Microsoft AzureOverview
Enable vulnerability assessment for machines on both Azure and hybrid (Arc-enabled) machines.
Rationale
Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.
Impact
Microsoft Defender for Servers plan 2 licensing is required, and the configuration of Azure Arc introduces complexity beyond this recommendation.
Remediation guidance
Remediate from Azure Portal
- Open Microsoft Defender for Cloud | Environment settings
- Select a subscription
- Click on
Settings & Monitoring - Set the
StatusofVulnerability assessment for machinestoOn - Click
Continue
Repeat the above for any additional subscriptions.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure Connectors without server vulnerability providers
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { azureServersSettings_SOME: null }) {
...AssetFragment
}
}
