Tracking asset ownership with tags

(updated ), by Pearce Barry

Asset discovery is our bread-and-butter at runZero, allowing us to surface network-connected systems and devices to our users. Once you have an asset inventory, you can track asset ownership with runZero, which allows you to identify assets that have been orphaned and are no longer actively maintained or owned. Surfacing unowned assets allows those assets to be properly decommissioned or reclaimed, ultimately reducing the potential security risks posed by leaving them on the network.

Ownership tracking can also highlight unexpected or unauthorized assets connected to the network, providing a path for investigation and maintaining good cybersecurity hygiene. Let’s walk through a process for tracking asset ownership with tags using runZero Professional and Enterprise features.

Start with the known assets

The first thing you’ll need is an inventory of expected and known assets. If you don’t have a runZero scan of your assets yet, you can follow our Getting Started guide, which covers everything from account creation on up. If you have a large inventory of assets, it might be easier to narrow your scope to a smaller set of assets (like one organization or one site).

In runZero, tagging allows you to label and group assets based on a shared set of characteristics. There are two ways to tag: manually or automatically via rules. To keep things simple, we’ll manually tag our assets in this article.

Starting from your asset inventory, select the assets you expect to see on your network AND know have an owner. To bulk select assets, you can use the checkbox located above the column heading.

If you only want to look at a particular site of assets, you can search by site in the query field:

[Screenshot: Asset inventory]

Once you have selected your known and owned assets, click the Tags button. In the modal window that opens, you can apply these two tags to those assets:

  • owner_name - Identifies the owner of the asset. The owner can be an individual, a group, an organization, an ID number, really whatever is most convenient for your situation.
  • owner_last_verified - Identifies when the asset was last verified to still be owned by owner_name. This value can be a year, year and month, or other; whatever works best for your situation.

[Screenshot: Create tags]

Tags can be applied individually and do not need to be applied at the same time. After you have tagged all known and owned assets with owner_name and owner_last_verified values, you can set up rules and notifications.

Rules and notifications for unowned assets

Within the runZero console, you can use rules to trigger alerts for the events you’re interested in knowing about, such as the discovery of an asset on the network that does not have a current owner.

Rules can be set up to execute for a number of runZero event types. In this example, the rule will execute following a scan, since that is when there will be new asset data available to check for these conditions.

Set up a rule for unowned assets

The first thing you’ll need to do is create a rule for unexpected assets. In the runZero console, navigate to Alerts > Rules and click the Create Rule button.

Under the “Inventory queries (post-scan)” section, select the asset-query-results event type and click the Configure Rule button to continue.

Next, enter the following rule information:

  • Name: Unowned asset
  • Query: NOT (tag:owner_name AND tag:owner_last_verified=2021)
  • Number of matches: Is greater than
  • Value: 0

[Screenshot: Asset query results]

These settings give the rule a descriptive name (“Unowned asset”), matching whenever ANY scanned assets do not have an owner_name tag and a “current” owner_last_verified tag. You can also limit the rule to a specific organization and/or site, like in the screenshot above, or leave it to match against any organization or site assets.

Set up notifications for unowned assets

Finally, scroll down and ensure that the action for this rule is set to “Notify”. You can also select specific notification channels or templates here. The default is a good starting point, but alerts via email and webhook notification channels can be handy, too.

[Screenshot: Create rule]

Turn on the rule

Verify everything looks correct, and make sure the Enabled checkbox is selected. Save the rule if everything looks good. The new rule will be listed under the Rules tab:

[Screenshot: Create rule]

With this rule in place, you’ll receive alerts for unowned assets–including unknown and orphaned assets–when scans complete.

Investigate (and iterate) as needed

The number of alerts you have will display in the navigation menu.

[Screenshot: Alert notification]

When you go to the Alerts page, you will see all of the current alerts:

[Screenshot: View all alerts]

Acknowledge the alerts to dismiss them. Alerts can also be set up to work with different formats of data and different alert mechanisms.

Set up recurring scans to ensure regular coverage

To ensure regular coverage for catching unknown and orphaned assets, you can use recurring scans or continuous scanning.

Assets that are tagged with owner_name=<name> and owner_last_verified=<date> but do not maintain a constant presence on the network will be handled correctly as they come and go, as long as they don’t age out due to the stale or offline asset settings of the organization.

Update rules periodically

Asset ownership is also an ongoing process. To keep the “Unowned asset” rule relevant, its query needs periodic updating so that it matches the current owner_last_verified value. For our example, at the end of 2021, the rule’s Query field should be updated to reflect the new year (e.g. NOT (tag:owner_last_verified=2022 and tag:owner_name)) so that it checks current ownership. That change in turn drives updating the owner_last_verified= tag on assets once their owner has been verified (and perhaps the owner_name= tag, as well, if it has changed). You may discover some orphaned assets in this process.
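
The rule logic and its yearly rollover can be checked offline before you change the query in the console. The following is an added example, not runZero code: it mirrors the article's query over a constructed inventory and reports why each asset would match. The record layout (address, tags) and the exact-match comparison on owner_last_verified are assumptions.

```python
# Constructed sample inventory; the "address"/"tags" field names are
# assumptions for illustration, not a documented runZero export schema.
SAMPLE_ASSETS = [
    {"address": "10.0.0.5", "tags": {"owner_name": "netops", "owner_last_verified": "2021"}},
    {"address": "10.0.0.9", "tags": {"owner_name": "facilities", "owner_last_verified": "2020"}},
    {"address": "10.0.0.23", "tags": {}},
    {"address": "10.0.0.40", "tags": {"owner_last_verified": "2021"}},
    {"address": "10.0.0.41", "tags": {"owner_name": "lab"}},
]


def ownership_query(period):
    """Rule query from the article, parameterised on the verification period."""
    return f"NOT (tag:owner_name AND tag:owner_last_verified={period})"


def unowned_reason(tags, period):
    """Return why an asset matches the rule, or None if it is currently owned."""
    if "owner_name" not in tags:
        return "no owner_name tag"
    verified = tags.get("owner_last_verified")
    if verified is None:
        return "owner never verified"
    # Assumption: the tag value must equal the period exactly.
    if str(verified) != str(period):
        return f"verification stale ({verified})"
    return None


def unowned_assets(assets, period):
    """List (address, reason) for every asset the rule would match."""
    hits = []
    for asset in assets:
        reason = unowned_reason(asset.get("tags") or {}, period)
        if reason:
            hits.append((asset["address"], reason))
    return hits


if __name__ == "__main__":
    # Compare the current rule with the rolled-over one for the new year.
    for period in ("2021", "2022"):
        print(ownership_query(period))
        for address, reason in unowned_assets(SAMPLE_ASSETS, period):
            print(f"  {address}: {reason}")
```

Running it for the next period before the rollover shows how many assets will need their owner re-verified once the query changes.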

Find unknown and orphaned assets with runZero

The features covered in this post are available in runZero Professional and Enterprise editions. Sign up for a free trial to see what you can do with runZero.

Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
