Azure Security Center is constantly being enhanced with new functionality and resources as part of it. As part of Azure Security Center Standard Tier, we now have access to a new vulnerability solution powered by Qualys Cloud Service. This is essentially an extension which is installed on your virtual machines in Azure the extension communicates back to the Qualys cloud service to analyze the data that is being collected. NOTE: This feature is currently in preview.
The service reports findings back to Azure Security Center where you can see any recommendations that it finds based upon the Qualys CVE. All information can be found under the recommendations pane
Where you can see all the information about the virtual machines that have reported back information.
Each of the recommendations usually points to KB article with CVE information and also how to remidiate
If you have enabled Continious export you can also query the data directly from a log analytics workspace and also surface recommendations into Azure Sentinel.
You can also use Resource Graph to create a dashboard of the recommendations with using the following query
securityresources | where type == "microsoft.security/assessments" | where * contains "Remediate vulnerabilities found on your virtual machines (powered by Qualys)" | summarize by assessmentKey=name //the ID of the assessment | join kind=inner ( securityresources | where type == "microsoft.security/assessments/subassessments" | extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id) ) on assessmentKey | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId | extend description = properties.description, displayName = properties.displayName, resourceId = properties.resourceDetails.id, resourceSource = properties.resourceDetails.source, category = properties.category, severity = properties.status.severity, code = properties.status.code, timeGenerated = properties.timeGenerated, remediation = properties.remediation, impact = properties.impact, vulnId = properties.id, additionalData = properties.additionalData
In order to get started to use this feature you need to have Azure Security Center Standard tier and installing the extension on supported virtual machines. This can be done either trough ARM/TF/Azure Policies or you can use the portal to install the extensions using the quick fix option
NOTE: The extension and this feature is not supported for on-premises machines yet, but has been confirmed by the PM that it will be coming soon
The Qualys agent supports the following OS’es
- All versions of Windows
- Red Hat Enterprise Linux 6.7, 7.6
- Ubuntu 14.04, 18.04
- CentOS 6.10, 7, 7.6
- Oracle Linux 6.8, 7.6
- SUSE Enterprise Linux 12, 15
- Debian 7, 8
And since the extension is communicating directly with the Qualys cloud service you will need to open up the firewall to allow communication with:
So if you have Qualys from before, you should note that this extension is a separate tool from your existing Qualys scanner. Licensing restrictions mean that it can only be used within Azure Security Center.
Another interesting thing is that Microsoft has Microsoft Defender Advanced Threat Protection which also includes Threat & Vulnerability Management (TVM). How is this different from that? Right now Defender ATP has been focusing on Windows but Linux support it on its way. As of now the feature is powered by Qualys. The Qualys extension ensures support for both Windows and Linux VMs. The extension also benefits from Qualys’s own knowledge of vulnerabilities that don’t yet have CVEs, but I reckon it is only a matter a time before Microsoft will provide good enough visibility that they can do it on their own.