Reviewing results

Task details

After each scan task completes, the task details page will list a summary of how many assets were affected. To understand the numbers, it’s important to remember that runZero doesn’t just rely on IP addresses. Instead, it fingerprints the assets based on how they respond to probes, and tries to catch situations where known assets change IP addresses.

The change summary box on the task details page includes the following statistics:

  • Asset changes:
    • Newly discovered assets are devices that were found during the task for which no device with matching fingerprints was previously seen.
    • Assets marked offline are assets that runZero has previously seen on the scanned network, but that didn’t respond on any of the IP addresses during this scan. When this happens, the asset is marked offline. The offline status is a flag on the asset, and doesn’t count as a change to the asset. Assets may be marked offline because the device was powered down or disconnected, or because of network problems.
    • Assets back online are assets that were marked offline at some point in the past, but the runZero Explorer got a response from them during this scan. The online status is a flag on the asset, and doesn’t count as a change to the asset.
    • Assets changed is the number of assets where some property of the asset was modified, other than its online status. Examples include changes to the device’s IP addresses or hostname, or responses from new ports or protocols.
    • Assets unchanged is the number of assets that were seen exactly where runZero found them in the last scan, with no changes to their responses.
    • Assets ignored is the number of occasions where the Explorer got a response from probing an IP address, but it turned out to be bogus in some way. This typically happens when a web proxy, stateful firewall, or SIP gateway responds as if it is the asset at every address on a subnet.
    • Assets updated by task is the total of Assets changed plus Assets unchanged. It indicates the number of asset records that are now up-to-date.
  • User changes:
    • Newly discovered users are users that were seen for the first time during the integration sync.
    • Users changed are users that had attributes change during the integration sync.
    • Users unchanged are users that did not change during the integration sync.
    • Users updated by task is the total number of Users changed and Users unchanged, indicating how many user records are now up-to-date.
  • Group changes:
    • Newly discovered groups are groups that were seen for the first time during the integration sync.
    • Groups changed are groups that had attributes change during the integration sync.
    • Groups unchanged are groups that did not change during the integration sync.
    • Groups updated by task is the total number of Groups changed and Groups unchanged, indicating how many group records are now up-to-date.

Dashboard & inventory views

The dashboard will be populated with results after the first scan completes. The dashboard provides trend data and insights that will help you assess how your inventory is changing over time. You can select a time period and site for the trend data using the selectors at the top right of the dashboard page.

The main asset trends graph shows the number of assets in each of the four main states – live, offline, scanned and unscanned. Beneath the graph are additional asset breakdowns, each of which shows a top 10 of an asset category – asset type, operating system, hardware and tags.

The service trends graph shows how many total services were found in your asset inventory, along with breakdowns for ARP, ICMP, TCP and UDP. Below the service trends graph are breakdowns of the top 10 TCP ports, UDP ports, protocols and products detected.

Clicking the menu button at the top right of each table and selecting “View more” shows a more detailed inventory by category.

Insights from queries

Queries and reports can help you gain valuable insights, but you may wonder where to get started. We recommend trying the pre-built queries in the Query Library first. Some of these queries are a result of runZero’s Rapid Response to emerging threats and are described on our blog.

runZero’s query language allows you to search and filter your asset inventory based on asset fields and value pairs. See the documentation about querying your data. Once you are familiar with the query language you can write your own queries.

You can set queries to run automatically by opening the query and setting the “Automatically track query results on the dashboard”. The query will run when scans complete, and you will be notified of any resulting insights on the dashboard page.

Sample Queries

Asset inventory

  • Equipment that is likely 8+ years old: alive:t mac_age:>8years
  • Assets with end-of-life OS: os_eol:<now
  • Virtual machines: has:virtual
  • Devices acting as a router: router:true
  • Devices that may be bridging: has_public:t and has_private:t

Service inventory

  • Protocol on a non-standard port example: protocol:ssh not port:22
  • Publicly addressed assets running RDP or VNC: has_public:t and (protocol:rdp or protocol:vnc)
  • Authenticated web services that are not encrypted: (_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
  • Older TLS versions in use: alive:t AND protocol:"=tls" AND ( tls.versionName:"=TLS 1.0" OR tls.versionName:"=TLS 1.1")

Some other sample queries are described in our blog entries:

Reports

After viewing the dashboard and inventory, your next stop should be the runZero Reports page.

