machines in the not applicable resources group, Defender for Cloud can't deploy the vulnerability scanner extension on those machines because:

• The vulnerability scanner included with Microsoft Defender for Cloud is only available for machines protected by Microsoft Defender for Servers.

• It's a PaaS resource, such as an image in an AKS cluster or part of a virtual machine scale set.

• It's not running one of the supported operating systems:

  Vendor	OS	Supported versions
  Microsoft	Windows	All
  Amazon	Amazon Linux	2015.09-2018.03
  Amazon	Amazon Linux 2	2017.03-2.0.2021
  Red Hat	Enterprise Linux	5.4+, 6, 7-7.9, 8-8.6, 9 beta
  Red Hat	CentOS	5.4-5.11, 6-6.7, 7-7.8, 8-8.5
  Red Hat	Fedora	22-33
  SUSE	Linux Enterprise Server (SLES)	11, 12, 15, 15 SP1
  SUSE	openSUSE	12, 13, 15.0-15.3
  SUSE	Leap	42.1
  Oracle	Enterprise Linux	5.11, 6, 7-7.9, 8-8.5
  Debian	Debian	7.x-11.x
  Ubuntu	Ubuntu	12.04 LTS, 14.04 LTS, 15.x, 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS

Can the built-in vulnerability scanner find vulnerabilities on the VMs network?

No. The scanner runs on your machine to look for vulnerabilities of the machine itself, not for your network.

Does the scanner integrate with my existing Qualys console?

The Defender for Cloud extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Microsoft Defender for Cloud.

How quickly will the scanner identify newly disclosed critical vulnerabilities?

Within 48 hrs of the disclosure of a critical vulnerability, Qualys incorporates the information into their processing and can identify affected machines.

Next steps

Remediate the findings from your vulnerability assessment solution

Defender for Cloud also offers vulnerability analysis for your:

• SQL databases - Explore vulnerability assessment reports in the vulnerability assessment dashboard
• Azure Container Registry images - Use Defender for Containers to scan your ACR images for vulnerabilities