Configure an Azure Cloud Virtual Machine Internal Scan Job

Azure Internal Cloud scans use Qualys Internal Scanners, located at Qualys Cloud Platform.

Internal Cloud scans are DNS or IP-based scans launched using the target instances' public DNS or public IP. If your assets have both public DNS and public IP addresses, we will launch a scan on public DNS.

These scans are supported in VM/VMDR for vulnerability scanning and PC/SCA for compliance scanning.

See Internal Cloud Scan Settings below for help with the settings that appear in the Internal Cloud Scan.

Requirements for Azure VM (Virtual Machine)

You must have Azure Cloud VM internal scan enabled for your account.

Your account must have a Manager, Unit Manager, or Scanner User role. This applies to both VM and PC.

Azure connector is required. Learn more about connectors.

Get Started with your Azure Internal Cloud Scan

All internal cloud scans are scheduled - either for Now (a one-time scan job) or Recurring. Once saved, you can see the scan job on the Schedules list. When the scan job starts, it is displayed on your Scans list.

Follow these steps to create or edit an Internal Cloud Scan:

1) Go to Scans > Scans.

2) Take one of these actions: 

2a - To create a new Internal cloud scan, select New > Internal Cloud Scan. You can also see this option on the Schedules tab.

Select Cloud Internal Scan.

2b - To make changes to an existing Internal cloud scan, select a record in the list and choose Edit from the Quick Actions menu.

The New Cloud Internal Scan or Edit Internal Cloud Scan window appears (depending on the action taken). This is where you make your record settings.

3) Choose a tab on the left side of the Cloud Internal Scan window to see the settings available. Provide the necessary inputs on each tab, then click Create Scan Job (for a new scan) or Update (when updating an existing scan).

Internal Cloud Scan Settings

See the help below for the settings that appear on each of the tabs within the Internal Cloud Scan.

Cloud Information

This section has the basic settings to select your cloud provider - Microsoft Azure. See the requirements above. 

Select Microsoft Azure as the cloud provider.

 

Scan details

This section is where you assign a scan name, select a scan profile, set a priority for processing, and define the scan job status.

Select the scan details.  

Title - Give your Internal Scan a title for easy identification.

Option Profile - Select the option profile. The profile you select determines the scan settings used.

Processing Priority - Select a priority level. Set a priority to have this scan processed ahead of other scans. You can choose from nine priority levels, with the highest priority being 1 - Emergency and the lowest priority being 9 - Low. Scans with no priority will be processed after scans with priority.

Scan Job Status - Select this option to prevent the scan from running at its scheduled time. Clear this option to re-activate the schedule.

 

Target Hosts

This section has target host settings where you can select the connector and target host for the internal scan. 

Select the details required for target hosts.

Connector - Select the connector you configured. The connector is displayed in the list as per your subscription.

Platform - You can select either available locations or available virtual networks.

Select Asset Tags - You must add the tags to specify the hosts to be scanned. Select All to include hosts that match all the tags listed. Select Any to include hosts that match at least one of the tags listed.

Note: If you want to exclude the hosts from the scan, add the tags to the Do not include hosts section.  

Scan specific Virtual machine - Enable this option to filter your target host selection (connectors, Platform, Asset Tags, VNet/Region) to scan only specific VM instances. You can enter up to 10 VM IDs separated by commas. VM IDs can be specified with or without tags.

Note: If you do not specify the platform, region code, VNet ID, or asset tags, we will launch the scan on the assets resolved from the connector.
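A pre-flight check of the target selection described above, added here as an example (not Qualys code): it applies the All/Any tag match, the Do not include hosts tags, and the 10 VM ID limit to an inventory export so the scan scope can be confirmed before the job is created. The record fields, the `Selection` model, the sample assets, and the rule that any excluded tag removes a host are assumptions.

```python
from dataclasses import dataclass, field

MAX_VM_IDS = 10  # limit stated on this page

@dataclass
class Selection:  # hypothetical model of the Target Hosts tab
    include_tags: set = field(default_factory=set)
    match: str = "any"  # "all" or "any"
    exclude_tags: set = field(default_factory=set)  # "Do not include hosts"
    locations: set = field(default_factory=set)  # empty = no platform filter
    vm_ids: str = ""  # raw comma-separated field value

def parse_vm_ids(raw):
    ids = [v.strip() for v in raw.split(",") if v.strip()]
    if len(ids) > MAX_VM_IDS:
        raise ValueError(f"{len(ids)} VM IDs given, limit is {MAX_VM_IDS}")
    return set(ids)

def qualifies(asset, sel, vm_ids):
    tags = set(asset["tags"])
    if sel.locations and asset["location"] not in sel.locations:
        return False
    if sel.include_tags:
        if sel.match == "all" and not sel.include_tags <= tags:
            return False
        if sel.match == "any" and not sel.include_tags & tags:
            return False
    if sel.exclude_tags & tags:  # assumption: any excluded tag removes the host
        return False
    return not vm_ids or asset["vm_id"] in vm_ids

def resolve(assets, sel):
    vm_ids = parse_vm_ids(sel.vm_ids)
    qualified = [a["vm_id"] for a in assets if qualifies(a, sel, vm_ids)]
    return {
        "identified": len(assets),  # everything synced from the connector
        "qualified": qualified,
        # True means nothing narrows the scope: all connector assets are scanned
        "unfiltered": not (sel.locations or sel.include_tags or vm_ids),
        "no_scannable_assets": not qualified,
    }

ASSETS = [  # constructed sample inventory, not real Azure data
    {"vm_id": "vm-a1", "location": "eastus", "tags": ["prod", "web"]},
    {"vm_id": "vm-b2", "location": "eastus", "tags": ["prod", "db"]},
    {"vm_id": "vm-c3", "location": "westeurope", "tags": ["dev", "web"]},
    {"vm_id": "vm-d4", "location": "westeurope", "tags": ["prod", "web", "fragile"]},
]
```

An `unfiltered` result of `True` corresponds to the note above: with no platform or tags set, every asset resolved from the connector is in scope.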

Scanner

Choose a scanner appliance from the list. This field displays all the scanners with respect to available locations and virtual networks.

Select the scanner appliance.

You can select any of the following options from the list of Scanner Appliances:

Note: This option is disabled until you select a connector and a platform.

Schedule and Notification

Tell us when you want the scan to run - Now or Recurring.

Select the schedule as Now or Recurring.

Note that when you choose Now, your scan may not start immediately. We check for new scan requests every few minutes. If a scanner is available and you have not reached your concurrent scan limit, then we launch the scan. If scanners are not available or you have reached your limit, then the scan will be launched at the next opportunity.

When you choose Recurring, you must set the scheduling and notification options. 

Start - Select the starting date and time for this schedule and your local time zone (GMT shift and location). If you select a time zone that observes Daylight Saving Time, the Auto adjust during Daylight Saving Time option is selected by default. The start time will be adjusted automatically during time changes, so you do not have to make any edits to your schedule.


Duration - Set a maximum run time for the scan. You can pause or cancel the scan if it runs longer than the number of hours/minutes.
 
Resume Days - You can choose to have the scan resumed manually or automatically after a set number of days/hours. The value you set for pause determines the minimum value you can set for resume.
 
Occurs - Run the scan daily, weekly, or monthly (or every 2 days, every 3 weeks, etc.). When this feature is enabled for your account, you can choose Relaunch on Finish for continuous scanning.
 
Ends after - Your scan runs indefinitely unless you tell us how many times to run the scan. The schedule will be deactivated when the set number of occurrences is reached.




Review

You can identify the assets to scan based on your settings.

Review the assets to scan.

You can see the following asset counts:

Assets Identified / Synced from Connector - The number of assets discovered by the connector that you selected for this scan job.

Assets Qualified for scan - The number of assets discovered by the connector that match the selected platform, region, and asset tags. 

Assets Submitted to scan - The number of assets that we submit in the scan job.

Create Scan Job

After reviewing the settings and confirming the asset count, click Create Scan Job.

Note: When you create a scan job, a warning message that no scannable assets are found is shown if no assets are resolved from the connector and the optional platform and asset tag selections. You can find such scan jobs under the Scans > Schedules tab.

What Happens Next

Your new scan job will appear on the Schedules list.


When your scan starts it appears on the Scans list. Like with other scans, you can take actions like cancel or pause the scan, view the scan status, and download the results.

Want to run the scan again? Choose New Scan Job from the Quick Actions menu. We retain certain scan settings from the original scan job and schedule the scan to run Now.