Create an Azure Connector for Frictionless Assessment

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on December 31, 2023, and will no longer receive support or updates. However, existing Frictionless Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024. Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following feature is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

When you configure an Azure cloud connector for Frictionless Assessment, Tenable Vulnerability Management uses an Azure Resource Manager (ARM) template. ARM is Azure's method for organizing, updating, and provisioning resources in an Azure resource group or subscription. It allows users to define resources, dependencies, and networking for their application or use cases.

Follow the steps below to create a Microsoft Azure Frictionless Assessment connector in Tenable Vulnerability Management. This process also creates the ARM template that you will need to deploy to each of your Azure subscriptions that you want to evaluate for Frictionless Assessment.

Before you begin:

  • In another window or tab of the same browser with which you are accessing Tenable Vulnerability Management, log in to the Azure console with the Azure account that you want to target with Frictionless Assessment.

Note: To use Tenable Cloud Security Preview or Tenable Cloud Security, you must update or create new roles that support Tenable Cloud Security. Tenable Vulnerability Management cloud connector roles do not support Agentless Assessment.

Create the Microsoft Azure Frictionless Assessment connector and ARM template:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Cloud Connectors tile.

    The Cloud Connectors page appears and displays the configured connectors table.

  4. Click Create Cloud Connector.

    The Select a Cloud Connector panel appears.

  5. In the Cloud Connectors list, select Microsoft Azure Frictionless Assessment.

    The Connector Setup pop-up appears.

  6. In the Cloud Provider step, enter a Connector Name.

    Click Next.

  7. In the Enable Features step, ensure the check box to Identify vulnerabilities using frictionless assessment is selected.

    Click Next.

  8. In the Configuration step, either select the Scan all check box, or select specific target parameters.

    Note: To target a more specific subset of resources, you can target your connector on a specific resource group, a specific tag key, a specific tag value, or a combination of all three.

    Note: Use the ANY input from the drop-down as a wild card to target all values for a resource group, tag key, or tag value.

    Note: Multiple targets with specific parameters can be selected.

    Click Next.

  9. In the Apply Choices step, click Download and Finish.

    The new ARM template downloads in .json format, and the new connector shows on the Cloud Connectors page.

Deploy the connector using the ARM template:

Deploy the ARM template you downloaded in the previous section to your Azure subscription(s).

For deployment guidance, refer to Microsoft Azure documentation.

Note: You must have the Microsoft.ContainerInstance resource provider registered for each Azure subscription to which you are deploying the ARM template.

Note: When deploying Azure Frictionless Assessment through the Azure CLI, use subscription deployment with the ARM template produced by the steps above.

Example:

az deployment sub create --location eastus --template-file /path/to/arm-template.json

You can add --debug to the command to generate verbose logging during deployment.

az deployment sub create --location eastus --template-file /path/to/arm-template.json --debug
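
The following script is an added example, not Tenable's tooling. It applies the two notes above to several subscriptions at once: it checks that Microsoft.ContainerInstance is registered, then either previews the template's changes with az deployment sub what-if or runs the subscription deployment. The function names and the preview/apply modes are assumptions made for this example, and the subscription IDs are placeholders.

```shell
#!/bin/sh
# Added example, not Tenable's tooling. Function names and the preview/apply
# modes are illustrative; subscription IDs are supplied by the caller.

# Succeeds only when Microsoft.ContainerInstance is registered in the subscription.
provider_registered() {
  state=$(az provider show --subscription "$1" \
            --namespace Microsoft.ContainerInstance \
            --query registrationState --output tsv) || return 2
  [ "$state" = "Registered" ]
}

# deploy_connector <preview|apply> <template.json> <location> <subscription>...
# preview: show what the template would create (az deployment sub what-if).
# apply:   run the subscription deployment shown on this page.
# Returns the number of subscriptions skipped or failed (64/66 on usage errors).
deploy_connector() {
  mode=$1 template=$2 location=$3
  case "$mode" in
    preview) action="what-if" ;;
    apply)   action="create" ;;
    *) echo "mode must be preview or apply" >&2; return 64 ;;
  esac
  [ -r "$template" ] || { echo "cannot read $template" >&2; return 66; }
  shift 3
  failed=0
  for sub in "$@"; do
    # The template needs this resource provider; skip rather than fail mid-deploy.
    if ! provider_registered "$sub"; then
      echo "SKIP $sub: Microsoft.ContainerInstance is not registered" >&2
      failed=$((failed + 1))
      continue
    fi
    if az deployment sub "$action" --subscription "$sub" \
         --location "$location" --template-file "$template"; then
      echo "OK   $sub: $action"
    else
      echo "FAIL $sub: $action" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage (subscription IDs are placeholders):
#   deploy_connector preview /path/to/arm-template.json eastus <sub-id-1> <sub-id-2>
#   deploy_connector apply   /path/to/arm-template.json eastus <sub-id-1> <sub-id-2>
```

Run the preview mode first and review the resources and role assignments it lists before you run apply.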