Configure Vulnerability Management for Azure
Sysdig released a new onboarding experience for Azure in August 2024. If you onboarded your Azure tenant and/or subscription before the 6th of August, 2024, and would like to add more features, contact your Sysdig representative.
Vulnerability Host Scanning relies on the following Azure features:
- Azure Lighthouse: Manages the delegation between the Sysdig Service Principal and the target subscriptions.
- Snapshots: Disk snapshots are shared with Sysdig so the disks can be scanned without an agent.
To configure Vulnerability Management, set up volume access as described below.
Prerequisites
You must have an Azure Subscription or Tenant already connected to Sysdig.
Access to a user with the permissions required to install.
Register the Microsoft.ManagedServices resource provider (the namespace Azure Lighthouse uses) in each subscription that will use agentless scanning:

```bash
for sub in $(az account list --query "[].id" -o tsv); do
  echo "Registering Microsoft.ManagedServices in $sub"
  az provider register --namespace Microsoft.ManagedServices --subscription "$sub"
done
```

The loop registers the provider in every subscription your login can see; filter the `az account list` output if only some subscriptions are being onboarded.
For more details, see Missing Microsoft.ManagedServices Namespace Registration.
Set Up Volume Access
Use the following instructions to set up volume access for Vulnerability Host Scanning for your Azure instances.
- Log in to Sysdig Secure and select Integrations > Cloud Accounts > Azure.
- Select an account that is part of the tenant you want to add features to, or the individual account you onboarded. The right panel lists the available features.
- Click Setup beside the desired feature to open the wizard.
- Ensure the permissions described in the initial setup are configured.
- Exclude or include resources from Vulnerability Scanning:
  - You can exclude resource groups and virtual machines from scans using tags.
  - For details, see Exclude/Include Resources from Vulnerability Scanning below.
- Verify the details of your tenant and the subscription where the features will be added.
- Generate and apply the Terraform code:
  - Create a `volume_access.tf` file in the folder that contains your `main.tf`.
  - Copy the snippet provided by the wizard into `volume_access.tf`.
  - Run `terraform init && terraform apply`.
Exclude/Include Resources from Vulnerability Scanning
By default, all Resource Groups and Virtual Machines with root disks are included in scans. To manage exclusions and inclusions, use the following tags:
Key | Value | Description |
---|---|---|
sysdig:secure:scan | true | Include in scan |
sysdig:secure:scan | false | Exclude from scan |
sysdig:secure:data-volumes:scan | true | Include data volumes in scan |
sysdig:secure:data-volumes:scan | false | Exclude data volumes from scan |
Usage Examples
Tag | Level | Effect |
---|---|---|
sysdig:secure:scan: "false" | Resource Group | Excludes all resources within that group from scanning |
sysdig:secure:scan: "false" | Virtual Machine | Excludes the VM and all its disks from scanning |
sysdig:secure:scan: "true" | Data Disk | Includes that disk for scanning |
sysdig:secure:data-volumes:scan: "true" | Resource Group | Includes all data disks in that group for scanning |
sysdig:secure:data-volumes:scan: "true" | Virtual Machine | Includes all of the VM's data disks for scanning |
sysdig:secure:data-volumes:scan: "true" on the Resource Group, "false" on the VM | Resource Group and VM | The VM-level tag takes precedence: excludes that VM's data disks but includes the other data disks in the group |
Redundant Tags
Tag | Description |
---|---|
sysdig:secure:scan: "true" | VMs and their root disks are scanned by default, so this tag is redundant. |
sysdig:secure:data-volumes:scan: "false" | Data volumes are not scanned by default, so this tag is redundant unless it overrides an include set at a broader scope (see the Resource Group and VM example above). |
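The following Python is an added example, not Sysdig's implementation: it models how the two tags combine across the resource group, VM and data-disk scopes so you can predict what will be scanned before tagging. It assumes the tag at the most specific scope wins (disk over VM over resource group), which is the precedence the "Resource Group and VM" usage example implies; the VM names and tag sets in `demo()` are constructed inputs.

```python
"""Model of the sysdig:secure:scan / sysdig:secure:data-volumes:scan tag rules.

Added example, not Sysdig's code. Assumption: the tag at the most specific
scope wins (data disk over VM over resource group), which is the precedence
the "Resource Group and VM" usage example implies.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

SCAN_TAG = "sysdig:secure:scan"
DATA_VOLUMES_TAG = "sysdig:secure:data-volumes:scan"


@dataclass
class Vm:
    name: str
    tags: Dict[str, str] = field(default_factory=dict)
    # data disk name -> that disk's own tags
    data_disks: Dict[str, Dict[str, str]] = field(default_factory=dict)


def tag_flag(tags: Dict[str, str], key: str) -> Optional[bool]:
    """Return True/False for an explicit 'true'/'false' value, None if absent.

    Values are compared case-insensitively; anything other than true/false is
    treated as "no decision" rather than silently excluding a resource.
    """
    value = tags.get(key)
    if value is None:
        return None
    lowered = value.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    return None


def resolve(key: str, default: bool, *scopes: Dict[str, str]) -> bool:
    """Walk tag scopes from most specific to least; the first explicit value wins."""
    for tags in scopes:
        decision = tag_flag(tags, key)
        if decision is not None:
            return decision
    return default


def scan_plan(rg_tags: Dict[str, str], vm: Vm) -> Dict[str, object]:
    """Decide what is scanned for one VM: its OS (root) disk and each data disk."""
    # VMs with root disks are scanned by default; a VM-level tag beats the group's.
    scan_vm = resolve(SCAN_TAG, True, vm.tags, rg_tags)
    data: Dict[str, bool] = {}
    for disk, disk_tags in vm.data_disks.items():
        if not scan_vm:
            # sysdig:secure:scan=false on the VM or its group excludes every disk.
            data[disk] = False
            continue
        disk_decision = tag_flag(disk_tags, SCAN_TAG)
        if disk_decision is not None:
            # A scan tag on the disk itself is the most specific decision.
            data[disk] = disk_decision
            continue
        # Otherwise data volumes are opt-in via the data-volumes tag.
        data[disk] = resolve(DATA_VOLUMES_TAG, False, vm.tags, rg_tags)
    return {"vm": vm.name, "os_disk": scan_vm, "data_disks": data}


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed inputs reproducing the usage examples; returns plans keyed by case."""
    cases = {
        # Group opts all data disks in, but this VM opts its own back out.
        "rg_in_vm_out": ({DATA_VOLUMES_TAG: "true"},
                         Vm("web-1", {DATA_VOLUMES_TAG: "false"}, {"data0": {}})),
        # Whole group excluded: nothing on the VM is scanned.
        "rg_excluded": ({SCAN_TAG: "false"}, Vm("web-2", {}, {"data0": {}})),
        # Defaults: OS disk scanned, untagged data disk not, tagged disk included.
        "disk_tagged": ({}, Vm("web-3", {}, {"data0": {}, "data1": {SCAN_TAG: "true"}})),
    }
    return {name: scan_plan(rg, vm) for name, (rg, vm) in cases.items()}


if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, plan)
```

Run it before tagging a large estate: if the plan shows an OS disk you expected to be excluded, the `sysdig:secure:scan: "false"` tag is missing or misspelled at the scope you assumed.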
Check the Connection Status
You can verify your Vulnerability Management configuration by checking the connection status:
- Log in to Sysdig Secure and select Integrations > Cloud Accounts > Azure.
- Select your account.
- The detail drawer appears on the right.
- If the connection is successful, the feature is shown as Connected. This may take up to 5 minutes after the Terraform has been applied.
The possible health statuses for Vulnerability Management Host Scanning and Workload Scanning are:
Host Scanning
The health status of Host Scanning is checked every 8 hours.
Status | Description |
---|---|
Healthy ✅ | The account has been connected successfully and all resources have been scanned. |
Warning ⚠ | |
Error ❌ | Scanning failed. |
Workload Scanning
The health status of Workload Scanning is checked every 3 hours.
Status | Description |
---|---|
Healthy ✅ | The account has been connected successfully and all resources have been scanned. |
Warning ⚠ | No workloads were discovered. |
Error ❌ | Scanning failed. |