Frictionless Assessment for Azure

The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

With Frictionless Assessment, Tenable.io discovers and collects an inventory of data points on your Azure virtual machine (VM) instances and VM scale set instances. Then, for instances that you specify for Frictionless Assessment, Tenable.io assesses the hosts for vulnerabilities in the cloud, rather than running plugins locally on the hosts.

Frictionless Assessment uses a custom automation runbook to collect the required data from VMs and VM scale sets in your selected resource groups. You do not need to configure a Microsoft Azure discovery connector, scanners, Nessus Agents, scans, or scan schedules to assess hosts with Frictionless Assessment.

The Azure Frictionless Assessment runbook collects data from each VM with basic commands to gather information such as installed packages and the existence of specific files. This information is then securely sent to Tenable using Azure's Public Blob Resource API. The connection is authenticated with a customer-specific shared access signature (SAS) token that is rotated regularly. For more information about the data that the runbook collects from VMs, see Azure Runbook Information.

Note: Virtual machines scanned by Azure Frictionless Assessment need outbound network access to push information to Azure's Public Blob Resource API. You can grant this access by adding an outbound security rule that uses the "Storage" service tag as its destination. Without this access, Tenable does not receive the results of the runbook collection, and no assets or vulnerabilities are assessed.
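To check whether a VM's network security group actually satisfies this requirement before deploying, the following added example (not Tenable's or Microsoft's code) evaluates exported NSG outbound rules the way Azure does, by ascending priority with first match deciding, and reports whether TCP/443 to the Storage service tag is allowed. The rule dictionaries are constructed to mirror the fields of an exported NSG rule; the rule names and priorities are hypothetical.

```python
"""Evaluate NSG outbound rules for egress to the Azure 'Storage' service tag."""

def _port_ok(spec, port):
    # Azure port specs are "*", a single port, or a range "lo-hi".
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= int(port) <= hi
    return int(spec) == int(port)

def _matches(rule, dest_tag, port, proto):
    if rule["direction"] != "Outbound":
        return False
    if rule["protocol"] not in ("*", proto):
        return False
    if not _port_ok(rule["destinationPortRange"], port):
        return False
    # '*' and the Internet tag both include the public Storage endpoints.
    return rule["destinationAddressPrefix"] in ("*", "Internet", dest_tag)

def storage_egress_allowed(rules, port="443", proto="Tcp"):
    """Return (allowed, deciding_rule_name); first matching rule by priority wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, "Storage", port, proto):
            return rule["access"] == "Allow", rule["name"]
    return False, None  # nothing matched: Azure's implicit deny applies

# Constructed sample: a locked-down NSG whose custom deny sits above the
# default AllowInternetOutBound (65001) and DenyAllOutBound (65500) rules.
LOCKED_DOWN = [
    {"name": "DenyAllOutbound-Custom", "priority": 4096, "direction": "Outbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "Internet"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*",
     "destinationAddressPrefix": "*"},
]

# The same NSG with the rule this page asks for: outbound to the Storage tag.
WITH_STORAGE_RULE = [
    {"name": "AllowStorageOutbound", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "443",
     "destinationAddressPrefix": "Storage"},
] + LOCKED_DOWN

if __name__ == "__main__":
    print(storage_egress_allowed(LOCKED_DOWN))        # (False, 'DenyAllOutbound-Custom')
    print(storage_egress_allowed(WITH_STORAGE_RULE))  # (True, 'AllowStorageOutbound')
```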

Operating System Coverage

Frictionless Assessment has vulnerability coverage for the following:

  • Amazon Linux 1 / 2

  • CentOS 6 / 7 / 8

  • Red Hat 6 / 7 / 8

  • SUSE Linux Enterprise Server (SLES) 11.4-15.2

  • SUSE Linux Enterprise Desktop (SLED) 12-15.2

  • Ubuntu 16.04 / 18.04 / 20.04 / 20.10

  • Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

  • Windows 7, Windows 8, Windows 10, Windows 11

Licensing Considerations

In Tenable.io, assets generally count toward your license when they are assessed for vulnerabilities. Therefore, hosts that Frictionless Assessment assesses count against your license. For more information, see Vulnerability Management Licenses.

When you select Azure tags for hosts to be assessed by Frictionless Assessment, note that every host carrying any of those tags counts toward your license. Hosts that the connector only discovers but Frictionless Assessment does not assess (for example, hosts without any tag you selected for Frictionless Assessment) do not count toward your license.

Limitations

  • Frictionless Assessment does not run informational plugins, run remote vulnerability plugins, or gather compliance data.
  • Frictionless Assessment in Azure does not support custom encrypted disks.
  • A connector configured with Frictionless Assessment only supports one Azure subscription. If you want to assess hosts across multiple Azure subscriptions, you must configure a separate connector for each subscription.
  • You must have the Microsoft.ContainerInstance resource provider registered for each Azure subscription you plan to deploy the ARM template to.

Get Started

  1. Create an Azure Connector for Frictionless Assessment.

    Note: If you delete a Frictionless Assessment Azure connector, manually delete the remaining Azure artifacts as described in Manually Delete Connector Artifacts from Azure Frictionless Assessment.
  2. Verify that the runbook in the automation account used for Frictionless Assessment Azure completes successfully. If it does not, contact your Azure administrator or support representative to resolve the issue.

    You can find the runbook in Microsoft Azure > Automation Accounts > Tenable FA Automation Account > Process Automation > Runbooks/Job.