Enable Automatic Provisioning of Vulnerability Assessment for Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-039

Ensure that a vulnerability assessment solution is automatically provisioned for your Azure virtual machine (VM) servers using Microsoft Defender for Cloud. The automatic provisioning of vulnerability assessment can be enabled on both Azure VMs and hybrid (multicloud and on-premises) virtual machines.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Defender for Cloud uses vulnerability assessment services to continuously monitor Azure virtual machine (VM) servers for OS security misconfigurations, vulnerable applications, and environment settings, to identify potential security vulnerabilities and recommend remediation strategies to mitigate them. By default, Defender for Cloud collects data from virtual machines (Azure VMs and hybrid machines) using agents and extensions. To avoid manually installing and configuring this type of software, you can enable automatic provisioning of vulnerability assessment for virtual machines, so that Microsoft Defender for Cloud reduces the management overhead by automatically installing all the required agents and extensions on existing and new VMs.

Note: To use the automatic provisioning feature, Microsoft Defender for Cloud must be enabled for your virtual machine (VM) servers at the account/subscription level.


Audit

To determine if the automatic provisioning of vulnerability assessment solutions is enabled for your virtual machines, perform the following actions:

Note: Getting the vulnerability assessment auto provisioning configuration in Microsoft Defender for Cloud using Azure CLI/PowerShell is not currently supported.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Defender plans to access the Microsoft Defender for Cloud plans available for the selected subscription.

06 For Servers, choose the Settings > link in the Monitoring coverage column to access the Defender for Cloud components available for virtual machine servers.

07 Check the configuration status of the Vulnerability assessment for machines component, available in the Status column. If the component status is set to Off, the automatic provisioning of vulnerability assessment solutions is not enabled for the virtual machine (VM) servers managed by the selected Azure subscription.

08 Repeat steps no. 4 – 7 for each Microsoft Azure subscription available within your cloud account.

Remediation / Resolution

To enable the automatic provisioning of vulnerability assessment solutions for your virtual machine servers (Azure VMs and hybrid machines), perform the following actions:

Note: Enabling vulnerability assessment auto provisioning for virtual machines using Azure CLI/PowerShell is not currently supported.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to configure.

05 In the navigation panel, under Settings, choose Defender plans to access the Microsoft Defender for Cloud plans available for the selected subscription.

06 For Servers, choose the Settings > link in the Monitoring coverage column to access the Defender for Cloud components available for virtual machine (VM) servers.

07 Choose On for the Vulnerability assessment for machines component, select the vulnerability assessment solution to deploy to your virtual machines, and choose Apply to confirm the changes.

08 Select Continue from the blade top menu and choose Save to apply the changes.

09 Repeat steps no. 4 – 8 for each Microsoft Azure subscription available within your cloud account.

Publication date Oct 18, 2022