Data formats
runZero consumes and produces a handful of data formats. This page provides examples of these formats and describes the fields and use cases for each.
Formats
Scan data
The raw output produced by the runZero Explorer and the runZero CLI is the scan data. This is newline-delimited JSON – JSONL – that represents the unprocessed output of the scan engine. This format is returned when downloading the task data for an Explorer-run scan and correlates to the scan.runzero.gz file created by the CLI. The runZero Inventory view is built by processing scan data in chronological order to create the current state at a given point in time.
Scan data can be imported into an existing site through the Inventory Import menu of the web console and through the --import parameter of the CLI. Each line of the file is a JSON object that specifies a type and a 64-bit Unix timestamp.
The example below is the raw scan data for a single Apple Mac Mini:
{"type":"config","ts":1597259738842951567,"probes":["arp","bacnet","dns","dtls","echo","ike","ipmi","mdns","memcache","mssql","natpmp","netbios","ntp","openvpn","pca","rdns","rpcbind","sip","snmp","ssdp","syn","tftp","ubnt","wlan-list","wsd"],"addresses":["192.168.0.1","192.168.30.1","192.168.40.1"],"networks":["192.168.0.1/24","192.168.30.1/24","192.168.40.1/24"],"params":{"arp-fast":"false","bacnet-port":"47808","clock-offset":"0","dns-port":"53","dns-resolve-name":"www.google.com","dns-trace-domain":"helper.rumble.network","dtls-ports":"443,3391,4433,5246,5349,5684","excludes":"","ike-port":"500","ipmi-port":"623","max-group-size":"4096","max-host-rate":"40","max-sockets":"512","mdns-port":"5353","memcache-port":"11211","mssql-port":"1434","nameservers":"","natpmp-port":"5351","netbios-port":"137","nopcap":"false","ntp-port":"123","openvpn-ports":"1194","passes":"1","pca-port":"5632","probes":"arp,bacnet,dns,dtls,echo,ike,ipmi,mdns,memcache,mssql,natpmp,netbios,ntp,openvpn,pca,rdns,rpcbind,sip,snmp,ssdp,syn,connect,tftp,ubnt,wlan-list,wsd","rate":"1000","rdns-max-concurrent":"64","rpcbind-port":"111","rpcbind-port-nfs":"2049","screenshots":"true","sip-port":"5060","skip-broadcast":"true","snmp-comms":"public,private","snmp-poll-interval":"300","snmp-port":"161","snmp-timeout":"5","snmp-v3-auth-passphrase":"","snmp-v3-auth-protocol":"none","snmp-v3-context":"","snmp-v3-privacy-passphrase":"","snmp-v3-privacy-protocol":"none","snmp-v3-username":"","ssdp-port":"1900","syn-max-retries":"2","syn-udp-trace-port":"65535","tcp-ports":"1300,5554,8020,20034,47001,41080,2601,2604,2638,5060,7181,10202,4679,2181,34205,13,2323,5601,18881,50070,139,1129,2199,2375,4444,902,1440,2103,32913,1311,9524,8028,8883,13364,37718,512,3200,5683,10203,81,1091,5222,8081,13838,37777,1,5672,8095,65535,21,540,548,1102,27080,28017,34443,40007,6060,6542,8300,27888,4786,9443,2049,3050,5984,46823,12221,1352,6405,26122,7210,41025,1103,1530,1883,8834,443,9100,45230,1234,3128,5432,12397,111,993,3780,5250,6112,524,5247,20031,1211,1755,5985,6070,8880,1241,3690,6002,1035,4000,8080,9081,2362,23,587,921,8903,31001,143,2598,3273,6101,8812,10628,25,113,513,1720,2533,6905,32764,38080,5040,20010,6001,6660,8471,82,2222,5093,6262,6379,8545,384,5168,20222,7579,998,3057,3217,6106,9391,9,2380,5520,9060,19300,30718,49,84,161,5900,10001,8009,19,617,2100,5580,38292,85,6667,10443,42,2121,5986,23791,515,1199,10008,16993,631,2083,8443,9527,13500,27017,30000,41523,554,5061,4659,8333,9855,5355,7001,1000,1220,5521,11234,20000,6988,3351,7547,7,1900,7778,9160,31099,1