Setting up Agentless Scanning using Azure Resource Manager

If you’ve already set up Cloud Security Management and want to add a new Azure subscription or enable Agentless Scanning on an existing integrated Azure subscription, you can use either Terraform or Azure Resource Manager. This article provides detailed instructions for the Azure Resource Manager approach.

Running Agentless scanners incurs additional costs. To optimize these costs while still ensuring reliable 12-hour scans, Datadog recommends setting up Agentless Scanning with Terraform as the default template.

Enable Agentless Scanning

    Set up the Datadog Azure integration

    Follow the instructions for setting up the Datadog Azure integration.

    Enable Agentless Scanning for your Azure subscriptions

    Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

    Cloud Security Management Setup page

    1. On the Cloud Security Management Setup page, click Cloud Integrations > Azure.
    2. Locate the tenant ID of your subscription.
    3. (Optional) To enable detection of misconfigurations, toggle Resource Scanning to the on position.
    4. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
    5. Click the Enable button under Vulnerability Scanning.
    6. The Vulnerability Scanning dialog is displayed. Toggle Vulnerability Scanning to the on position.
    7. Under How would you like to set up Agentless Scanning?, select Azure Resource Manager.
    8. Click Launch Azure Resource Manager to be redirected to the Azure portal.

    Azure portal

    1. Log in to the Azure portal. The template creation form is displayed.
    2. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
    3. In Subscriptions to scan, select all the subscriptions you want to scan.
    4. Enter your Datadog API Key, select your Datadog Site, and fill out the remainder of the form.
    5. Click on Review + create.

    Enable Agentless Scanning for your Azure subscriptions

    Complete the following steps to enable Agentless Scanning for your Azure subscriptions:

    Cloud Security Management Setup page

    1. On the Cloud Security Management Setup page, click Cloud Integrations > Azure.
    2. Locate the tenant ID of your subscription.
    3. (Optional) To enable detection of misconfigurations, toggle Resource Scanning to the on position.
    4. Expand the list of Azure subscriptions and locate the subscription where you want to deploy the Agentless scanner.
    5. Click the Enable button under Vulnerability Scanning.
    6. The Vulnerability Scanning dialog is displayed. Toggle Vulnerability Scanning to the on position.
    7. Under How would you like to set up Agentless Scanning?, select Azure Resource Manager.
    8. Click Launch Azure Resource Manager to be redirected to the Azure portal.

    Azure portal

    1. Log in to the Azure portal. The template creation form is displayed.
    2. Select the subscription and the resource group in which the Agentless scanners are to be deployed. Datadog recommends that you deploy the Datadog Agentless Scanner in a dedicated resource group.
    3. In Subscriptions to scan, select all the subscriptions you want to scan.
    4. Enter your Datadog API Key, select your Datadog Site, and fill out the remainder of the form.
    5. Click on Review + create.

    Exclude resources from scans

    To exclude hosts, containers, and functions from scans, apply the tag DatadogAgentlessScanner:false to each resource. For detailed instructions, refer to the Resource Filters documentation.

    Disable Agentless Scanning

    1. On the Cloud Security Management Setup page, click Cloud Integrations > Azure.
    2. Locate your subscription’s tenant, expand the list of subscriptions, and identify the subscription for which you want to disable Agentless Scanning.
    3. Click the Edit button and toggle Vulnerability Scanning to the off position.
    4. Click Done.

    Uninstall with Azure Resource Manager

    To uninstall Agentless Scanning, log in to your Azure subscription. If you created a dedicated resource group for the Agentless scanner, delete this resource group along with the following Azure role definitions:

    • Datadog Agentless Scanner Role
    • Datadog Agentless Scanner Delegate Role

    If you did not use a dedicated resource group, you must manually delete the scanner resources, which can be identified by the tags Datadog:true and DatadogAgentlessScanner:true.

    Further Reading

    Additional helpful documentation, links, and articles:

    Cloud Security Management Agentless ScanningDOCUMENTATION more more Setting up Agentless Scanning using TerraformDOCUMENTATION more more