Enable vulnerability scanning with a Bring Your Own License (BYOL) solution

Note

For all customers who have Defender for Servers enabled and are still using Qualys capability for vulnerability management, please migrate to either Microsoft Defender vulnerability management or utilize the connectors available in the Exposure Management platform. The Defender for Servers plan in Microsoft Defender for Cloud has a built-in vulnerability assessment tool. The vulnerability assessment tool doesn't require any external licenses and supports Azure Arc-enabled machines.

If you don't want to use the integrated vulnerability assessment tool, you can use your own privately licensed vulnerability assessment solution from Qualys or Rapid7. This article explains the steps needed to deploy one of these partner solutions on multiple VMs belonging to the same subscription (but not to Azure Arc-enabled machines).

Availability

Aspect                           Details
Release state                    General availability (GA)
Machine types                    Azure virtual machines
                                 Azure Arc-enabled machines
Pricing                          Free
Required roles and permissions   Resource owner can deploy the scanner
                                 Security reader can view findings
Clouds                           Commercial clouds
                                 National (Azure Government, Microsoft Azure operated by 21Vianet)

Deploy a BYOL solution from the Azure portal

The BYOL options refer to supported third-party vulnerability assessment solutions. Currently both Qualys and Rapid7 are supported providers.

Supported solutions report vulnerability data to the partner's management platform. In turn, that platform provides vulnerability and health monitoring data back to Defender for Cloud. You can identify vulnerable VMs on the workload protection dashboard and switch to the partner management console, directly from Defender for Cloud for reports and more information.

  1. From the Azure portal, open Defender for Cloud.

  2. From Defender for Cloud's menu, open the Recommendations page.

  3. Select the recommendation Machines should have a vulnerability assessment solution.

    (Screenshot: the groupings of the machines on the "A vulnerability assessment solution should be enabled on your virtual machines" recommendation page.)

    Your VMs appear in one or more of the following groups:

    • Healthy resources – Defender for Cloud detected a vulnerability assessment solution running on these VMs.
    • Unhealthy resources – A vulnerability scanner extension can be deployed to these VMs.
    • Not applicable resources – these VMs can't have a vulnerability scanner extension deployed.
  4. From the list of unhealthy machines, select the ones to receive a vulnerability assessment solution and select Remediate.

    Important

    Depending on your configuration, you might only see a subset of this list.

    • If you don't have a third-party vulnerability scanner configured, you won't be offered the option to deploy one.
    • If your selected VMs aren't protected by Microsoft Defender for Servers, the Defender for Cloud integrated vulnerability scanner option isn't available.

    (Screenshot: the solutions screen after you select the Fix button for your resource.)

  5. If you're setting up a new BYOL configuration, select Configure a new third-party vulnerability scanner, select the relevant extension, select Proceed, and enter the details from the provider as follows:

    1. For Resource group, select Use existing. If you later delete this resource group, the BYOL solution won't be available.
    2. For Location, select where the solution is geographically located.
    3. For Qualys, enter the license provided by Qualys into the License code field.
    4. For Rapid7, upload the Rapid7 Configuration File.
    5. In the Public key box, enter the public key information provided by the partner.
    6. To automatically install this vulnerability assessment agent on all discovered VMs in the subscription of this solution, select Auto deploy.
    7. Select OK.
  6. If you have already set up your BYOL solution, select Deploy your configured third-party vulnerability scanner, select the relevant extension, and select Proceed.

After the vulnerability assessment solution is installed on the target machines, Defender for Cloud runs a scan to detect and identify vulnerabilities in the system and application. It might take a couple of hours for the first scan to complete. After that, it runs hourly.

Deploy a BYOL solution using PowerShell and the REST API

To programmatically deploy your own privately licensed vulnerability assessment solution from Qualys or Rapid7, use the supplied script (PowerShell > Vulnerability Solution). This script uses the REST API to create a new security solution in Defender for Cloud. You need a license and a key provided by your service provider (Qualys or Rapid7).

Important

Only one solution can be created per license. Attempting to create another solution using the same name/license/key will fail.

Prerequisites

Required PowerShell modules:

  • Install-Module Az
  • Install-Module Az.Security

Run the script

To run the script, you need the relevant information for the following parameters:

Parameter          Required  Notes
SubscriptionId     Yes       The subscription ID of the Azure subscription that contains the resources you want to analyze.
ResourceGroupName  Yes       Name of the resource group. Use any existing resource group, including the default ("DefaultResourceGroup-xxx"). Since the solution isn't an Azure resource, it isn't listed under the resource group, but it's still attached to it. If you later delete the resource group, the BYOL solution is unavailable.
vaSolutionName     Yes       The name of the new solution.
vaType             Yes       Qualys or Rapid7.
licenseCode        Yes       Vendor-provided license string.
publicKey          Yes       Vendor-provided public key.
autoUpdate         No        Enable (true) or disable (false) auto deploy for this VA solution. When enabled, every new VM in the subscription automatically attempts to link to the solution. Default: false.

Syntax:

.\New-ASCVASolution.ps1 -subscriptionId <Subscription Id> -resourceGroupName <RG Name> `
-vaSolutionName <New solution name> -vaType <Qualys / Rapid7> -autoUpdate <true/false> `
-licenseCode <License code from vendor> -publicKey <Public Key received from vendor>

Example (this example doesn't include valid license details):

.\New-ASCVASolution.ps1 -subscriptionId 'f4cx1b69-dtgb-4ch6-6y6f-ea2e95373d3b' -resourceGroupName 'DefaultResourceGroup-WEU' -vaSolutionName 'QualysVa001' -vaType 'Qualys' -autoUpdate 'false' `
-licenseCode 'eyJjaWQiOiJkZDg5OTYzXe4iMTMzLWM4NTAtODM5FD2mZWM1N2Q3ZGU5MjgiLCJgbTYuOiIyMmM5NDg3MS1lNTVkLTQ1OGItYjhlMC03OTRhMmM3YWM1ZGQiLCJwd3NVcmwiOiJodHRwczovL3FhZ3B1YmxpYy1wMDEuaW50LnF1YWx5cy5jb20vQ2xvdSKJY6VudC8iLCJwd3NQb3J0IjoiNDQzIn0=' `
-publicKey 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOiOLXjOywMfLZIBGPZLwSocf1Q64GASLK9OHFEmanBl1nkJhZDrZ4YD5lM98fThYbAx1Rde2iYV1ze/wDlX4cIvFAyXuN7HbdkeIlBl6vWXEBZpUU17bOdJOUGolzEzNBhtxi/elEZLghq9Chmah82me/okGMIhJJsCiTtglVQIDAQAB'
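The following is an added pre-flight wrapper, not the page's New-ASCVASolution.ps1 and not part of the original article: it checks the prerequisites this section lists (modules installed, correct subscription context, existing resource group, well-formed public key) before invoking the supplied script, so that a typo doesn't consume the single attempt a license allows. The function name Invoke-ByolSolutionDeployment and the default script path are assumptions; the script's parameter names follow the Syntax section above.

```powershell
# Added example (hypothetical wrapper), not the supplied New-ASCVASolution.ps1 itself.
function Invoke-ByolSolutionDeployment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VaSolutionName,
        [Parameter(Mandatory)][ValidateSet('Qualys', 'Rapid7')][string]$VaType,
        [Parameter(Mandatory)][string]$LicenseCode,
        [Parameter(Mandatory)][string]$PublicKey,
        [bool]$AutoUpdate = $false,
        [string]$ScriptPath = '.\New-ASCVASolution.ps1'   # assumed location of the supplied script
    )

    # Both modules named under Prerequisites must be installed before the script can call the API.
    foreach ($module in 'Az', 'Az.Security') {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            throw "Required module '$module' is not installed. Run: Install-Module $module"
        }
    }

    # Pin the context to the intended subscription; a stale context would target the wrong tenant.
    $ctx = Get-AzContext
    if (-not $ctx -or $ctx.Subscription.Id -ne $SubscriptionId) {
        Set-AzContext -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null
    }

    # The article requires an existing resource group: the solution is attached to it even though
    # it is not listed under it, and deleting the group later makes the solution unavailable.
    if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
        throw "Resource group '$ResourceGroupName' does not exist in subscription $SubscriptionId."
    }

    # The vendor public key is a base64 string; reject a mangled copy-paste up front, because
    # only one solution can be created per license and a failed attempt wastes that name/key.
    try { [void][Convert]::FromBase64String($PublicKey) }
    catch { throw 'PublicKey is not valid base64; copy it again from the vendor portal.' }

    # -WhatIf shows the call without creating anything; the script expects 'true'/'false' as text.
    $target = "$VaType solution '$VaSolutionName' in resource group '$ResourceGroupName'"
    if ($PSCmdlet.ShouldProcess($target, 'Create BYOL vulnerability assessment solution')) {
        & $ScriptPath -subscriptionId $SubscriptionId -resourceGroupName $ResourceGroupName `
            -vaSolutionName $VaSolutionName -vaType $VaType `
            -autoUpdate $AutoUpdate.ToString().ToLower() `
            -licenseCode $LicenseCode -publicKey $PublicKey
    }
}
```

Run it with `-WhatIf` first to confirm the subscription, resource group and solution name are the ones you intend; the same license must not be reused for a second solution.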

Learn more about obtaining the Qualys Virtual Scanner Appliance in Azure Marketplace.

Next steps