Inbound integrations

Enriching runZero results with data from other tools

The runZero platform offers integrations with several sources of asset data, allowing users to enrich their asset inventory and identify assets and subnets that are not effectively managed or protected. By leveraging product APIs and export/import functionality, runZero can pull data from many IT and security tools to extend visibility across your organization’s network.

Supported integrations

Cloud and virtualization

Endpoint protection

Asset and identity management

Vulnerabilities and risk

Custom integrations

Platform

If the solution you want to draw data from isn’t available as a current runZero integration, Platform users can leverage the custom integrations feature to add asset data from custom sources. Adding custom asset sources can be accomplished through the API or by leveraging the runZero Python SDK.

Scan probes or connector tasks

Most integrations can be run either as a scan probe or a connector task.

Scan probes run as part of a scan task. The scan task can be used to scan your environment and sync integrations at the same time. To run an integration as a scan probe:

  1. Configure a scan task from the Scan menu in your inventory or tasks page.
  2. Activate the integration under the Probes tab.
  3. Activate the correct credential under the Credentials tab.
  4. Configure, activate, or deactivate other scan task configuration options as preferred.

Connector tasks run independently of scan tasks, which allows more finely tuned scheduling of integration syncs and asset scans. Connector tasks run from the runZero cloud by default, but can be configured to run from an Explorer in your organization if preferred. To run an integration as a connector task:

  1. Configure a connector task from the Integrations page or the Integrate menu in your inventory or tasks page.
  2. Select an Explorer from the Explorer menu (optional).
  3. Configure, activate, or deactivate other connector task configuration options as preferred.

Importing integration data

Some integrations can be used by importing data from that platform into runZero. For example, .nessus files from Tenable Nessus and .xml files from Rapid7 Nexpose can both be ingested without requiring a connection to their APIs.

Automatic asset merge

How runZero maps integration assets to assets:

  • For hosts that can be matched to an existing runZero asset, asset-level attributes will be updated, and integration-specific attributes will be added.
  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero matches integration data to existing assets using the following attributes, in priority order:

  1. MAC address
  2. IP address (3-day window)
  3. Hostname

Assets from integrations can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.
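
A simplified model of the priority-ordered matching described above, added here as an illustration; it is not runZero's own code. The record fields, the `match_asset` and `summarize` names, and the reading of the 3-day window (an IP match only counts if the existing asset was last seen within three days of the integration record) are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

IP_WINDOW = timedelta(days=3)  # the "3-day window" from the priority list (assumed meaning)


def norm_mac(mac):
    """Normalize a MAC so 00-11-.. and 00:11:.. compare equal."""
    return mac.lower().replace("-", ":")


def match_asset(host, assets):
    """Return (asset, rule) for the first rule that matches, else (None, "new")."""
    host_macs = {norm_mac(m) for m in host["macs"]}
    # 1. MAC address
    for a in assets:
        if host_macs & {norm_mac(m) for m in a["macs"]}:
            return a, "mac"
    # 2. IP address, only if the existing asset was seen recently enough
    for a in assets:
        recent = abs(host["seen"] - a["last_seen"]) <= IP_WINDOW
        if recent and set(host["ips"]) & set(a["ips"]):
            return a, "ip"
    # 3. Hostname (case-insensitive comparison is an assumption)
    names = {n.lower() for n in host["names"]}
    for a in assets:
        if names & {n.lower() for n in a["names"]}:
            return a, "hostname"
    return None, "new"  # unmatched: a new asset would be created in the task's site


def summarize(hosts, assets):
    """List (matched asset id or None, rule) for each integration host."""
    results = (match_asset(h, assets) for h in hosts)
    return [(a["id"] if a else None, rule) for a, rule in results]


# Constructed sample inventory and integration records
NOW = datetime(2024, 1, 10)
ASSETS = [
    {"id": "a1", "macs": ["00:11:22:33:44:55"], "ips": ["10.0.0.5"],
     "names": ["web01"], "last_seen": NOW - timedelta(days=1)},
    {"id": "a2", "macs": [], "ips": ["10.0.0.9"],
     "names": ["db01"], "last_seen": NOW - timedelta(days=10)},
]
HOSTS = [
    {"macs": ["00-11-22-33-44-55"], "ips": ["10.0.0.77"], "names": ["renamed"], "seen": NOW},
    {"macs": [], "ips": ["10.0.0.5"], "names": [], "seen": NOW},
    {"macs": [], "ips": ["10.0.0.9"], "names": ["laptop7"], "seen": NOW},  # stale IP only
    {"macs": [], "ips": ["10.0.0.9"], "names": ["DB01"], "seen": NOW},  # stale IP, same name
]

if __name__ == "__main__":
    for row in summarize(HOSTS, ASSETS):
        print(row)
```

The third record shows why the time window matters: an address that was last seen on a different asset ten days ago does not pull the new host into that asset, so a reassigned DHCP lease produces a new asset instead of a wrong merge.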

Removing an integration data source

When an integration is removed as a data source, the associated attributes are removed from your runZero assets. Since some asset attribute fields are merged, it is possible that attributes populated by both runZero scans and the integration could be deleted. Rescanning the affected assets will resolve this issue.

Source names and IDs

The table below maps the source name to the source ID for querying assets and vulnerabilities.

ID   Name                    Description
1    runzero                 runZero
2    miradore                Miradore
3    aws                     Amazon Web Services
4    crowdstrike             CrowdStrike
5    azure                   Microsoft Azure
6    censys                  Censys
7    vmware                  VMWare
8    gcp                     Google Cloud Platform
9    sentinelone             SentinelOne
10   tenable                 Tenable.io & Nessus
12   rapid7                  Rapid7 Nexpose & InsightVM
14   qualys                  Qualys VMDR
15   shodan                  Shodan
16   azuread                 Azure AD
17   ldap                    Active Directory (LDAP)
18   ms365defender           Microsoft 365 Defender
19   intune                  Microsoft Intune
20   googleworkspace         Google Workspace
21   packet                  runZero traffic sampling
22   tenablesecuritycenter   Tenable Security Center