runZero 3.1 Sync Active Directory, import assets from Shodan, and launch integrations from Explorers

What's new with runZero 3.1? #

• Sync your Active Directory users, groups, and machines with runZero
• Import assets and external services from Shodan
• Launch integrations from Explorers

Connect and sync Active Directory with runZero #

runZero Professional and Enterprise users can now enrich their inventory with asset data from Microsoft Active Directory and Azure AD. runZero Enterprise users will also be able to view, search, analyze, and export users and groups imported from Active Directory. This integration brings Active Directory context to your existing assets and simplifies the process of identifying unmanaged assets.

Once the sync completes users can query the asset inventory to identify unmanaged assets on the network. Using a query like source:runzero AND NOT (source:azuread OR source:ldap) will return a list of assets that weren’t in the integration results. Enterprise users can also leverage queries to search the attributes of users and groups. For example, to find accounts that have never logged in, you can use the following query: last_logon_at:<1.

To get started, set up a connection to Azure AD or your Active Directory domain controller.

Import public-facing asset data from Shodan Search #

runZero Enterprise users can now sync data about their public-facing assets from Shodan Search. Assets and services pulled in from Shodan can be correlated against public-facing assets in your runZero inventory. All Shodan users can craft custom queries to gather Shodan data about public assets and services, and licensed Shodan users can also add filters for more specific criteria. Licensed Shodan users can also have runZero automatically build a filtered query to search all external IP addresses in your inventory. This correlation supports cyber hygiene and attack surface management efforts across IT and security teams.

The external view of your environment provided by Shodan may not match the current state of your assets. By first importing the public data for your external IP addresses from Shodan then scanning them with runZero, you can determine what has changed. Reviewing the Assets changed section of a completed task will let you see what has changed on your public-facing assets since the last scan.

To start pulling asset and service data from Shodan, set up a connection.

Launch integrations from Explorers #

You can now run third-party integrations from your runZero Explorers as well as the runZero cloud. This feature is useful for IT and security teams that restrict the allowed network traffic connecting to the APIs of their various tools and platforms. This capability also allows integrations to on-premise tools to run as an independent connector in addition to being run as part of network scans.

To run an integration from an Explorer, use the Connect menu to choose the source and then select an available Explorer from the configuration dialog.

Add custom fingerprints to runZero #

runZero users that have a self-hosted platform or standalone scanner now have the ability to add custom asset and service fingerprints. Following the structure and format of the open-source Recog fingerprint database, users can author their own fingerprint XML files and add them to a directory that the runZero platform or scanner can access. This capability can be useful in adding new fingerprint coverage for unique or custom assets and services, such as a device prototype or a proprietary, internal-use application or service. Custom fingerprints can also be configured to override similar runZero fingerprints by using a same-or-higher certainty value.

Release notes #

The runZero 3.1 release includes a rollup of all the 3.0.x updates, which includes all of the following features, improvements, and updates.

New features #

• runZero Enterprise customers can now sync assets from Shodan.
• runZero Enterprise customers can now sync assets from Azure Active Directory.
• runZero Enterprise customers can now sync assets from Microsoft Active Directory via LDAP.
• Connector tasks now can optionally be run from an Explorer on a network.
• The Events datatable has been redesigned and is now more performant.
• The Qualys integration now provides a more descriptive error message when rate-limited by the Qualys API.
• Network File System (NFS) protocol detection on TCP ports has been improved.
• A bug that prevented editing certain probe options when configuring a scan has been resolved.
• Fingerprint updates.

Product improvements #

• Event details have been added to alert templates by default.
• Task statistics for asset counts are now included in CSV exports and can be used in task searches.
• The license-limit-exceeded event has been added to alert when the live asset count exceeds an accounts license.
• Dashboard metrics now account for unscanned assets imported from third-party integrations.
• Internal recurring tasks for metrics calculation no longer show in the recurring task count.
• A notice was added to the MFA page to inform users that they can continue to use the old rumble.run domain until they re-enroll their authenticators for the new runzero.com domain.
• Font rendering in Safari browsers now matches Firefox and Chrome.
• UI improvements were made to the queries table.
• Inventory searches now support runZero as an asset source type.

