Configure Vulnerability Management for Azure
Sysdig released a new onboarding experience for Azure in August 2024. If you onboarded your Azure tenant and/or subscription before the 6th of August, 2024, and would like to add more features, contact your Sysdig representative.
Vulnerability Host Scanning relies on the following Azure features:
- Azure LightHouse: Manages the relationship between the Sysdig Service Principal and the target subscriptions.
- Snapshot: Shares disks with Sysdig.
To configure Vulnerability Management (VM), set up volume access.
Prerequisites
- You must have an Azure Subscription or Tenant already connected to Sysdig.
- Access to a user with the permissions required for installation.
Set Up Volume Access
Use the following instructions to set up volume access for Vulnerability Host Scanning for your Azure instances.
- Log in to Sysdig Secure, select Integrations > Cloud Accounts > Azure.
- Select an account that is part of the tenant you would like to add features to or the individual account you onboarded. On the right panel, you will see a list of features.
- Click Setup beside a desired feature to open the wizard.
- Ensure you have the necessary permissions configured as described in the initial setup.
- Exclude or Include Resources from Vulnerability Scanning:
- You can exclude resource groups and virtual machines from scans using tags.
- For more information, see how to include/exclude resources.
- Verify the details of your tenant and the subscription where the features will be added.
- Generate and apply the Terraform code:
- Create a volume_access.tf file in the folder that contains your main.tf.
- Copy the snippet provided into the volume_access.tf file.
- Run the command: terraform init && terraform apply.
Exclude/Include Resources from Vulnerability Scanning
By default, all Resource Groups and Virtual Machines with root disks are included in scans. To manage exclusions and inclusions, use the following tags:
Key | Value | Description |
---|---|---|
sysdig:secure:scan | true | Include in scan |
sysdig:secure:scan | false | Exclude from scan |
sysdig:secure:data-volumes:scan | true | Include data volumes in scan |
sysdig:secure:data-volumes:scan | false | Exclude data volumes from scan |
Usage Examples
Tag | Level | Effect |
---|---|---|
sysdig:secure:scan: "false" | Resource Group | Excludes all resources within that group from scanning |
sysdig:secure:scan: "false" | Virtual Machine | Excludes the VM and all its disks from scanning |
sysdig:secure:scan: "true" | Data Disk | Includes the disk for scanning |
sysdig:secure:data-volumes:scan: "true" | Resource Group | Includes all data disks in that group for scanning |
sysdig:secure:data-volumes:scan: "true" | Virtual Machine | Includes all its data disks for scanning |
sysdig:secure:data-volumes:scan: "true" | Resource Group and VM | Excludes the VM’s data disks but includes the others in the group |
Redundant Tags
Tag | Description |
---|---|
sysdig:secure:scan: "true" | Sysdig scans by default, so these tags are redundant. |
sysdig:secure:data-volumes:scan: "false" | Sysdig does not scan data volumes by default unless explicitly included. |
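The tables above describe which disks end up in a scan, but it is easy to tag a resource group and a VM in ways that cancel each other out. The following is an added example, not Sysdig code, that dry-runs those rules over a constructed inventory so you can check the outcome before tagging real resources. It assumes, which the page does not state, that a tag on a more specific resource (disk, then VM, then resource group) overrides the same tag set higher up.

```python
# Added example (not Sysdig code): dry-run the tag rules before applying them.
# Assumption: a tag on a more specific resource (disk > VM > resource group)
# overrides the same tag set higher up; the page does not state that precedence.
SCAN_TAG = "sysdig:secure:scan"
DATA_TAG = "sysdig:secure:data-volumes:scan"

def _flag(tags, key):
    """True/False for a tag value, None when absent or not literally true/false."""
    return {"true": True, "false": False}.get(str(tags.get(key, "")).strip().lower())

def _effective(key, *scopes):
    """Walk scopes from least to most specific; the last explicit value wins."""
    result = None
    for tags in scopes:
        flag = _flag(tags, key)
        if flag is not None:
            result = flag
    return result

def disk_is_scanned(rg_tags, vm_tags, disk_tags, os_disk):
    """Decide whether one disk would be included in Vulnerability Host Scanning."""
    # scan=false on the resource group or VM excludes everything beneath it.
    if _effective(SCAN_TAG, rg_tags, vm_tags, disk_tags) is False:
        return False
    if os_disk:
        return True  # root disks are scanned by default
    if _flag(disk_tags, SCAN_TAG) is True:
        return True  # a data disk tagged scan=true is included explicitly
    # Otherwise a data volume is only scanned when data-volumes:scan=true applies.
    return _effective(DATA_TAG, rg_tags, vm_tags) is True

def plan_scan(inventory):
    """Map every disk in an inventory to its scan decision."""
    return {disk["name"]: disk_is_scanned(rg["tags"], vm["tags"], disk["tags"], disk["os"])
            for rg in inventory for vm in rg["vms"] for disk in vm["disks"]}

# Constructed sample inventory, not real Azure resources.
SAMPLE = [
    {"tags": {DATA_TAG: "true"}, "vms": [
        {"tags": {}, "disks": [{"name": "web-os", "os": True, "tags": {}},
                               {"name": "web-data", "os": False, "tags": {}}]},
        {"tags": {DATA_TAG: "false"}, "disks": [{"name": "db-os", "os": True, "tags": {}},
                                                 {"name": "db-data", "os": False, "tags": {}}]}]},
    {"tags": {}, "vms": [
        {"tags": {SCAN_TAG: "false"}, "disks": [{"name": "lab-os", "os": True, "tags": {}}]},
        {"tags": {}, "disks": [{"name": "app-os", "os": True, "tags": {}},
                               {"name": "app-data", "os": False, "tags": {SCAN_TAG: "true"}},
                               {"name": "app-scratch", "os": False, "tags": {}}]}]},
]
```

Calling plan_scan(SAMPLE) shows db-data skipped (VM-level data-volumes:scan=false wins over the group's true) and app-scratch skipped by default, while app-data is picked up by its own scan=true tag.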
Validate
You can verify your Vulnerability Management configuration by checking your connection status:
- Log in to Sysdig Secure and select Integrations > Cloud Accounts > Azure.
- Select your account. The Detail panel appears on the right.
You will see the feature as Connected. This may take up to 5 minutes after deploying the Terraform.