030,10616,7902,8090,12174,1533,135,5631,623,5038,9300,19888,14330,109,1433,15672,1581,3790,5632,9999,80,2381,4840,7800,61616,1101,1128,1494,3311,9092,11000,110,995,1098,5800,523,8087,10098,28784,407,7777,9090,19810,34963,50000,502,1100,8161,8180,9152,11099,2379,8023,88,1582,20101,16102,16992,1583,5814,5938,20111,11211,636,27000,1158,5400,5920,7443,9530,20171,8800,9099,7474,8222,10000,2082,8902,50013,689,771,7080,8098,8686,22,1024,12345,105,9080,9111,47002,4433,44818,4848,6080,7071,8303,62078,705,873,6000,7077,8503,9495,34964,5666,17200,5433,7801,11333,12401,12203,25025,264,2525,3628,9809,26000,50090,9000,2967,137,4730,5051,8899,10050,52302,8400,53,389,402,4443,7700,62514,1090,5353,6082,6661,40317,8089,17185,912,5405,28222,465,4445,6503,8014,57772,23472,1080,7021,8088,22222,5000,9084,18264,8888,6050,7144,41524,69,1811,44334,102,6502,1521,2809,9471,888,5351,5498,123,34962,8205,9042,2947,3389,5555,10080,10162,9200,500,1089,7510,15200,2207,3500,8008,9418,3460,6504,7770,25000,55553,179,783,8012,9595,46824,7580,5560,49152,83,903,1604,3632,4322,4567,445,8030,9390,3817,8901,10051,9002,27019,910,1099,3000,3299,222,7787,37,2000,3306,48899,7879,79,1723,3037,3312,8000,23943","tftp-ports":"69","ubnt-port":"10001","verbose":"true","wlan-list-poll-interval":"300","wsd-port":"3702"},"scan_targets":{"networks":["192.168.0.5/32"],"enable_dns":true,"enable_ip6":false,"inputs":["192.168.0.5"],"dns_timeout":2000000000,"concurrency":24},"version":"1.10.0 (build 20200804052508) [eae4e551f9f0ce5ab3bf0a1410b2ed5098db097e]"}
{"type":"status","ts":1597259758851278069,"level":"info","source":"connect","msg":"waiting on TCP probes to complete"}
{"type":"stats","ts":1597259769858733899,"stats":{"elapsed":31,"progress":94,"rateLimitTime":24246445895,"recv":546,"recvBytes":37404,"recvError":10,"recvRate":17,"resultCount":22,"secondsLeft":1,"sent":503,"sentBytes":36833,"sentError":0,"sentRate":16,"startTime":1597259738843056937}}
{"type":"result","ts":1597259738844372618,"host":"192.168.0.5","port":"0","proto":"icmp","probe":"echo","info":{"icmp.addrs":"192.168.0.5","icmp.rtts":"541214","ip.flags":"DF","ip.id":"0","ip.tos":"0","ip.ttl":"64"}}
{"type":"result","ts":1597259739077542717,"host":"192.168.0.5","port":"137","name":"MACMINI-EE7C7B","proto":"udp","probe":"netbios","info":{"netbios.domain":"WORKGROUP","netbios.mac":"f0:18:98:ee:7c:7b","netbios.macDateAdded":"2017-12-23","netbios.macVendor":"Apple, Inc."}}
{"type":"result","ts":1597259739219939211,"host":"192.168.0.5","port":"137","proto":"udp","probe":"netbios","info":{"netbios.addrs":"192.168.0.5"}}
{"type":"result","ts":1597259739471688048,"host":"192.168.0.5","port":"0","proto":"arp","probe":"arp","info":{"arp.mac":"f0:18:98:ee:7c:7b","arp.macDateAdded":"2017-12-23","arp.macVendor":"Apple, Inc.","source":"arp"}}
{"type":"result","ts":1597259739826114224,"host":"192.168.0.5","port":"5353","name":"Developers-Mac-mini","proto":"udp","probe":"mdns","info":{"mdns.replies":"5.0.168.192.in-addr.arpa.=PTR,Developers-Mac-mini.local."}}
{"type":"result","ts":1597259740197709484,"host":"192.168.0.5","port":"445","proto":"tcp","probe":"connect","info":{"ntlmssp.dnsComputer":"Developers-Mac-mini.local","ntlmssp.dnsDomain":"local","ntlmssp.negotiationFlags":"0x62898235","ntlmssp.netbiosComputer":"DEVELOPERS-MAC-MINI","ntlmssp.netbiosDomain":"MACMINI-EE7C7B","ntlmssp.ntlmRevision":"15","ntlmssp.targetName":"MACMINI-EE7C7B","ntlmssp.timestamp":"0x01d670dd06500880","ntlmssp.version":"6.1.7600","protocol":"smb1\tsmb2\tsmb3","smb.capabilities":"0x00000066","smb.dialect":"0x0302","smb.guid":"ff12583f-5ba1-53b8-8ff3-a48a394056f7","smb.nativeLM":"@(#)PROGRAM:smbd PROJECT:smbx-499.60.1","smb.nativeOS":"Darwin","smb.sessionID":"0x9551b7cb00000001","smb.signing":"required","source":"mdns"}}
