Inbound integrations
Enriching runZero results with data from other tools
The runZero platform offers integrations with several sources of asset data, allowing users to enrich their asset inventory and identify assets and subnets that are not effectively managed or protected. By leveraging product APIs and export/import functionality, runZero can pull data from many IT and security tools to extend visibility across your organization’s network.
Supported integrations
Cloud and virtualization
Endpoint protection
- CrowdStrike Falcon
- Microsoft 365 Defender
- Microsoft Intune
- Miradore MDM
- SentinelOne
- Tanium API Gateway
Endpoint management
Asset and identity management
Vulnerabilities and risk
Network management
Custom integrations
If the solution you want to draw data from isn’t available as a current runZero integration, Platform users can leverage the custom integrations feature to add asset data from custom sources. Adding custom asset sources can be accomplished through the API or by leveraging the runZero Python SDK.
Scan probes or connector tasks
Most integrations can be run either as a scan probe or a connector task.
Scan probes run as part of a scan task. The scan task can be used to scan your environment and sync integrations at the same time. To run an integration as a scan probe:
- Configure a scan task from the Scan menu in your inventory or tasks page.
- Activate the integration under the Probes tab.
- Activate the correct credential under the Credentials tab.
- Configure, activate, or deactivate other scan task configuration options as preferred.
Connector tasks run independently of scan tasks to allow more finely tuned scheduling of integration syncs and asset scans. Connector tasks are run from the runZero cloud by default, but can be configured to run from an Explorer in your organization if preferred. To run an integration as a connector task:
- Configure a connector task from the Integrations page or the Integrate menu in your inventory or tasks page.
- Select an Explorer from the Explorer menu (optional).
- Configure, activate, or deactivate other connector task configuration options as preferred.
Importing integration data
Some integrations can be used by importing data from that platform into runZero. For example, .nessus files from Tenable Nessus and .xml files from Rapid7 Nexpose can both be ingested without requiring a connection to their APIs.
Automatic asset merge
How runZero maps integration assets to existing runZero assets:
- For hosts that can be matched to an existing runZero asset, asset-level attributes will be updated, and integration-specific attributes will be added.
- For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.
runZero merges integration data into existing assets by matching on the following attributes, in priority order:
- MAC address
- IP address (3-day window)
- Hostname
Assets from integrations can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.
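The priority order above, worked through as an added illustration (this is not runZero's code or API). Assumptions: the record and asset field names are hypothetical, the 3-day window is read as "both sightings fall within three days of each other", and hostname matching is a case-insensitive exact match.

```python
from datetime import datetime, timedelta

IP_WINDOW = timedelta(days=3)  # "IP address (3-day window)" from the page


def norm_mac(mac):
    # Compare MACs case-insensitively, ignoring ':' and '-' separators.
    return mac.lower().replace(":", "").replace("-", "")


def match_asset(record, inventory):
    """Return (asset_id, matched_on), or (None, None) if a new asset is needed."""
    macs = {norm_mac(m) for m in record.get("macs", [])}
    ips = set(record.get("ips", []))
    host = (record.get("hostname") or "").lower()
    # 1. MAC address: highest priority, checked against every asset first.
    for asset in inventory:
        if macs & {norm_mac(m) for m in asset["macs"]}:
            return asset["id"], "mac"
    # 2. IP address: only if both sightings fall within the window (assumed
    #    meaning), so a reassigned DHCP lease does not merge two devices.
    for asset in inventory:
        recent = abs(record["seen"] - asset["last_seen"]) <= IP_WINDOW
        if recent and ips & set(asset["ips"]):
            return asset["id"], "ip"
    # 3. Hostname: lowest priority, case-insensitive exact match.
    for asset in inventory:
        if host and host == asset["hostname"].lower():
            return asset["id"], "hostname"
    return None, None


# Constructed sample data (not real inventory).
NOW = datetime(2024, 1, 10)
INVENTORY = [
    {"id": "a1", "macs": ["00:11:22:33:44:55"], "ips": ["10.0.0.5"],
     "hostname": "web01", "last_seen": NOW - timedelta(days=1)},
    {"id": "a2", "macs": [], "ips": ["10.0.0.9"],
     "hostname": "db01", "last_seen": NOW - timedelta(days=10)},
]
RECORDS = [
    {"macs": ["00-11-22-33-44-55"], "ips": ["10.0.0.9"], "hostname": "x", "seen": NOW},
    {"macs": [], "ips": ["10.0.0.9"], "hostname": "laptop7", "seen": NOW},
    {"macs": [], "ips": ["10.0.0.9"], "hostname": "DB01", "seen": NOW},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["hostname"], "->", match_asset(rec, INVENTORY))
```

The second record shares an IP with a stale asset and matches nothing else, so it would become a new asset in the site chosen for the integration task; unexpected new assets after a sync are worth reviewing for missed merges.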
Removing an integration data source
When an integration is removed as a data source, the associated attributes are removed from your runZero assets. Since some asset attribute fields are merged, it is possible that attributes populated by both runZero scans and the integration could be deleted. Rescanning the affected assets will resolve this issue.
Source names and IDs
The table below maps the source name to the source ID for querying assets and vulnerabilities.
ID | Name | Description |
---|---|---|
-1 | custom | Custom |
1 | runzero | runZero |
2 | miradore | Miradore |
3 | aws | AWS |
4 | crowdstrike | CrowdStrike |
5 | azure | Azure |
6 | censys | Censys |
7 | vmware | VMware |
8 | gcp | GCP |
9 | sentinelone | SentinelOne |
10 | tenable | Tenable |
11 | nessus | Nessus |
12 | rapid7 | Rapid7 |
13 | insightvm | InsightVM |
14 | qualys | Qualys |
15 | shodan | Shodan |
16 | azuread | AzureAD |
17 | ldap | LDAP |
18 | ms365defender | MS365Defender |
19 | intune | Intune |
20 | googleworkspace | GoogleWorkspace |
21 | sample | Sample |
22 | tenablesecuritycenter | TenableSecurityCenter |
23 | packet | Packet |
24 | wiz | Wiz |
25 | meraki | Meraki |
26 | mecm | MECM |
27 | tanium | Tanium |
28 | simulator | Simulator |
29 | netbox | NetBox |
30 | cip | CIP |
31 | palo-alto | Palo Alto |