Understanding assets
runZero treats assets as unique network entities from the perspective of the system running the Explorer. An asset may have multiple IP addresses, MAC addresses, and hostnames and it may move around the network as these attributes are updated. runZero tries hard to follow assets by correlating new scan data with the existing inventory, using multiple attributes.
An asset is always associated with a single site. If the same system happens to be covered by multiple sites, these will be treated as different assets, and will only be correlated against assets within their respective site. This separation by site allows the same network to be scanned from multiple perspectives and compared in a single view within the organization.
After each scan, all assets within the corresponding site are updated. If a system is identified that doesn’t match an existing asset, a new asset will be created. If an asset is part of the site and it is not found during a scan, it will be marked as offline. If an asset is not correlated, due to substantial changes to the fingerprint (for example, a new network adapter was installed and the firewall was enabled), the previous asset will be marked as offline, and a new asset will be created to track the new configuration. This can lead to some level of duplication within a site, but these duplicates are usually marked as offline, and can be safely ignored or removed from the inventory by hand.
Asset fields
The following asset fields are available.
Primary addresses
runZero will report at least one and often multiple primary IP addresses for a given asset. These addresses can encompass multiple network interfaces but will only be displayed as a primary address if runZero has scanned it. This requires that the address is within the scan scope of one or more runZero scans.
Secondary addresses
runZero may report one or more secondary addresses, based on network response probes. These are IP addresses that were detected on the asset but were not within the scan scope. Secondary address detection is critical when trying to identify systems that bridge networks that should be isolated.
Hostnames
runZero may report one or more hostnames. These names can be obtained from the initial DNS lookup (when hostnames are provided in the scan scope), from DNS PTR lookups during the scan, and by extracting names advertised within network probe responses.
Operating System (OS)
runZero attempts to fingerprint, and failing that, guess at the operating system running on each asset. If limited information is available, this field may be empty.
Type
runZero attempts to determine the general device type through analysis of fingerprints and running services.
Hardware
runZero attempts to determine the physical (or virtual) hardware if enough information is present.
MAC addresses
runZero may be able to enumerate one or more MAC addresses from the asset. MAC addresses are pulled from ARP if available, but also several network services that can return MAC address information across routed segments.
Services
runZero tries to detect approximately 100 TCP services by default, along with several useful UDP services. These services are in addition to ARP and ICMP. The services field contains a list of the most recently recorded services for the asset.
Round Trip Time (RTT)
runZero records the amount of time certain probes take in order to get a rough sense of the latency between the Explorer and the asset.
Detected by
runZero records which probe was used to identify an asset. For assets that are on remote subnets and have firewalls in place, this field indicates what service was used to obtain a response.
Alive status
runZero tracks whether a given asset was found during the most recent scan where its site was in scope. If the asset was not found, it will be marked as offline until a following scan detects it again.
First seen
runZero tracks the initial timestamp when an asset was first identified.
Last seen
runZero tracks the last timestamp when an asset responded to a probe during a scan.
Outlier score
runZero computes an outlier score for all assets in your inventory. The outlier score has a value from 0 to 5 (inclusive). It is a heuristic that aims to indicate how unusual the asset is, compared to all of the others in the inventory.
Outlier scores are computed by examining key properties of the asset and its services, working out which values are unusual (infrequent) across the organization, and then computing how many unusual properties each asset has. The more unusual properties, the higher the asset’s outlier score will be.