The data contains four types of object:
-
Scan config: The
{"type":"config"}object contains the full set of parameters for the scan as well as the version of the scan engine, and on Windows, the version of npcap installed. This record is used to determine the scan targets, which is used by the analysis engine to determine whether a given IP address was in scope. -
Scan status: The
{"type":"status"}object contains diagnostic output from the scan engine. This can highlight issues that occurred while the scan was running. -
Scan stats: The
{"type":"stats"}object represents point in time statistics for the scan. This will include the number of packets sent, received, and the progress estimate. -
Scan result: The
{"type":"result"}object is target response for a specific probe. This can include TCP SYN+ACK replies, ICMP replies, or the result of application-layer probes, such as SNMP query responses, or HTTP screenshots. Scan Results are analyzed and correlated to create to the Asset Data format.
The scan stats sub-fields are defined below:
| Field | Description |
|---|---|
| cpu | CPU Core Percent * 100. 100% of one core would be 100000. |
| elapsed | The number of seconds since the scan started. |
| fdcount | The number of open file descriptors. |
| memory | The current memory usage in bytes. |
| progress | The estimated progress as a percentage (90 = 90%). |
| rateLimitTime | The number of Unix nanoseconds spent idling in the rate limiter. |
| recv | The number of packets received from the network. |
| recvBytes | The number of bytes received from the network. |
| recvError | The number of errors receiving from the network. |
| recvRate | The average packet receive rate for the scan. |
| resultCount | The total number of findings from the scan. |
| routines | The number of internal goroutines in the scan engine. |
| secondsLeft | The estimated seconds left to complete the scan. |
| sent | The number of packets sent the network. |
| sentBytes | The number of bytes sent the network. |
| sentError | The number of errors sending to the network. |
| sentRate | The average packet send rate for the scan. |
| startTime | The Unix timestamp in nanoseconds of when the scan started. |
The scan result object type contains the following fields in addition to type and ts:
| Field | Description |
|---|---|
| host | The IP address associated with the response. |
| name | An optional hostname returned as part of this response. |
| port | The TCP or UDP port or zero for other protocols. |
| proto | The transport protocol, one of arp, icmp, tcp, or udp. |
| probe | The specific internal probe name that returned this response. |
| info | The result details object where all keys and values are strings. |
The info object contains probe-specific response data. The key names are typically in the format of probe.subfield, with a few exceptions, and the values are always strings, even for numeric and array content. Multiple values for a key are represented as a tab-delimited array. Empty values are never reported for info keys. A given scan may return multiple result objects for a single probe, sometimes with duplicate values. These responses are correlated, deduplicated, and merged during the next phase of processing.
