Description:

The Vulnerability Assessment for Machines component in Microsoft Defender for Cloud provides continuous scanning and assessment of your virtual machines (VMs) to identify security vulnerabilities and misconfigurations. Enabling this feature ensures that all supported VMs are automatically evaluated for known vulnerabilities, compliance issues, and potential security risks, providing you with insights and recommendations to improve the security posture of your environment.

Rationale:

Enabling Vulnerability Assessment for Machines ensures proactive monitoring and risk identification. This tool automatically scans for common vulnerabilities such as missing patches, insecure configurations, and outdated software. It also provides recommendations for remediation, helping to reduce the risk of exploitation. By having vulnerability assessments enabled, organizations can comply with security best practices and regulatory requirements, mitigating potential threats before they can be exploited.

Impact:

Enabling the Vulnerability Assessment for Machines component enhances security by continuously scanning for and identifying vulnerabilities within your VM environment. This increases security visibility across your infrastructure and prompts timely action to remediate detected issues. However, scanning adds some resource overhead, depending on the number of machines and the frequency of scans. It may also generate a higher volume of alerts and recommendations, which should be managed and triaged appropriately.

Default Value:

By default, Vulnerability Assessment for Machines is not enabled in Microsoft Defender for Cloud. This feature needs to be manually configured for your virtual machines.

Prerequisites:

  • Microsoft Defender for Cloud subscription.

  • Azure Virtual Machines (VMs) need to be in place.

  • The user must have Owner, Contributor, or Security Admin role permissions.

  • Microsoft Defender for Cloud should be enabled for your subscription.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Security Admin.

  2. Navigate to Microsoft Defender for Cloud > Environment Settings.

  3. Verify that the Vulnerability Assessment for Machines component is set to On for your virtual machines.
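The same check can be scripted with the Azure CLI. This is an added example, not part of the benchmark text: it reads the Defender for Servers plan tier and each VM's extension list and classifies the result. It assumes an authenticated Azure CLI (`az login`) with the `security` extension; the Qualys extension names are the ones Defender for Cloud deploys and should be confirmed in your own tenant.

```shell
#!/bin/sh
# Added example, not from the benchmark: audit the Defender for Servers plan
# tier and the presence of the Qualys VA extension on every VM. Assumes an
# authenticated Azure CLI with the 'security' extension installed.

# One extension record is "name<TAB>publisher<TAB>provisioningState".
# Returns 0 only for a successfully provisioned Qualys scanner extension.
is_qualys_va_extension() {
    n=$1; p=$2; s=$3
    [ "$p" = "Qualys" ] || return 1
    case "$n" in
        WindowsAgent.AzureSecurityCenter|LinuxAgent.AzureSecurityCenter) ;;
        *) return 1 ;;
    esac
    [ "$s" = "Succeeded" ]
}

# Read a VM's extension list (TSV on stdin); print COMPLIANT or NONCOMPLIANT
# and return 0 or 1 so the result can be used by both humans and scripts.
audit_vm() {
    found=0
    while IFS="$(printf '\t')" read -r name publisher state; do
        [ -n "$name" ] || continue
        if is_qualys_va_extension "$name" "$publisher" "$state"; then found=1; fi
    done
    if [ "$found" -eq 1 ]; then echo COMPLIANT; return 0; fi
    echo NONCOMPLIANT; return 1
}

# The VirtualMachines pricing must be Standard; Free means no VA licence.
audit_plan_tier() {
    if [ "$1" = "Standard" ]; then echo COMPLIANT; return 0; fi
    echo NONCOMPLIANT; return 1
}

# Live run against the current subscription; only executes with --run.
run_audit() {
    tier=$(az security pricing show --name VirtualMachines --query pricingTier -o tsv)
    printf 'Defender for Servers plan tier %s: %s\n' "$tier" "$(audit_plan_tier "$tier")"
    az vm list --query "[].[name,resourceGroup]" -o tsv |
    while IFS="$(printf '\t')" read -r vm rg; do
        result=$(az vm extension list -g "$rg" --vm-name "$vm" \
            --query "[].[name,publisher,provisioningState]" -o tsv | audit_vm)
        printf '%s/%s: %s\n' "$rg" "$vm" "$result"
    done
}

if [ "${1:-}" = "--run" ]; then run_audit; fi
```

Run it as `sh audit-va.sh --run`; a VM whose Qualys extension is missing or stuck in a failed provisioning state is reported NONCOMPLIANT.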

Implementation Steps (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Owner, Contributor, or Security Admin privileges.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, go to Microsoft Defender for Cloud (formerly Azure Security Center).

  3. Enable Vulnerability Assessment:

    • In Microsoft Defender for Cloud, go to Environment Settings under the Security Policy section.

    • In the Defender plans section, ensure that Microsoft Defender for Servers and Vulnerability Assessment are enabled.

    • This will enable the Vulnerability Assessment tool for your virtual machines.

  4. Install Qualys VM Extension:

    • Microsoft Defender for Cloud uses Qualys as the vulnerability scanner for machines. To activate vulnerability scanning, ensure that the Qualys VM extension is installed on your virtual machines.

    • In Microsoft Defender for Cloud, navigate to Security Policy > Defender for Servers.

    • Enable Qualys vulnerability scanning for the specific subscription or region.

    • If not already installed, the Qualys extension will be automatically deployed to your VMs.

  5. Configure Assessment Frequency:

    • Once vulnerability assessment is enabled, configure the frequency of scans and the specific vulnerabilities or compliance checks you want to prioritize (e.g., missing patches, insecure configurations).

    • You can manage these settings from within Microsoft Defender for Cloud > Vulnerability Assessment.

  6. Verify and Review Vulnerability Findings:

    • After enabling the vulnerability assessment, navigate to Security Center > Vulnerability Assessment to review any findings for your virtual machines.

    • Review the recommended actions for any vulnerabilities detected and prioritize them based on their risk level.

  7. Monitor Alerts and Remediation:

    • Once the scans are active, you can monitor alerts and vulnerability reports for each machine.

    • Review the recommendations provided by Defender for Cloud and ensure that necessary patches or fixes are applied to mitigate risks.

  8. Test the Configuration:

    • To verify that the Vulnerability Assessment is working, run a manual scan, or trigger a new scan by changing a configuration on the VM.

    • Ensure that results are being reported and that you receive actionable alerts or recommendations.

Backout Plan (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Owner, Contributor, or Security Admin privileges.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud.

  3. Disable Vulnerability Assessment:

    • In Microsoft Defender for Cloud, go to Environment Settings > Defender plans.

    • Toggle off the Vulnerability Assessment setting to disable the vulnerability scanning for your VMs.

  4. Uninstall Qualys VM Extension:

    • To fully disable vulnerability scanning, you can also uninstall the Qualys VM extension from the virtual machines.

    • This can be done via the Azure portal or by running Azure CLI commands.

  5. Test and Verify:

    • After disabling the vulnerability assessment, ensure that no further vulnerability scans are triggered for the machines.

    • Review Microsoft Defender for Cloud to confirm that the vulnerability reports are no longer generated for the VMs.
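The Azure CLI form of backout step 4, together with the re-check from step 5, as an added example that is not part of the benchmark text. It assumes an authenticated Azure CLI; the resource group name is supplied by the caller, and `DRY_RUN=1` prints what would be removed instead of removing it.

```shell
#!/bin/sh
# Added example, not from the benchmark: remove the Qualys VA extension from
# every VM in one resource group, then re-list to confirm it is gone.
# Assumes an authenticated Azure CLI; set DRY_RUN=1 to only print the plan.

# Filter a "name<TAB>publisher" extension listing on stdin down to the
# Qualys scanner extensions, one name per line.
qualys_extension_names() {
    while IFS="$(printf '\t')" read -r n p; do
        case "$p:$n" in
            Qualys:WindowsAgent.AzureSecurityCenter|Qualys:LinuxAgent.AzureSecurityCenter)
                echo "$n" ;;
        esac
    done
}

# Remove one extension from one VM (or describe the removal under DRY_RUN).
remove_extension() {
    rg=$1; vm=$2; ext=$3
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: az vm extension delete -g $rg --vm-name $vm -n $ext"
    else
        az vm extension delete -g "$rg" --vm-name "$vm" -n "$ext"
    fi
}

# Walk every VM in the group, strip the extension, then re-list so the
# "Test and Verify" step has evidence that nothing Qualys-published remains.
backout_resource_group() {
    rg=$1
    az vm list -g "$rg" --query "[].name" -o tsv | while read -r vm; do
        az vm extension list -g "$rg" --vm-name "$vm" --query "[].[name,publisher]" -o tsv |
            qualys_extension_names | while read -r ext; do
                remove_extension "$rg" "$vm" "$ext"
            done
        left=$(az vm extension list -g "$rg" --vm-name "$vm" \
            --query "[].[name,publisher]" -o tsv | qualys_extension_names)
        if [ -n "$left" ]; then echo "$vm: still present: $left"; else echo "$vm: clean"; fi
    done
}

if [ "${1:-}" = "--run" ]; then backout_resource_group "${2:?resource group name}"; fi
```

Invoke as `DRY_RUN=1 sh backout-va.sh --run <resource-group>` first, then without `DRY_RUN` once the planned removals look right.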

References: