As the scope of corporate networks has been constantly expanding over time, the challenge of maintaining an accurate asset inventory and effectively identifying unmanaged assets has only grown. In addition to on-premise environments, IT and security teams also have to keep track of cloud environments, device management solutions, and endpoint protection platforms to ensure they know what's on their network. On top of all those solutions, organizations need to find a way to identify unmanaged devices on their network, which can only be done through network discovery scanning. runZero helps to address these challenges by letting you get visibility into all the asset data your Microsoft solutions are collecting in one place and performing network asset discovery scanning to identify unmanaged assets. The integrations have support for the following Microsoft solutions:

These integrations across the Microsoft ecosystem help users close the gaps and clarify coverage between their infrastructure, operations, and security platform dashboards while also empowering users to track down unmanaged assets.

Seeing your Azure assets through a security lens

As organizations of all sizes and sectors migrate to the cloud, Microsoft Azure remains one of the most popular IaaS platforms available with around 21% of the global cloud infrastructure services market. As cloud computing has grown in popularity, it has come with some unique challenges for IT and security teams trying to maintain their asset inventories. While users can see the Azure resources in their tenant right in the Azure portal, many organizations have faced challenges with shadow IT deploying assets into IP ranges or subnets intended for only cloud infrastructure. To help users get visibility into their complete asset inventory, runZero added an integration with Microsoft Azure in release 2.6. This integration empowers users to sync details about their Azure resources with their runZero asset inventory, while also discovering assets connected to the network that aren't part of the integrated tenant. Instead of referencing multiple sources in an attempt to understand the scope of your inventory, runZero can maintain your entire asset inventory in one place regardless of whether your assets are on premise or in the cloud.

Microsoft Azure integration

After setting up the Azure integration, you can query your inventory to quickly find Azure or non-Azure assets that match the criteria you’re interested in. List all your Azure assets by searching source:azure, and combine that with other search parameters to find matching assets. To address the shadow IT challenge, try the query source:runzero AND NOT source:azure after scanning your known virtual IP ranges or subnets to find assets in that space that shouldn’t be there. The query source:azure AND has_public:t will list all of your Azure resources that have public IP addresses attached, giving you a quick way to identify your public-facing assets in the cloud.

Public-facing Azure assets

Integrating with Azure and scanning your Azure resources with runZero makes your data even more comprehensive, adding detailed information about the asset and its network footprint. In addition to the Azure attributes about your assets, you'll also get the benefits of runZero’s exceptional asset and service fingerprinting to provide insight into areas like listening ports and protocols, and installed services and software. This lets you search your inventory for Azure resources that match particular network or service configurations. Combined with the ability to create projects and scan your external IP ranges, you can track down sensitive services on your public-facing Azure assets. To do this:

  1. In a dedicated organization or project, configure the Azure connector or scan your Azure address space.
  2. Create a new site to use for this test.
  3. Run an external scan for all of the public IP addresses:
    1. In the scan config, select the site you made for this test
    2. If you're an Enterprise user, you could opt to use a Hosted zone rather than an onsite Explorer
    3. Set the discovery scope to public:all
  4. After the scan finishes, use site:[test-site] AND (protocol:rdp OR protocol:ssh) in your inventory to find Azure assets that have RDP or SSH listening on a public IP address.

Discovering devices unmanaged by Active Directory or Intune

Endpoint management plays an important role in enterprise IT and security initiatives, providing a way to manage and monitor devices and the software running on them. While Active Directory and Microsoft Intune are very different solutions, they both provide a way for organizations to manage assets effectively and enforce configuration and security policies. One of the most common challenges organizations face when implementing and maintaining either platform is identifying unmanaged assets that need to be onboarded. runZero released an integration with Active Directory in v3.1, and another with Microsoft Intune in v3.2 to improve your ability to discover and identify unmanaged devices. Both integrations pull details about your managed devices in order to enrich your runZero asset inventory. After merging the asset data you can quickly figure out which devices on your network are not being managed through Active Directory or Intune.

Microsoft AD and Intune integrations

The query source:runzero AND NOT source:ldap will return a list of devices that your Explorer discovered on your network that are not joined to your domain. This can be combined with address filters to find devices in a particular subnet that aren't domain-joined, for example source:runzero AND NOT source:ldap AND address:192.168.10.0/24 to search for results in the specified address range.

Unmanaged internal assets

Similarly, the query source:runzero AND NOT (source:azuread OR source:intune) will list the assets that aren't being managed by Azure AD or Intune. Combine this with filters about when unmanaged assets were last seen to discover transient assets that have been offline for a specific period of time by using a query like source:runzero AND NOT (source:azuread OR source:intune) AND offline:t AND last_seen:>7days.

Unmanaged internal assets

Finding gaps in your Defender coverage

Endpoint detection and response (EDR) platforms have surged in popularity in recent years, and are now commonly used on all sorts of assets for security monitoring and automatic response. While EDR solutions are an important part of many security stacks, reviewing what has been onboarded can’t tell you about all the assets on your network that are unprotected or unmanaged, or all the assets disconnected from your network that haven't been scanned. In release 3.2, runZero added an integration with Microsoft 365 Defender to provide insight into your EDR coverage across your asset inventory. This integration syncs with your Microsoft 365 Defender solution, enriching your asset details to give you better visibility and context. With this integration, runZero Enterprise users can view, search, analyze, export, and alert on attributes from your assets onboarded to Defender.

Microsoft 365 Defender integration

After setting up your connection, you can quickly identify unmanaged assets with a simple query. Filtering on source:runzero AND NOT source:ms365defender will return a list of assets that were found by your Explorers, but are not onboarded to Defender. This query can help you identify assets that aren’t being protected by Defender. To receive notifications whenever a scan task completes and a new asset missing Defender has been detected, use this query in an alert rule and add AND first_seen:<1hour AND last_seen:<1hour.

Assets missing Defender

The opposite of this query can be used to make sure off-network assets are included in your asset inventory: source:ms365defender AND NOT source:runzero. This will give you a list of targets that may be missing from your scans so that you can make sure you’re gathering all the available network and asset data.

Unscanned Defender assets
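The coverage queries above all reduce to set differences over each asset's list of sources. The following is an added example, not runZero code: it applies the same logic to a small constructed inventory so the gaps can be read side by side. The source names come from the queries in this post; the record fields (name, sources, alive, last_seen) and the sample assets are assumptions made for illustration, not runZero's export schema.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed so the run is repeatable

def asset(name, sources, alive, age):
    # Hypothetical record layout; a real export would be mapped into this shape.
    return {"name": name, "sources": set(sources), "alive": alive,
            "last_seen": NOW - age}

# Constructed sample inventory.
ASSETS = [
    asset("ws-01", ["runzero", "ldap", "intune", "ms365defender"], True, timedelta(hours=2)),
    asset("printer-3f", ["runzero"], True, timedelta(hours=1)),
    asset("lab-nuc", ["runzero", "ldap"], False, timedelta(days=12)),
    asset("laptop-remote", ["ms365defender", "intune", "azuread"], False, timedelta(days=1)),
]

def scanned(a):
    return "runzero" in a["sources"]

def in_any(a, *srcs):
    return bool(a["sources"] & set(srcs))

def stale(a, days=7):
    # offline:t AND last_seen:>7days
    return not a["alive"] and NOW - a["last_seen"] > timedelta(days=days)

# One predicate per query from the post.
GAPS = {
    # source:runzero AND NOT source:ldap
    "not_domain_joined": lambda a: scanned(a) and not in_any(a, "ldap"),
    # source:runzero AND NOT (source:azuread OR source:intune)
    "not_mdm_managed": lambda a: scanned(a) and not in_any(a, "azuread", "intune"),
    # ... AND offline:t AND last_seen:>7days
    "stale_unmanaged": lambda a: scanned(a) and not in_any(a, "azuread", "intune") and stale(a),
    # source:runzero AND NOT source:ms365defender
    "missing_defender": lambda a: scanned(a) and not in_any(a, "ms365defender"),
    # source:ms365defender AND NOT source:runzero
    "unscanned_defender": lambda a: in_any(a, "ms365defender") and not scanned(a),
}

def coverage_gaps(assets):
    """Return {gap name: [asset names]} for every gap predicate."""
    return {gap: [a["name"] for a in assets if pred(a)] for gap, pred in GAPS.items()}

if __name__ == "__main__":
    for gap, names in coverage_gaps(ASSETS).items():
        print(f"{gap:20} {', '.join(names) or '-'}")
```

An asset such as lab-nuc shows why the queries are worth running together: it is domain-joined, so the Active Directory check passes, yet it is missing from Intune and Defender and has been offline for more than a week.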

One place for 365-degree visibility

With runZero you can leverage any or all of these integrations to get the most accurate and comprehensive information about the assets on your network. With visibility across the Microsoft ecosystem, runZero ensures that you can easily find assets that are part of any single solution.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.


© Copyright 2024 runZero, Inc. All Rights Reserved