Asset data
The correlated and fingerprinted assets shown in the web console Inventory view and in the assets.jsonl file produced by the runZero CLI are the asset data. This data represents the state of each unique asset at a point in time and is built up by processing one or more sets of scan data.
runZero supports a few variants of the asset data, including line-delimited JSON (JSONL), standard JSON documents, and a simplified CSV export. The JSONL format is the easiest to work with as it supports incremental processing without having to load the entire response into memory.
The example below is the correlated asset data for a scan of a single Apple Mac Mini:
{"id":"b73f8e09-78a6-4d2b-979d-e63908f28251","created_at":1597259778,"updated_at":1597259778,"organization_id":"b7fb13a7-701d-4ca5-b0e6-6f28f06cc866","site_id":"52d60c51-8dee-4f09-94e5-2dee30050a25","alive":true,"last_seen":1597259750,"first_seen":1597259738,"detected_by":"arp","type":"Desktop","os":"Apple macOS","os_version":"10.15","hw":"Apple Mac Mini (Late 2018)","addresses":["192.168.0.5"],"addresses_extra":["fe80::1c9d:c567:8db1:d79b"],"macs":["f0:18:98:ee:7c:7b"],"mac_vendors":["Apple, Inc."],"names":["MACMINI-EE7C7B","DEVELOPERS-MAC-MINI","DEVELOPERS-MAC-MINI.LOCAL"],"tags":{},"domains":[],"services":{"192.168.0.5/0/arp/":{"arp.mac":"f0:18:98:ee:7c:7b","arp.macDateAdded":"2017-12-23","arp.macVendor":"Apple, Inc.","source":"arp","ts":"1597259739"},"192.168.0.5/0/icmp/":{"icmp.addrs":"192.168.0.5","icmp.rtts":"541214","ip.flags":"DF","ip.id":"0","ip.tos":"0","ip.ttl":"64","ts":"1597259738"},"192.168.0.5/137/udp/":{"netbios.addrs":"192.168.0.5","netbios.domain":"WORKGROUP","netbios.mac":"f0:18:98:ee:7c:7b","netbios.macDateAdded":"2017-12-23","netbios.macVendor":"Apple, Inc.","protocol":"netbios","ts":"1597259739"},"192.168.0.5/22/tcp/":{"banner":"SSH-2.0-OpenSSH_7.9","ip.flags":"DF","ip.id":"0","ip.tos":"0","ip.ttl":"64","protocol":"ssh","service.cpe23":"cpe:/a:openbsd:openssh:7.9","service.family":"OpenSSH","service.vendor":"OpenBSD","service.version":"7.9","source":"mdns","ssh.hostKey.data":"AAAAB3NzaC1yc2EAAAADAQABAAABAQCjGYTFcSp2Fs/R8dboLYiQ6PPrulZYanYH3SCYYr5QgC1SIF3AURGYTMnUDAS+tTI/Pquwowkgiq3rtfsQMAsCrahbPahwiOLTupsuLNp3evXYYSf8ZQFyBN8iz5cys06u+yczqWG7Fu8mgpS8zwCwN7yRrbFWd8+Hp6GgfUU4Z6jUQoZu7iajpbSXlTA9OYKXQIZOm8qc4mPLT/uHw9nxNmExWA1V/2ZeoS59NGSV8zFMKb52SOXKhkvHAIUVh5NJDAudxK4uP4eG6dxr8btYtVKIOYKlsLdSBSfHvSCvVVlb7DKJBiMXG+qspt33Zd73o4S9ICh2OaSbVt7h/NZ3","ssh.hostKey.md5":"75:9b:a2:e6:10:da:72:8a:11:91:3f:a1:43:14:7f:2e","ssh.hostKey.sha256":"SHA256:xVJfddKBJ9E5jstVCj0zY8763Rnxy2pqpzaLZXO+cHc","ssh.hostKey.type":"ssh-rsa","syn.rtt":"542019","tcp.options":"MSS:05b4","tcp.ts":"2009546838","tcp.urg":"0","tcp.win":"65535","ts":"1597259740"},"192.168.0.5/3031/tcp/":{"source":"mdns","ts":"1597259740"},"192.168.0.5/3283/tcp/":{"source":"mdns","ts":"1597259740"},"192.168.0.5/445/tcp/":{"ip.flags":"DF","ip.id":"0","ip.tos":"0","ip.ttl":"64","ntlmssp.dnsComputer":"Developers-Mac-mini.local","ntlmssp.dnsDomain":"local","ntlmssp.negotiationFlags":"0x62898235","ntlmssp.netbiosComputer":"DEVELOPERS-MAC-MINI","ntlmssp.netbiosDomain":"MACMINI-EE7C7B","ntlmssp.ntlmRevision":"15","ntlmssp.targetName":"MACMINI-EE7C7B","ntlmssp.timestamp":"0x01d670dd06500880","ntlmssp.version":"6.1.7600","protocol":"smb1\tsmb2\tsmb3","smb.capabilities":"0x00000066","smb.dialect":"0x0302","smb.guid":"ff12583f-5ba1-53b8-8ff3-a48a394056f7","smb.nativeLM":"@(#)PROGRAM:smbd