Site and organization comparison
The Site and organization comparison feature lets you generate a side-by-side analysis of two sites, so you can understand:
- How assets change over time such as their TCP/UDP services, TCP/UDP ports, and service protocols. You can leverage this data to evaluate historical changes for assets for a specific point in time.
- How exposure changes based on scanning your network from different locations. For example, if you use public IP addresses internally and externally, you may want to scan those addresses from inside and outside your network to understand your potential exposure.
The report provides a summary view of differences. It only captures certain attributes that were added or removed from an asset, such as IP addresses, TCP ports, TCP service counts, UDP ports, UDP service counts, service protocols, and service counts. It does not track every modification to an asset, such as fingerprint or service banner changes.
After you run the report, the data presented in the report will be static. Any changes to your current inventory may result in assets no longer being accessible from the report.
Generate a site comparison
Generating the site comparison requires selecting a current site and a comparison site. The sites can be in different organizations. You can also select “All sites” to compare all sites in an organization with a different site and organization.
When the report runs it will assemble the two sets of assets specified, compare them using runZero’s asset matching algorithms, and generate a set of differences. You can then browse the summarized results in the report.
To generate a site comparison:
- Verify that your current organization is one containing an inventory of assets you want to compare.
- Go to the site comparison page.
- When the site comparison configuration page appears, the current organization will be set to the one you currently have selected. You can change the current site, if needed. For the comparison, choose the organization and site you want to run the analysis against.
- Run the report. A task will be created to perform the comparisons, and you will be taken to the task page.
- When the task is complete, the report will appear in the list of recent analysis reports at the top of the Reports page. You can then view and search the results.
View how assets change over time
To analyze how assets have changed over time, you can compare the data from an old scan task with your most recent inventory. Setting a point-in-time comparison requires creating a new project that you can import your old scan data into.
Here’s how you can set up a point-in-time analysis:
- Go to the organization or project that contains the task scan data you’d like to use.
- Go to your completed tasks and locate the task that contains the data for the point in time you’d like to compare.
- From the task page, download the task data. It will be in a file with a name starting
scan_
and ending.json.gz
. This is the file you’ll import into your new project. You don’t need to uncompress the file, unless you’re curious to look at the JSON data. - Next, create a new project for your import. You can create an organization if you intend to perform the analysis regularly.
- After you create the project, go to the Inventory page and import your scan task data into it.
Now, you’re ready to compare your current inventory with a previous version of it. Go to the site comparison page. You’ll need to select the organization and site for your current inventory as the site to compare against.
After the report runs, it shows a table that highlights the differences between the two sites, which in this case will represent two points in time, going from past to present.
You can also run the comparison by selecting your current organization first, and then choosing the project with the past data as the comparison site. The results will be the same, but with their sense reversed – that is, services which show as added when going from past to present, will show as removed when going from present to past.
View how exposure differs between networks
You can run the site comparison report to compare how exposure varies based on where you scan your network from. By comparing two inventories from two different perspectives, you can obtain better insights on your attack surface, which can help with active defense or risk reduction. For example, if you use external IPs internally and externally, you may want to scan those addresses from inside your network and outside your network. Then, you can run the site comparison report to compare the results from those two sites.
Here’s how you can set up a diff for exposures between networks:
- Set up a site with an Explorer on one network.
- Set up another site with an Explorer on a different network. This site can be in the same organization as the first site.
- Run a scan of the same address range with each Explorer. Verify you have the correct site selected for each scan.
- After the scans complete, run the site comparison to generate the diff. The report will show a table that highlights the differences between the two sites.
Analyze the results in the site comparison report
The site comparison generates a table to show how assets’ addresses, names, services, ports, and protocols differ between sites. Red text, denoted by the minus (-) sign, indicates that attributes were removed going from left to right. Green text, denoted by the plus (+) sign, indicates attributes were added.
Here are some things you should know about the results:
- Address and Other Address - The first address column contains the asset’s addresses for the organization currently selected when the report was requested. The second address column,
Other Address
, contains the asset’s addresses for the organization and site that was compared against the current organization. - Name and Other Name - The first name column contains the asset’s names in the organization currently selected when the report was generated. The second address column,
Other Name
, contains the asset’s names for the organization and site compared against. - TCP and UDP services - These columns show how the total number of TCP and UDP services differ between sites.
- TCP and UDP ports - These columns show the ports that have been added or removed between sites.
You can click on the green info (i) icon to view a more detailed comparison of the asset.
Clicking on one of the asset addresses in the report will bring up the full current asset record, if the asset still exists in the appropriate organization and site.
Search the site comparison report
You can search the report using the runZero search query language. In the following descriptions, the main set refers to the assets in the organization that was current when you generated the report (i.e., the address and name columns). The comparison set refers to the assets in the organization and site that you chose to compare against (i.e., the other address and other name columns).
Keyword | Meaning |
---|---|
address: |
Search for assets in the main set with a specified IP address. Use none to find assets that are missing from the main set. |
net: or cidr: |
Filter assets by their network CIDR range in the main set. |
other_address: |
Search for assets in the comparison set with a specified IP address. Use none to find assets that are missing from the comparison set. |
other_net: or other_cidr: |
Filter assets by their network CIDR range in the comparison set. |
id: |
Search by asset ID in the main set. |
other_id: |
Search by asset ID in the comparison set. |
tcp: |
Search for a TCP port change by number. |
udp: |
Search for a UDP port change by number. |
protocol: |
Search for a TCP or UDP port change by service name. |