Vulnerability scanning plays a crucial role in any enterprise security program, providing visibility into assets that are unpatched, misconfigured, or vulnerable to known exploits. Customers tell us that they can take action on their vulnerability scan results most effectively when paired with comprehensive asset and network context.

runZero’s vulnerability management integrations let Enterprise users:

• Add asset and network context to their vulnerability data
• Identify gaps in vulnerability scan coverage
• Expedite response to new vulnerabilities

Adding context to your vulnerability data

Just like the other inventory views, the vulnerability inventory supports the use of queries to filter your results. You can craft a query using the supported tags, Boolean operators, and numeric comparison operators. A query like this one will list the critical vulnerability results found on your Cisco hardware: hw:Cisco AND severity:critical. Try this one to identify vulnerabilities with a CVSSv2 score of 6.5 or more on EOL assets: os_eol:6.5.

Some organizations find it helpful to prioritize remediating vulnerabilities on public-facing assets. With runZero you can easily find them by querying your vulnerability results using fields related to IP addresses. Not only can you use filters like cidr: to include or exclude particular address ranges, but you can also use has_public:t to find results on assets with public IP addresses. Just like in the other inventories, these query parameters can be combined to find exactly the results you need.

Closing vulnerability scan gaps

Being able to track down assets impacted by newly disclosed vulnerabilities is great, but how can you be sure you’re scanning everything by addressing gaps in your scan policies? As a starting point, you can evaluate the assets that have been identified by runZero but are not included in your vulnerability results. You can leverage the source column to identify assets that are known by runZero but are not included in your vulnerability scan results. Try out this query in your asset inventory to see which IP addresses you may not be vulnerability scanning (if you changed the minimum severity setting in your integration configuration, this may not be as accurate for you): source:runZero AND NOT source:[VM vendor]. Swap [VM vendor] with the name of your integrated vulnerability management vendor in any query to find the right results:

• Qualys: source:runZero AND NOT source:qualys
• Rapid7: source:runZero AND NOT source:rapid7
• Tenable: source:runZero AND NOT source:tenable

The same logic can be used to find high-value assets or subnets that are not covered by your vulnerability scanning. If you’ve been using sites or tags to organize your assets, you could use the site: or tag: query fields with AND NOT source:[VM vendor] to find matching assets that have not been vulnerability scanned. You can also search for services or protocols that might be a cause for concern, such as protocol:smb AND NOT source:[VM vendor] to find SMB services on assets that haven’t been vulnerability scanned. The query logic also supports filtering by IP address ranges or subnets, meaning you could use cidr:192.168.30.0/24 AND NOT source:[VM vendor] to find unscanned assets in that subnet.

Since many vulnerability management solutions support importing a line-delimited list of IP addresses into a scan policy, you could use the results of these queries as a scan range. Simply export them to a CSV from the runZero Console then copy the address column into a text file. Or, if you’d prefer to use the export API, the following command will pull the results into JSONL format, filter for the address field, and clean up the extra characters. Just switch [VM vendor] in the URL to the right value and you’ll be left with a line-delimited text file of all the addresses that you might not be vulnerability scanning.

curl --location --request GET 'https://console.runzero.com/api/v1.0/export/org/assets.jsonl?search=source%3A%22runzero%22%20AND%20NOT%20source%3A%22[VM vendor]%22&fields=addresses' \
 --header 'Authorization: Bearer ' \
 |  jq -r ".addresses[]?" | sort | uniq > IPsNotVulnScanned.txt

Expediting your response

When the latest vulnerability hits the news, you can use runZero in many cases to quickly check for impacted assets. runZero’s Rapid Response series is a great way for readers to stay on top of breaking security news and track down affected assets. The ability to query across vulnerability and asset details can help you find impacted assets while you’re getting your vulnerability scanner ready for a full analysis. This is just one example of how a comprehensive asset inventory can work in tandem with your vulnerability management tools.

runZero’s rich datasets of devices, manufacturers, and operating systems, coupled with our highly-tuned scanning and processing logic, provides high quality and high confidence asset and service fingerprints. Pulling your vulnerability data into runZero lets you leverage our extensive fingerprinting capabilities to enrich your vulnerability scan results with the asset and network data being gathered by your runZero Explorers, letting you find vulnerabilities impacting specific operating systems, hardware, or services.