Performance improvements #

• The Events datatable has been redesigned and is now more performant.
• The Asset Route Pathing Report is now more performant due to improved algorithm cycle detection.
• Web screenshots are now limited to a maximum of 16 concurrent processes.
• Web screenshots will now run concurrently on arm64 macOS systems.
• Improved error handling for the GCP integration.
• Improved parsing of input hostnames.
• Dashboard insights have been limited to a maximum of three rows.
• Processing performance for foreign asset data has been improved.

Fingerprinting changes #

• Improved Network File System (NFS) protocol detection on TCP ports.
• Added OS fingerprinting support for our new Active Directory and Azure AD integrations.
• Added a new ldap.notes attribute for assets with exposed LDAP/ActiveDirectory services, decoding well-known oids into a user-friendly representation to help with asset hunting.
• Improved Endpoint Mapper (EPM) fingerprinting, including new service/configuration coverage and support for Unix domain sockets.
• Improved VMware guest asset fingerprinting coverage.
• Improved GitLab fingerprinting to include version information, when available.
• A bug where a TLS common name (CN) field could contain more than the hostname has been resolved.
• A bug where a Pegasystems version fingerprint could capture additional data has been resolved.
• Additional support added for products by Amcrest, Aruba, ASUS, AudioCodes, Avaya, Bosch, Brother, CAREL, Continia Software, D-Link, Datapath, Dell, Epiphan Video, ESET, eufy, HikVision, Honeywell, HP, IBM, iRobot, KE2, Kirk Telecom, Kong, Lenovo, Lorex, Meross, MSB Technology, Netgear, NVIDIA, Panasonic, Proofpoint, Roku, Saia-Burgess Controls, Samsung, Soundweb London, Spectrum Instrumentation, TP-LINK, TRENDnet, Uniview, Vikylin, VMware, XAC Automation, Yamaha, and Zyxel.

Integration improvements #

• The Qualys integration now provides a more descriptive error message when rate limited by the Qualys API.
• A new optional filter has been added to the CrowdStrike connector.
• The performance of the Qualys connector has been improved.
• The Tenable integration now excludes terminated and deleted assets.
• The timeout for Qualys connection tasks has been increased from 60 seconds to 5 minutes.

Bug fixes #

• A bug that prevented editing certain probe options when configuring a scan has been resolved.
• A bug where a TLS common name (CN) field could contain more than the hostname has been resolved.
• A bug where a Pegasystems version fingerprint could capture additional data has been resolved.
• A bug that could cause the browser to freeze when viewing assets with many attributes has been resolved.
• A bug that could prevent rendering dashboard insights has been resolved.
• A bug that could result in minimal assets being skipped has been resolved.
• A bug that could result in the wrong insight counts on the dashboard has been resolved.
• A bug that could cause attributes and screenshots to be removed from offline assets has been resolved.
• A bug that prevented using certain organization and export tokens has been resolved.
• A bug that caused the token to be missing from password reset emails has been resolved.
• A bug that could cause query timeouts has been resolved.
• A bug that could cause large Qualys imports to timeout has been resolved.
• A bug that prevented Qualys from being fully imported from large sites has been resolved.
• A bug that led to slow exports and job processing has been resolved.
• A bug that affected formatting of _asset.match values has been resolved.
• A bug that caused internal tasks for metrics calculation to generate scan-completed events has been resolved.
• A bug that prevented reports for specific asset attributes has been resolved.
• A bug that could prevent exporting asset attributes has been resolved.
• A bug that could prevent CrowdStrike tasks from processing has been resolved.
• A bug that could prevent the generation of some asset attribute reports has been resolved.
• A bug that could cause offline self-hosted platform updates to fail has been resolved.
• A bug that could prevent exporting selected assets and asset search results has been resolved.
• A bug that could prevent starter accounts from setting up recurring tasks has been resolved.
• A bug affecting organization selection when a default organization is set has been resolved.
• A bug that could cause SSH probes to occasionally deadlock has been resolved.
• A bug that prevented WebAuthn from registering correctly on console.runzero.com has been resolved.
• A bug that could cause the topology in the asset details page to be mangled has been resolved.
• A bug that could affect the default probes selector functionality has been resolved.