Frictionless Assessment for Azure

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on December 31, 2023, and will no longer receive support or updates. However, existing Frictionless Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024. Tenable recommends that you transition to Tenable Cloud Security for scanning your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

With Frictionless Assessment, Tenable Vulnerability Management discovers and collects an inventory of data points on your Azure virtual machine (VM) instances and VM scale set instances. Then, for instances that you specify for Frictionless Assessment, Tenable Vulnerability Management assesses the hosts for vulnerabilities in the cloud, rather than running plugins locally on the hosts.

Frictionless Assessment uses a custom automation runbook to collect the required data from VMs and VM scale sets in your selected resource groups. You do not need to configure a Microsoft Azure discovery connector, scanners, Tenable Nessus Agents, scans, or scan schedules to assess hosts with Frictionless Assessment.

The Azure Frictionless Assessment runbook collects data from each VM with basic commands to gather information such as installed packages and the existence of specific files. This information is then securely sent to Tenable using Azure's Public Blob Resource API. This connection is made using a customer-specific, regularly rotating shared access signature (SAS) token. For more information about the data that the runbook collects from VMs, see Azure Runbook Information .

Note: Virtual machines scanned by Azure Frictionless Assessment need outbound network access to push information to Azure's Public Blob Resource API. This can be accomplished by adding an outbound security rule using the "Storage" service tag. Without this access, the result of Runbook collection will not be received by Tenable and no assets or vulnerabilities will be assessed.

Operating System Coverage

Frictionless Assessment has vulnerability coverage for the following:

  • Amazon Linux 1 / 2

  • CentOS 6 / 7 / 8

  • Red Hat 6 / 7 / 8

  • SUSE Linux Enterprise Server (SLES) 11.4-15.2

  • SUSE Linux Enterprise Desktop (SLED) 12-15.2

  • Ubuntu 16.04. / 18.04 / 20.04 / 20.10

  • Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

  • Windows 7, Windows 8, Windows 10, Windows 11

Licensing Considerations

In general in Tenable Vulnerability Management, assets count towards your license when they are assessed for vulnerabilities. Therefore, hosts that are assessed by Frictionless Assessment count against your license. For more information, see Tenable Vulnerability Management Licenses.

When you select Azure tags for hosts to be assessed by Frictionless Assessment, note that all hosts with any of those tags count towards your license. Hosts that are only discovered by the connector, and not assessed by Frictionless Assessment (for example, hosts that do not have a tag you selected for Frictionless Assessment), do not count towards your license.

Limitations

  • Frictionless Assessment does not run informational plugins, run remote vulnerability plugins, or gather compliance data.
  • Frictionless Assessment in Azure does not support custom encrypted disks.
  • A connector configured with Frictionless Assessment only supports one Azure subscription. If you want to assess hosts across multiple Azure subscriptions, you must configure a separate connector for each subscription.
  • You must have the Microsoft.ContainerInstance resource provider registered for each Azure subscription you plan to deploy the ARM template to.
  • The limit for Frictionless Assessment scans is one per day, whereas existing Frictionless Assessment connectors created before May 1, 2023 transmit inventory data more frequently. Frictionless Assessment drops data exceeding the frequency limit and does not scan it.

    Note: The limitation does not apply to Tenable Container Security, Agentless Assessment, or Tenable NessusAgent-based inventory scans.

Get Started

  1. Create an Azure Connector for Frictionless Assessment.

    Note: If you delete a Frictionless Assessment Azure connector, manually delete the remaining Azure artifacts as described in Manually Delete Connector Artifacts from Azure Frictionless Assessment.
  2. Verify that the Runbook in the automation account used for Frictionless Assessment Azure completes successfully. If it does not, contact your Azure administrator or support representative to resolve the issue.

    You can find the Runbook in Microsoft Azure > Automation Accounts > Tenable FA Automation Account > Process Automation > Runbooks/Job.

For more information, see the following topics: