Using the inventory

The inventory page is the heart of runZero Network Discovery and the key to understanding what is on your network. The inventory displays all assets within the Organization and can be sorted, filtered, and exported to obtain specific views of the environment.

Understanding assets

An asset within runZero is defined as a unique network entity. Assets may have multiple IP addresses and MAC addresses and these addresses may change as the environment is updated. runZero tracks assets based on several heuristics, including MAC address, IP address, hostnames, and fingerprint results for the operating system and running services.

In most cases, runZero can accurately follow assets over time in environments using DHCP, even across remote subnets. For external networks, scans that are initiated with fully qualified hostnames will consolidate assets based on the hostname, which allows for consistent asset tracking for cloud-based external systems with dynamic IP addresses.

Within an organization, assets are isolated by site, and each site can have address space that overlaps with other sites. Sorting the Inventory view based on the site column can help in these scenarios, as can filtering the Inventory based on a specific site name.

The search field allows the inventory to be filtered based on the specified criteria. Please see the search query syntax documentation for specific details.

In addition to viewing assets, the Inventory page provides data export functionality, along with the ability to select assets, and specify the comments field. The Rescan action can be used to selectively rescan specific systems from the inventory, while the Remove Assets and Purge Assets can be used to permanently remove data from the inventory view.

The Reports button provides quick access to key reports from the runZero reports page.

Loading assets

Data is loaded into the inventory using the Scan and Import buttons. The results are analyzed and merged, updating asset information as necessary.

The Scan button has two options: Standard Scan and Full RFC 1918 Discovery. The latter is an easy way to set up a fast scan of all private range IP addresses. You can then use the coverage reports to check for assets in unexpected private address ranges.

The Import button has two options. Importing runZero scan data allows you to import data. This means you can scan networks that have no connectivity to the internet, and still view the results in the runZero console. It’s also useful for reprocessing old scan data so that you can use the site compare feature to see how assets have changed over time.

Bulk asset update

The bulk asset update feature allows you to modify assets by exporting a CSV using the Export button, making changes to the data in a spreadsheet program or text editor, and then importing the result back into runZero with the Import button. This feature will update existing assets that have a matching id value in the organization.

The fields listed below can be updated through the bulk asset update:

  • Type
  • Operating system
  • OS version
  • Hardware
  • Comments
  • Tags
  • Owner
  • Names
  • Domains

The type, os, os_version, and hardware fields only accept a single value. The comments, tags, owner, names, and domains fields each accept multiple values, and a space-delimited list of field=value pairs is the standard syntax. The tags field can also be specified without tag= as just a space-delimited list of values.

Only modifications to the tags, comments, and owners fields will be retained through subsequent scans, any changes to the other supported fields will be overwritten by the latest scan data.

Connecting to other systems

Professional Community Platform

The Connect button lets you connect runZero to other systems. The integrations you’re able to connect depends on your license level, but may include tools like cloud and viritualization platforms, endpoint protection solutions, identity and access management tools, and vulnerability and risk platforms. These inbound integrations can also be configured as scan probes if required.

Viewing services

The Inventory page has a submenu labeled Services. This changes the table of data from an asset-focused view to a service-focused view. For each asset, you will see one row for each service runZero detected.

Like the main asset view, the services view has a full search interface. You can filter services by protocol, port, and many other criteria, using the runZero search language.

Viewing screenshots

If the runZero Explorer has access to Google Chrome, it will attempt to take screenshots of web pages it finds while scanning your network. (This feature can be disabled in the scan options when setting up the scan.)

You can view the screenshots for all of your assets via the Screenshots submenu, and click through to the asset records for full details.

Viewing software

The inventory page has a submenu labeled Software. This flips the table of data from an asset-focused view to a software-focused view. For each asset, you will see one row for each software detected by runZero or a supported integration.

Like the main asset view, the software view has a full search interface. You can filter software by vendor, product, and many other criteria, using the runZero search language.

Viewing vulnerabilities

The inventory page has a submenu labeled Vulnerabilities. This flips the table of data from an asset-focused view to a vulnerability-focused view. For each asset, you will see one row for each vulnerability detected by a supported integration.

Like the main asset view, the vulnerability view has a full search interface. You can filter vulnerabilities by CVSS score, name, CVE, and many other criteria, using the runZero search language.

Viewing wireless networks

If the machine running the runZero Explorer has a working WiFi adapter and appropriate system tools installed, the Explorer will attempt to scan for nearby wireless networks. The Wireless submenu will show the results of the scan.

The tools required are:

  • Windows: netsh.exe (part of modern Windows releases)
  • macOS: Airport Utility
  • Linux: iwlist, often available via the wireless-tools package.
Updated