Commit 35762d1

Merge pull request #239192 from dcurwin/image-scan-may24-2023
Identifying pull events
2 parents 3e831a4 + c07adc2 commit 35762d1

1 file changed

+16
-10
lines changed

articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md

Lines changed: 16 additions & 10 deletions
@@ -3,7 +3,7 @@ title: Identify vulnerabilities in Azure Container Registry with Microsoft Defen
33
description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.
44
author: dcurwin
55
ms.author: dacurwin
6-
ms.date: 05/14/2023
6+
ms.date: 05/28/2023
77
ms.topic: how-to
88
ms.custom: ignite-2022, build-2023
99
---
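Review bot: the only change in this hunk is the ms.date bump from 05/14/2023 to 05/28/2023; that is appropriate given the new FAQ content added further down, but make sure the date is set to the actual publish date of the change rather than the authoring date, since the rest of the front matter (author, ms.topic, ms.custom) is untouched.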
@@ -29,17 +29,18 @@ The triggers for an image scan are:
2929
- Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of the above mode when the Defender profile, or extension is running on the cluster.
3030

3131
Once a scan is triggered, scan results will typically appear in the Defender for Cloud recommendations after a few minutes, but in some cases it may take up to an hour.
32+
3233
## Prerequisites
3334

3435
Before you can scan your ACR images:
3536

3637
- You must enable one of the following plans on your subscription:
3738

38-
- [Defender CSPM](concept-cloud-security-posture-management.md). When you enable this plan, ensure you enable the **Container registries vulnerability assessments (preview)** extension.
39-
- [Defender for Containers](defender-for-containers-enable.md).
39+
- [Defender CSPM](concept-cloud-security-posture-management.md). When you enable this plan, ensure you enable the **Container registries vulnerability assessments (preview)** extension.
40+
- [Defender for Containers](defender-for-containers-enable.md).
4041

41-
>[!NOTE]
42-
> This feature is charged per image. Learn more about the [pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/)
42+
>[!NOTE]
43+
> This feature is charged per image. Learn more about the [pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
4344
4445
To find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.
4546

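Review bot: the two nested bullets for Defender CSPM and Defender for Containers are removed and re-added with identical visible text, so this is a whitespace-only change (most likely indentation so they nest under "You must enable one of the following plans on your subscription"); please confirm in the rendered preview that they now appear as sub-items of that bullet and that the `[!NOTE]` block still renders as a callout after re-indentation. The trailing period added after the pricing link and the blank line inserted after "Once a scan is triggered..." are fine.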
@@ -71,8 +72,6 @@ For a list of the types of images and container registries supported by Microsof
7172

7273
:::image type="content" source="media/defender-for-containers-vulnerability-assessment-azure/container-registry-details.png" alt-text="Screenshot showing select specific image to see vulnerabilities." lightbox="media/defender-for-containers-vulnerability-assessment-azure/container-registry-details.png":::
7374

74-
75-
7675
The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.
7776

7877
1. Select a specific image to see the vulnerabilities.
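Review bot: removing both extra blank lines between the `:::image:::` directive and "The repository details page opens." is fine since one blank line (original line 73) remains, so the image and paragraph still render as separate blocks; no further change needed here.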
@@ -146,15 +145,14 @@ To create a rule:
146145
:::image type="content" source="./media/remediate-vulnerability-findings-vm/modify-rule.png" alt-text="Screenshot showing the scope list.":::
147146
1. To view or delete the rule, select the ellipsis menu ("...").
148147

149-
## View vulnerabilities for images running on your AKS clusters
148+
## View vulnerabilities for images running on your AKS clusters
150149

151150
Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved-(powered by Qualys)](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c/showSecurityCenterCommandBar~/false) recommendation.
152151

153152
To provide findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the Defender agent installed on your AKS clusters. Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.
154153

155154
:::image type="content" source="media/defender-for-containers-vulnerability-assessment-azure/view-running-containers-vulnerability.png" alt-text="Screenshot of recommendations showing your running containers with the vulnerabilities associated with the images used by each container." lightbox="media/defender-for-containers-vulnerability-assessment-azure/view-running-containers-vulnerability.png":::
156155

157-
158156
## FAQ
159157

160158
### How does Defender for Containers scan an image?
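Review bot: the two removed blank lines (before "## View vulnerabilities for images running on your AKS clusters" and before "## FAQ") are harmless, but while touching this region consider fixing the unchanged context line: the link text "Running container images should have vulnerability findings resolved-(powered by Qualys)" carries a stray hyphen before "(powered by Qualys)" that does not match the recommendation's display name as written elsewhere in the sentence, and should read "resolved (powered by Qualys)".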
@@ -163,9 +161,17 @@ Defender for Containers pulls the image from the registry and runs it in an isol
163161

164162
Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.
165163

164+
### How can I identify pull events performed by the scanner?
165+
166+
To identify pull events performed by the scanner, do the following steps:
167+
168+
1. Search for pull events with the UserAgent of *AzureContainerImageScanner*.
169+
1. Extract the identity associated with this event.
170+
1. Use the extracted identity to identify pull events from the scanner.
171+
166172
### What is the difference between Not Applicable Resources and Unverified Resources?
167173

168-
- **Not applicable resources** are resources for which the recommendation can't give a definitive answer. The not applicable tab includes reasons for each resource that could not be assessed.
174+
- **Not applicable resources** are resources for which the recommendation can't give a definitive answer. The not applicable tab includes reasons for each resource that could not be assessed.
169175
- **Unverified resources** are resources that have been scheduled to be assessed, but have not been assessed yet.
170176

171177
### Does Microsoft share any information with Qualys in order to perform image scans?
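Review bot: the new FAQ steps do not say where to search: step 1 ("Search for pull events with the UserAgent of *AzureContainerImageScanner*") should name the log or data source the reader is expected to query, since a reader landing on this FAQ has no pointer to it. Step 3 ("Use the extracted identity to identify pull events from the scanner") also reads as circular with step 1; state why the identity is needed in addition to the user agent (for example, to attribute pull events that a user-agent search alone would not cover) so the procedure is self-explanatory. Minor: the "Not applicable resources" bullet is removed and re-added with identical text, so that is a whitespace-only change; fine, but worth a preview check that the bullet pair still renders as one list.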