Switch topology

This report uses SNMP information to map how the switches on your network are connected. Each switch displays its IP address, name, and the number of assets connected to it. If runZero detected MAC addresses that were not found as part of the scan scope, you will see a number of unmapped assets indicated below the switch.

You can click on a switch to see a pop-up with the number of identified and unmapped assets. From there, you can click to view the unmapped assets, and be taken to a table of unmapped MACs by switch port.

Double-clicking on a switch will expand that part of the diagram and show the individual assets connected to the switch.

The switch topology report won’t always be entirely accurate as it’s based on which switch claims to have seen each MAC address, and this may not always be the nearest access switch. Our algorithm looks for the switch port with the least number of shared MACs to find the best match, but this may not give the answer you expect, depending on switch cache timeouts and how the switches were scanned.

Subnet utilization

The subnet utilization report lists the subnets scanned on your network, and what percentage of each is in use. For example, if you have scanned 10.0.1.0/24 and found 25 assets, the report will show that 10% of the available IP addresses in the subnet are in use.

Network bridges

The network bridges report is a way to find devices that bridge multiple network segments. It can be useful to locate unintentional bridging between your internal networks and the Internet.

The report shows your internal networks in green, and external networks in red. It then shows you the multihomed assets which bridge an internal network to an external one.

RFC 1918 coverage

The RFC 1918 coverage report is a way to view how much of the private internal network address space has been scanned for assets. It can help you discover rogue assets, unscanned subnets, and secondary interfaces on scanned devices. More information is in the section on coverage reports.

Unmapped MACs

This report uses SNMP information to list MAC addresses runZero found evidence for, but which weren’t encountered as addresses of assets during the network scan. The MAC addresses are grouped by the switch that reported them, along with information about the vendor, manufacture date and switch port of the possible asset, to help identify them.

Outliers

The outliers reports allow you to obtain a summary of how often different values occur in specific attributes of assets and services. The values are sorted from most frequent to least frequent.

For example, the HTTP servers outliers report will list all of the HTTP servers encountered by runZero, starting with the most common.

As well as the one-click outliers reports, you can produce an outliers report for any asset or service attribute.

  • Switch topology to identify how your assets are connected and find “unmapped” MAC addresses (in red) that were not included in your scan scope (a summary of which is in the Unmapped MACs report)
  • Bridging to visualize what hosts may have both public and private connections
  • RFC 1918 coverage that can identify potential blindspots on your network like missing (unscanned) subnets, rogue devices, and “hinted” IPs that are secondary interfaces on unscanned network ranges.
  • See the “View all” button at the top right for a list of other reports to investigate outliers

Domain membership report

The domain membership report lists the Active Directory domains encountered by runZero, and lists how many assets are in each.

Analysis reports

Platform

Analysis reports are more advanced reports. They may run as tasks, rather than being generated on-the-fly.

The first analysis report is Compare Sites, which generates searchable reports of the differences between two sites.

The Outlier Overview Report analyzes assets across the organization and summarizes the most unusual values for an assortment of key attributes such as hardware type and SNMP enterprise ID.

The Specific Outlier Report allows you to select an attribute which has outlying values and get a detailed breakdown of those values.

The Organization Overview Report builds a high level summary report of the entire organization. It can optionally include lists of assets found.

Alerts

Platform

As well as manually generated reports and queries, runZero also supports automatic alerts to designated channels for post-scan inventory queries, asset changes, Explorer and scan issues, security operations, or API events.

Available channels are internal notifications in the runZero web console, email, or webhooks that can enable integration with services such as Slack or Mattermost. Alerts use the same query language as the sample queries above, so this is a good way to automate proactive notification for critical events.

Updated