Understanding fingerprints

runZero automatically builds fingerprints for every asset it discovers. Fingerprints describe how runZero identified a device, service, or operating system based on collected evidence. Each fingerprint includes a set of attributes that show what was matched and where it came from.

Fingerprints are a core part of how runZero normalizes your inventory, enabling accurate correlation and deduplication across multiple discovery sources.

How fingerprints work

During discovery, runZero gathers a variety of clues—such as TCP banners, mDNS names, SMB negotiation data, TLS certificates, and more. Each clue is analyzed and classified into one or more fingerprint categories.

Fingerprints are stored within the asset record using keys that follow the pattern:

fp.<category>.<attribute>

For example:

fp.os.source — identifies which source provided the operating system fingerprint
fp.os.match — shows the string or probe result matched to identify the OS
fp.hw.vendor — lists the hardware vendor name

These values are visible in exports, the API, and internal datasets.

Refingerprinting and submitting improvements

If a fingerprint appears incorrect or incomplete, you can:

Refingerprint the asset — re-run the fingerprinting process for that specific asset using the latest detection logic. This can update OS, hardware, and type fields.
Submit a fingerprint improvement — provide feedback to help enhance fingerprinting accuracy. When submitting an improvement, you can specify:
- Type (e.g., Server, Router)
- Operating System (e.g., Windows 10, Ubuntu 22.04)
- Hardware (e.g., VMware VM, Synology NAS)
- Optional comments for additional context.

These improvements help refine fingerprinting logic in future releases and improve identification accuracy for similar devices.

Fingerprint categories

Each fingerprint category corresponds to a logical area of asset identification. Common categories include:

Category	Description	Example sources
`os`	Vendor, operating system, and version detected	TCP banners, SMB, mDNS
`hw`	Hardware and vendor identification	SNMP, MAC lookup, integrations
`type`	Asset type classification	runZero service probe

Common fingerprint attributes

The table below lists fingerprint attributes observed in exports and the API.

Attribute	Meaning	Sample Values
`fp.build`	Internal fingerprinting engine build version	`v4.0.251103.0-2fd02762da549a3e87ffb5b0649e1621011872dd`
`fp.hw.certainty`	Confidence level of hardware fingerprint	`0.8`, `1.0`
`fp.hw.cpe23`	CPE 2.3 identifier for the hardware	`cpe:2.3:h:dell:optiplex_7080:-:::::::*`
`fp.hw.device`	Detected hardware device type	`Laptop`, `Server`, `Switch`
`fp.hw.match`	Raw hardware identification string	`Dell Inc. OptiPlex 7080`, `HP ProLiant DL360`
`fp.hw.product`	Hardware product name	`OptiPlex 7080`, `ProLiant DL360`, `MacBookPro18,3`
`fp.hw.serialNumber`	Serial number extracted from hardware probe	`ABC123XYZ`, `VMware-564d4a4a`
`fp.hw.source`	Source that provided the hardware fingerprint	`SNMP`, `Intune`, `CrowdStrike`, `runZero`
`fp.hw.vendor`	Vendor identified from hardware data	`Dell`, `HP`, `Apple`, `Lenovo`
`fp.hw.version`	Hardware or firmware version string	`1.0.3`, `rev A00`
`fp.os.build`	OS build number parsed from source data	`22621`, `19045`, `22D68`
`fp.os.certainty`	Confidence level of OS fingerprint	`0.95`, `1.0`
`fp.os.cpe23`	CPE 2.3 identifier for the operating system	`cpe:2.3:o:microsoft:windows_10:19045:::::::*`
`fp.os.device`	Detected OS device type	`Desktop`, `Server`, `Mobile`
`fp.os.edition`	OS edition or variant	`Pro`, `Enterprise`, `Home`
`fp.os.match`	String matched to infer the OS	`Windows 10.0`, `Ubuntu 22.04`, `macOS 14.1`
`fp.os.product`	OS product name	`Windows 10`, `Ubuntu`, `macOS`
`fp.os.source`	Source that provided OS identification	`runZero`, `MDNS`, `Intune`, `AzureAD`
`fp.os.vendor`	Vendor identified from OS data	`Microsoft`, `Canonical`, `Apple`
`fp.os.version`	OS version parsed from matched data	`10.0.19045`, `22.04`, `14.1`
`fp.type.source`	Source that provided type classification	`runZero`, `Integration`, `Hostname`, `AzureAD`

Using fingerprints in queries

During asset processing, these fp.x.y values are normalized to os, os_version, hw, and type attributes.

These are some sample searches using the normalized attributes:

Windows os assets
```
os:windows
```
Ubuntu assets running os_version less than 20.04
```
os_version:<20.04 os:ubuntu
```
Assets with Dell hardware
```
hw:dell
```
Assets with the type server
```
type:server
```

Troubleshooting fingerprints

If a fingerprint appears incorrect or incomplete:

Check which fp.*.source values contributed to the identification. Multiple integrations or probes may overlap.
Review recent discovery runs to confirm whether an updated probe result is available.
Consider enriching with integration data sources (e.g., Intune, CrowdStrike) to improve fingerprint accuracy.

By understanding and using fingerprint data, you can verify discovery accuracy, correlate results across integrations, and build more precise asset views within runZero.

Updated November 4, 2025

Previous: Understanding network segmentation Next: Managing alerts