
Agentless Scanning Results

Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without installing an agent or affecting the execution of the workload. Prisma Cloud gives you the flexibility to choose between agentless security and agent-based security using Defenders. Prisma Cloud supports agentless scanning of AWS, GCP, and Azure hosts, clusters, and containers for vulnerabilities and compliance. On OCI, Prisma Cloud supports agentless scanning of hosts only, for vulnerabilities and compliance.
See scanning modes to review the scanning options and to configure agentless scanning on your accounts.

Vulnerability Scan

Agentless scan results are integrated with Defender results throughout the Console to provide a seamless experience.
Vulnerability scan rules control the data surfaced in Prisma Cloud Console, including scan reports and Radar visualizations. To modify these rules, see vulnerability scan rules.

View Scan Results

Navigate to Monitor > Vulnerabilities > Hosts to view agentless vulnerability scan results. The results page has a column named Scanned by. On the rows where the entry is Agentless, the scan results are provided by agentless scanning.
Agentless scans provide the risk factors associated with each vulnerability, such as package in use and exposed to internet. You can add tags and create policies in alert mode for exceptions. Agentless scanning is integrated with Vulnerability Explorer and Host Radar.

Compliance Scans

Navigate to Monitor > Compliance > Hosts to view agentless compliance scan results. The results page has a column named Scanned by. On the rows where the entry is Agentless, the scan results are provided by agentless scanning.
Agentless scans provide the risk factors associated with each compliance issue and the overall compliance rate for host benchmarks. You can add tags and create policies in alert mode for exceptions. Agentless scanning is integrated with Compliance Explorer and Host Radar.

Custom Compliance Scans

You can create custom compliance checks on file systems for your host and add them to your compliance policy for scanning. Follow the instructions to enable custom compliance checks in a single step for both Defenders and Agentless scans.

Pending OS Updates

Unpatched OSes lead to security risks and a greater possibility of exploits. Agentless scanning reports pending OS security updates as a compliance check.
You can find all hosts with pending OS updates by searching for the string "Ensure no pending OS updates" on the Compliance Explorer page (Monitor > Compliance > Compliance Explorer tab).
Syntax:
<package name> [<current version>] (<new version available> …)
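The following added example (not part of the Prisma Cloud documentation or product) parses entries written in the syntax above and counts how many hosts have each package pending, which helps order patching work. It assumes one entry per line and keeps whatever follows the new version inside the parentheses as opaque text; the function names, host names, and sample values are constructed for illustration.

```python
import re
from collections import Counter

# Documented syntax: <package name> [<current version>] (<new version available> …)
# Assumption: one entry per line. Text after the new version inside the
# parentheses is kept as-is because the page does not describe it.
ENTRY = re.compile(
    r"^\s*(?P<name>\S+)\s+\[(?P<current>[^\]]*)\]\s+\((?P<rest>[^)]*)\)\s*$"
)

def parse_pending_updates(text):
    """Return (entries, rejected) for a block of pending-update lines."""
    entries, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ENTRY.match(raw)
        if not m or not m["rest"].strip():
            rejected.append(raw)  # keep malformed lines visible for review
            continue
        new_version, _, extra = m["rest"].strip().partition(" ")
        entries.append({"package": m["name"], "current": m["current"].strip(),
                        "new": new_version, "extra": extra.strip()})
    return entries, rejected

def packages_by_host_count(findings):
    """Map package name -> number of hosts on which it has a pending update."""
    counts = Counter()
    for text in findings.values():
        entries, _ = parse_pending_updates(text)
        counts.update({e["package"] for e in entries})  # one count per host
    return counts

# Constructed sample data: host names, packages and versions are made up.
SAMPLE = {
    "host-a": "openssl [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.20 focal-security)\n"
              "bash [5.0-6ubuntu1.1] (5.0-6ubuntu1.2 focal-updates)\n",
    "host-b": "openssl [1.1.1f-1ubuntu2.19] (1.1.1f-1ubuntu2.20 focal-security)\n"
              "not a valid entry\n",
}

if __name__ == "__main__":
    for pkg, n in packages_by_host_count(SAMPLE).most_common():
        print(f"{pkg}: pending on {n} host(s)")
```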

Cloud Discovery Integration

When cloud discovery is enabled, agentless scans are automatically integrated with the results to provide visibility into all regions and cloud accounts where agentless scanning is not enabled along with undefended hosts, containers, and serverless functions.

Pre-flight checks

Before scanning, Prisma Cloud performs pre-flight checks and shows any missing permissions. You can see the status of the credentials without waiting for the scan to fail. This gives you proactive visibility into errors and missing permissions, so you can fix them and ensure successful scans. The following image shows the notification of a missing permission.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
  1. Go to Manage > Cloud accounts.
  2. Click the scan icon on the top right corner of the accounts table.
  3. Click Start Agentless scan.
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to Monitor > Vulnerabilities > Hosts or Monitor > Vulnerabilities > Images.
    2. Click on the Filter hosts text bar.
    3. Select the Scanned by filter.
    4. Select the Agentless filter.