With the data already collected by your runZero Explorers, you can quickly identify vulnerable or exploitable assets based on various datapoints, like vendor name and service version. For example, you can use the following query to find BIG-IP assets that might be vulnerable to authentication bypass without having to run a new scan.

_asset.protocol:http AND protocol:http AND (service.vendor:F5 OR html.title:"=BIG-IP%" OR html.copyright:"F5 Networks, Inc" OR http.body:"/tmui/" OR favicon.ico.image.md5:04d9541338e525258daf47cc844d59f3)

When updated vulnerability scan data is available, you can use queries to find results that match a specific CVE or scan plugin ID to better prioritize your remediation efforts. For example, this query can help you find external-facing assets with vulnerable Log4Shell installations: has_public:t AND cve:CVE-2021-44228.

What’s new with runZero 3.0?

• Meet our new brand: runZero!
• Sync assets, software, & vulnerability data from Qualys

Introducing runZero

Rumble is officially runZero! This name change reflects our growth as a product and as a company. Over the past year, Rumble has added so many new capabilities, presenting an opportunity to evolve so that our brand reflects all of our existing and planned features. runZero continues our mission of making asset inventory easy, fast, and accurate, while giving us runway to grow our platform.

Gathering vulnerability data from Qualys

runZero Enterprise users can now enrich their inventory with vulnerability data from Qualys. This allows you to search for Qualys attributes, software entries, and vulnerabilities in runZero, as well as find assets not scanned by Qualys. runZero automatically correlates Qualys assets to runZero assets based on unique fields. Vulnerability data can be viewed in the asset detail view as well as a dedicated inventory tab. Vulnerability attributes include CVSS score, relevant CVEs, vulnerability description, and any recommended remediations.

To get started, set up a connection to Qualys.

Release notes

The runZero 3.0 release includes a rollup of all the 2.15.x updates, which includes all of the following features, improvements, and updates.

New features

• Rumble is now runZero and the product UX has been updated to match.
• runZero Enterprise customers can now sync asset and vulnerability data from Qualys VMDR.
• Users can now specify a Default Organization in the profile settings page.
• A custom query to find DrayTek Vigor routers has been added.
• The Organization API now supports asset merging.

Product improvements

• Outlier calculations and insight queries now automatically run as daily analysis tasks.
• Outlier calculations and insight queries can be regenerated on demand using the Metrics menu on the Tasks overview page.
• Merging assets with foreign attributes from the same source now retains all sets of foreign attributes.
• Software entries imported from SentinelOne and Tenable now report their service addresses.
• The Software and Vulnerabilities datatables now have a “view more details” button.
• The Asset and Service attributes reports can now be filtered by Site.
• API keys are now shown hidden by default and can be copied to the clipboard through a click.
• Vulnerability details are now available on the Vulnerability Inventory screen.
• Improved ability to extract Microsoft Windows information from web services.
• Improved ability to extract information from NetBIOS, including new detection of Domain Controller roles.
• Hosted Zone scan limits have been increased.
• The runZero Explorer now logs configuration file loading and reports any syntax errors.
• Hostname identification from LDAP responses has been improved.
• Filtering of non-unique MAC addresses has been improved.
• Inconsistent SNMP data handling has been improved for certain classes of devices.
• The API now returns all attributes, sources, and subnets for a single asset.
• The runZero Explorer now runs as a delayed auto start process on Windows to increase reliability after reboots.
• The Organization Overview report now includes navigation links to return to the top of the report.
• Click-to-copy functionality has been restored for MAC addresses displayed on inventory pages.
• Asset export query errors now return HTTP 400 status code with descriptive bodies.