PROJECT:smbx-499.60.1","smb.nativeOS":"Darwin","smb.sessionID":"0x9551b7cb00000001","smb.signing":"required","source":"mdns","syn.rtt":"624414","tcp.options":"MSS:05b4","tcp.ts":"2009544186","tcp.urg":"0","tcp.win":"65535","ts":"1597259740"},"192.168.0.5/5353/udp/":{"hw.device":"Desktop","hw.family":"Mac mini","hw.product":"Mac mini (Late 2018)","hw.vendor":"Apple","mdns.addrs":"fe80::1c9d:c567:8db1:d79b\t192.168.0.5","mdns.device.model":"Macmini8,1","mdns.device.osxvers":"19","mdns.ports":"eppc/tcp=3031\tnet-assistant/udp=3283\trfb/tcp=5900\tsftp-ssh/tcp=22\tsmb/tcp=445\tssh/tcp=22","mdns.replies":"5.0.168.192.in-addr.arpa.=PTR,Developers-Mac-mini.local.\tDeveloper\\226\\128\\153s\\ Mac\\ mini._device-info._tcp.local.=TXT,model=Macmini8,1 osxvers=19\tDevelopers-Mac-mini.local.=A,192.168.0.5\tDevelopers-Mac-mini.local.=AAAA,fe80::1c9d:c567:8db1:d79b\t_eppc._tcp.local.=PTR,Developer\\226\\128\\153s\\ Mac\\ mini._eppc._tcp.local.\t_net-assistant._udp.local.=PTR,Developer\\226\\128\\153s\\ Mac\\ mini._net-assistant._udp.local.\t_rfb._tcp.local.=PTR,Developer\\226\\128\\153s\\ Mac\\ mini._rfb._tcp.local.\t_sftp-ssh._tcp.local.=PTR,Developer\\226\\128\\153s\\ Mac\\ mini._sftp-ssh._tcp.local.\t_smb._tcp.local.=PTR,Developer\\226\\128\\153s\\ Mac\\ mini._smb._tcp.local.\t_ssh._tcp.local.=PTR,Developer\\226\\128\\153s\\ Mac\\ mini._ssh._tcp.local.","mdns.services":"ssh/tcp\tsftp-ssh/tcp\teppc/tcp\trfb/tcp\tsmb/tcp\tnet-assistant/udp","os.cpe23":"cpe:/o:apple:mac_os_x:10.15","os.family":"Mac OS X","os.product":"Mac OS X","os.vendor":"Apple","os.version":"10.15","protocol":"mdns","ts":"1597259740"},"192.168.0.5/5900/tcp/":{"ip.flags":"DF","ip.id":"0","ip.tos":"0","ip.ttl":"64","protocol":"vnc","source":"mdns","syn.rtt":"625419","tcp.options":"MSS:05b4","tcp.ts":"2009549134","tcp.urg":"0","tcp.win":"65535","ts":"1597259749","vnc.version":"RFB 003.889"}},"credentials":{},"rtts":{"icmp/echo":[541214]},"attributes":{"_macs.ipmap":"f0:18:98:ee:7c:7b=192.168.0.5","ip.ttl.hops":"0","ip.ttl.host":"192.168.0.5","ip.ttl.port":"22","ip.ttl.source":"64","ip.ttl.source.icmp":"64","ip.ttl.win":"65535","match.db":"mdns-device-info-txt","match.score":"90","ntlmssp.dnsComputer":"Developers-Mac-mini.local","ntlmssp.dnsDomain":"local","ntlmssp.version":"6.1.7600","os.cpe23":"cpe:/o:apple:mac_os_x:10.15","os.family":"Mac OS X","os.product":"Mac OS X","os.vendor":"Apple","os.version":"10.15","smb.guid":"ff12583f-5ba1-53b8-8ff3-a48a394056f7","smb.nativeLM":"@(#)PROGRAM:smbd PROJECT:smbx-499.60.1","smb.nativeOS":"Darwin"},"service_count":9,"service_count_tcp":5,"service_count_udp":2,"service_count_arp":1,"service_count_icmp":1,"lowest_ttl":0,"lowest_rtt":541214,"last_agent_id":"ca811190-329c-4da3-8cbe-3fd2ddff2663","last_task_id":"de5a4176-3614-4b71-8939-95b9108124aa","newest_mac":"f0:18:98:ee:7c:7b","newest_mac_vendor":"Apple, Inc.","newest_mac_age":1513987200000000000,"comments":null,"service_ports_tcp":["22","445","3031","3283","5900"],"service_ports_udp":["137","5353"],"service_protocols":["mdns","netbios","smb1","smb2","smb3","ssh","vnc"],"service_products":["openbsd openssh"],"org_name":"Test Lab","site_name":"MAC","agent_name":"TENTACULAR"}
Asset Data uses a number of data types for top-level fields, including string arrays, objects, strings, and integers. runZero tracks multiple IP addresses and MACs per asset and these are represented as arrays. For asset-level attributes and services, these are stored as objects with additional structure. Assets are uniquely identified by the id field (a V4 UUID) and nearly every other field can be changed between scans, as assets move around the network, change IPs, and open and close services.