Performance improvements

• The Queries datatable has been redesigned and is now more performant.
• The Route Pathing report is now more performant and aborts early in out-of-memory scenarios.
• Processing speed for large Nexpose and Tenable imports has been improved.
• Improved support for processing very large scans.
• Improved performance of the software and vulnerabilities tables.

Fingerprinting changes

• Improved operating system fingerprints for Amazon, Azure, and GCP integrations.
• Improved operating system fingerprints for Red Hat Enterprise Linux / CentOS, Fedora, Rocky, and Ubuntu releases.
• Improved fingerprints for Windows operating system.
• Added the ability to fingerprint McAfee ePolicy Orchestrator (ePO) and Agent.
• Improved NetBIOS, NTLM, and LDAP fingerprinting logic.
• Improved coverage for networking gear, including vendors Cisco, Dell, and Extreme Networks.
• Improved NTP banner fingerprints.
• Printer detection has been improved.
• OS fingerprinting will now use Rapid7 fingerprints, when Rapid7 is the only data source.
• Additional support for products by 2N, Axis, D-Link, DrayTek, FortiNet, Foscam, FrontRow, Hisense, Impinj, Kentec, OleumTech, Schneider Electric, SEL, Synology, and VMware.

Integration improvements

• Improved hostname-based merging for Rapid7 imports.
• Improved support for processing very large Rapid7 imports.
• Software will now be populated from Rapid7 imports.
• Rapid7 foreign attributes have been adjusted for clarity.
• Services will now be populated from Censys.
• The InsightVM integration now supports larger imports.

Bug fixes

• A bug in the AWS Configuration UI causing the “Lambda instances” option to not persist has been resolved.
• A bug that could prevent external users from being directed to their main SSO login page has been resolved.
• A bug which could cause stale software entries to be retained has been fixed.
• A bug in the Insights table which could render very large buttons has been fixed.
• A bug that could lead to a 500 error when accessing the users endpoint of the organization API has been resolved.
• A bug that could cause tooltips to persist on the screen has been resolved.
• A bug that could cause the vulnerabilities table to appear empty when sorted by the details column has been fixed.
• A bug that could cause the HTTP probe to abort early has been resolved.
• The asset tag update and bulk asset tag update APIs now work as documented.
• Fixed a bug which prevented all org admins from deleting other users.
• The User Last Activity date now shows the correct date.
• A bug that could prevent connector tasks from running in parallel while connecting to third-party APIs has been resolved.
• A bug that prevented organization administrators from deleting other users has been resolved.
• A bug affecting inventory multi-select operations has been resolved.
• A bug preventing inventory column selection has been resolved.
• A bug that could indefinitely stall a task has been resolved.
• A bug affecting license warning banners has been fixed.
• A bug affecting macOS Explorer upgrades on M1 systems has been fixed.
• A bug that prevented importing VMware assets has been fixed.
• When a templated task fails due to an Explorer being unavailable, copying the failed task now retains the connection to the template.
• A bug in the Overview report which showed blank addresses for Unscanned assets has been resolved.
• A bug that caused scan copies to get assigned to a different site has been resolved.
• A bug that prevented OS icons from showing on inventory tables has been resolved.
• A bug that prevented copying or updating Nessus connector tasks has been resolved.
• A bug that could lead to an error in the External Asset Report when no assets were present has been resolved.
• A bug that could cause the Export API to return a 500 instead of 400 for invalid queries has been resolved.
• A bug that caused some Explorer updates to fail on Windows has been resolved.

• Dashboard metrics now account for unscanned assets imported from third-party integrations.
• Internal recurring tasks for metrics calculation no longer show in the recurring task count.
• Fingerprint updates.

• A bug that could prevent exporting asset attributes has been resolved.
• Fingerprint updates.

• Processing performance for foreign asset data has been improved.
• A bug that could prevent the generation of some asset attribute reports has been resolved.
• Fingerprint updates, including AIX OS and vCenter, Avaya, and Proofpoint appliances.