Every asset belongs to an organization and a site within that organization.
The core asset data fields are defined below.
| Field | Description |
|---|---|
| id | The unique ID of this asset defined as a v4 UUID. |
| created_at | The asset created time represented as a 64-bit Unix timestamp in seconds. |
| updated_at | The asset last update time represented as a 64-bit Unix timestamp in seconds. |
| organization_id | The organization identifier defined as a v4 UUID. |
| site_id | The site identifier defined as a v4 UUID. |
| alive | A boolean indicating whether this asset was found during the last scan of the site. |
| last_seen | The time the asset last responded represented as a 64-bit Unix timestamp in seconds. |
| first_seen | The time the asset first responded represented as a 64-bit Unix timestamp in seconds. |
| detected_by | The protocol used to first detect that this asset was alive during the last scan. |
| type | A classification that represents a guess of the asset’s purpose. |
| os_vendor | The operating system vendor name as determined by the fingerprinting engine. |
| os_product | The operating system product name as determined by the fingerprinting engine. |
| os_version | The operating system version as determined by the fingerprinting engine. |
| os | The operating system name as determined by the fingerprinting engine. |
| hw_vendor | The hardware vendor name as determined by the fingerprinting engine. |
| hw_product | The hardware product name as determined by the fingerprinting engine. |
| hw_version | The hardware version as determined by the fingerprinting engine. |
| hw | The hardware definition as determined by the fingerprinting engine. |
| addresses | An array of IP (v4/v6) addresses for the asset that were within the scan scope. |
| addresses_extra | An array of IP (v4/v6) addresses for the asset that were outside the scan scope. |
| macs | An array of MAC addresses associated with this asset. |
| mac_vendors | An array of MAC address vendors associated with this asset. |
| names | An array of unique hostnames associated with this asset (uppercase). |
| domains | An array of unique domain names associated with this asset (uppercase). |
| tags | A text representation of the user-specified tags associated with this asset. |
| attributes | An object containing a map of key-value string attributes for this asset. |
| services | An object containing each associated service with the key representing the service description. |
| credentials | An object containing a map of any associated credentials (SNMP v2/v3). |
| rtts | An object containing a map of round-trip measurement times in milliseconds. |
| service_count | A count of TCP, UDP, ARP, and ICMP services. |
| service_count_tcp | A count of TCP services. |
| service_count_udp | A count of UDP services. |
| service_count_arp | A count of ARP services (0 or 1). |
| service_count_icmp | A count of ICMP services. |
| software_count | A count of software results. |
| vulnerability_count | A count of vulnerability results. |
| lowest_ttl | The lowest observed source TTL for this asset. |
| lowest_rtt | The lowest observed source RTT for this asset. |
| last_agent_id | The v4 UUID of the Explorer responsible for the last scan of this asset. |
| last_task_id | The v4 UUID of the task responsible associated with the last scan of this asset. |
| last_task_id | The v4 UUID of the task responsible associated with the last scan of this asset. |
| newest_mac | The “newest” MAC address by registration date. |
| newest_mac_vendor | The “newest” MAC address vendor by registration date. |
| newest_mac_age | The “newest” MAC address registration date as a Unix timestamp in nanoseconds. |
| comments | User-specified comments associated with this asset. |
| service_ports_tcp | An array of strings representing the unique TCP ports found on this asset. |
| service_ports_udp | An array of strings representing the unique UDP ports found on this asset. |
| service_protocols | An array of strings representing the unique protocols found on this asset. |
| service_products | An array of strings representing the unique products found on this asset. |
| scanned | A TRUE or FALSE value indicating whether the asset has been scanned by runZero. |
| source_ids | The ID of the data source, mapped to this table. |
| eol_os | The operating system End-of-Life time represented as a 64-bit Unix timestamp in seconds. |
| eol_os_ext | The operating system extended End-of-Life time represented as a 64-bit Unix timestamp in seconds. |
| outlier_score | The 0-5 score range indicating how unusual an asset is compared to the rest of the inventory. |
| outlier_raw | The heuristic score indicating how unusual an asset is compared to the rest of the inventory. |
| sources | The name of the data source, mapped to this table. |
| org_name | The name of the organization associated with this asset. |
| site_name | The name of the site associated with this asset. |
| agent_name | The name of the Explorer associated with this asset. |
| agent_external_ip | The external IP address of the Explorer associated with this asset. |
| hosted_zone_name | The name of the hosted zone associated with this asset. |
| subnets | The registered subnets associated with the site this asset is in. |
The services field contains string keys that contain the unique service identifier with values stored as strings. Multiple values may be stored as tab-delimited strings in the service values. A typical service key looks like 192.168.0.5/22/tcp/.
The components of the service key name consist of address, port, transport, and virtual host (which can be blank).
Change reports
The runZero platform calculates a change report after processing each scan. This is a JSON document available for download from the Task Details page with the following structure.
{
"assets":{
"new":{ "<asset-UUID>": { "Asset Data Fields":"" } },
"online":{ "<asset-UUID>": { "Asset Data Fields":"" } },
"offline":{ "<asset-UUID>": { "Asset Data Fields":"" } },
"changed":{ "<asset-UUID>": { "Asset Data Fields":"" } },
"summary":{
"changed":#,
"new":#,
"total":#,
"unchanged":#
} },
"directory_users":{
"new":{ "<user-UUID>": { "User Data Fields":"" }},
"changed":{ "<user-UUID>": { "User Data Fields":"" }},
"summary":{
"changed":#,
"new":#,
"total":#,
"unchanged":#
} },
"directory_groups":{
"new":{ "<group-UUID>": { "Group Data Fields":"" } },
"changed":{ "<group-UUID>": { "Group Data Fields":"" } },
"summary":{
"changed":#,
"new":#,
"total":#,
"unchanged":#
} },
"truncated": <true/false>
}
The new, online, offline, and changed objects each contain keys consisting of the modified asset IDs with the values represented in the asset data format.
The summary field indicates overall change statistics for this task.
The truncated field is set to true if the change report is incomplete due to reaching the maximum change threshold (1000 asset changes today).
Updated