Alerting on asset and service changes

runZero scans capture a rich dataset of information about all of the assets in your environment and the services running on them. Once gathered, you can run queries on this data to identify points of interest.

A few common use cases include:

  • Identifying network misconfigurations
  • Identifying potential vulnerabilities
  • Finding new open services

Who is this playbook for and why?

  • Security teams who want to reduce the number of misconfigurations and potential vulnerabilities in their environment, or are interested in identifying new services that could be malicious.
  • IT teams who want to ensure their teams are following standard procedures when making updates in their environment.

How will runZero help?

runZero is able to safely scan your entire network with benign traffic, so it has complete visibility into assets and services running in your network. This allows you to find misconfigurations, potential vulnerabilities, and new services that you would not see in other tools.

What will I need to do?

In order to alert on asset and/or service updates, you will need to take the following steps:

  1. Identify queries of interest, such as:
  2. Create an alert template.
  3. Configure a notification channel.
  4. Create rules.

Prerequisites

Steps to implement

The following are step-by-step instructions for configuring a notification rule based on a query.

Identify queries of interest

  1. Go to the Inventory page in the runZero console.
  2. Run sample queries to identify ones that meet your needs.
  3. Once you have identified a query of interest, you can add filters until it is ready to be used for alerting on new matches:

Configure an alert template

  1. Go to Alerts > Templates and select Create Template.
  2. Provide a Name.
  3. Select a Template type.
  4. Choose a Subject line for message.
  5. Format the Body of message.
  6. Click Save Template.

Configure a notification channel

  1. Go to Alerts > Channels and select Create Channel.
  2. Enter a Name.
  3. Select a Channel type.
    • If Email, enter the Email address that will receive notifications.
    • If Webhook, enter the Webhook URL and any Additional headers that may be required for the notification.
  4. Select Save Channel.

Configure an alert rule

  1. Go to Alerts > Rules and select Create Rule.
  2. Select asset-query-results for asset queries or service-query-results for service queries.
  3. Select Configure Rule.
  4. Provide a Name for the new rule.
  5. Select appropriate Conditions for the rule. By default, Any organization and Any site will be selected. The Query will be the query you used in the earlier steps.
  6. Select the Notification channel that you created.
  7. Select the Notification template that you created.
  8. Ensure that Enabled is checked and click Save Rule.

Sample queries

You can use the following sample queries to help find network misconfigurations, potential vulnerabilities, and new services.

Unnecessary public facing services

Identify non-standard public facing services

service_haspublic:t and service_hasip6:f
and not protocol:icmp
and not (port:22 and protocol:ssh)
and not (port:80 and protocol:http)
and not (port:179)
and not (port:443 and (protocol:http or protocol:tls))
and not (port:500 and protocol:ike)
and not (port:5061 and protocol:tls)

Identify insecure public facing services

has_public:t and (protocol:telnet or protocol:ftp or protocol:tftp)

Identify insecure public facing web services

has_public:t and protocol:http and not protocol:tls

Identify non-standard public facing web services

service_haspublic:t and protocol:http and not port:80 and not port:443

High outlier score with public facing IP

outlier:>2 has_public_v4:t

High risk score with public facing IP

risk_rank:>2 has_public_v4:t

See more examples

Insecure services

Database or secrets manager that does not require authentication

(_asset.protocol:redis AND protocol:redis AND has:redis.redisVersion)
OR (_asset.protocol:etcd2 protocol:etcd2 etcd2.access:allowed)
OR (_asset.protocol:zookeeper AND protocol:zookeeper AND zk.access:allowed)
OR (_asset.protocol:mongodb AND protocol:mongodb AND mongodb.auth:open)
OR (_asset.protocol:consul protocol:consul has:consul.config.datacenter)

Vulnerable Application: PrinterLogic web service

_asset.protocol:http protocol:http (html.title:="Printer%Logic" OR favicon.ico.image.md5:=ab2fc8886bfbf3e986f8015539d29736 OR favicon.ico.image.md5:=95825f2984a2f708205212d05444938e)

Unpatched Application: Android debug bridge

_asset.protocol:adb AND protocol:adb AND has:adb.features
_asset.protocol:hiddiscoveryd protocol:hiddiscoveryd has:hiddiscoveryd.unpatchedVertXploit

Vulnerable Hardware: Accellion legacy file transfer appliances

products:apache AND (
 favicon.ico.image.md5:=9423d9e9ce004c29dd5bc622f0112123 OR
 http.head.setCookie:sfcurl=deleted OR
 http.head.location:/wmLogin OR
 last.http.head.location:/wmLogin
 )

More examples

Sample alert templates

Alert templates can help you customize and format alerts triggered from rules you have set up. Here are three common alert templates you can use to get started with raw JSON, Slack, and Microsoft Teams payloads.

Asset, service, or wireless query alert to SIEM or SOAR using JSON

One-liner for use in the template:

{"organization":{"name":"{{organization.name}}","id":"{{organization.id}}"},"site":{"name":"{{site.name}}","id":"{{site.id}}"},"rule":{"action":"{{rule.action}}","created_at":"{{rule.created_at}}","created_by":"{{rule.created_by}}","event":"{{rule.event}}","id":"{{rule.id}}","name":"{{rule.name}}","updated_at":"{{rule.updated_at}}"},"search":{"url":"{{search.url}}","found":"{{search.found}}","comparator":"{{search.comparator}}","value":"{{search.value}}"}}

Human readable version for review:

{
  "organization": {
    "name": "{{organization.name}}",
    "id": "{{organization.id}}"
  },
  "site": {
    "name": "{{site.name}}",
    "id": "{{site.id}}"
  },
  "rule": {
    "action": "{{rule.action}}",
    "created_at": "{{rule.created_at}}",
    "created_by": "{{rule.created_by}}",
    "event": "{{rule.event}}",
    "id": "{{rule.id}}",
    "name": "{{rule.name}}",
    "updated_at": "{{rule.updated_at}}"
  },
  "search": {
    "url": "{{search.url}}",
    "found": "{{search.found}}",
    "comparator": "{{search.comparator}}",
    "value": "{{search.value}}"
  }
}

Asset, service, or wireless query alert to Slack

One-liner for use in the template:

{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":":red_circle: *runZero Alert* - {{rule.name}}"}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"*Rule information*\n\n_Name_: {{rule.name}}\n_Type_: {{rule.event}}\n_Link_: https://console.runzero.com/alerts/rule/{{rule.id}}"}},{"type":"section","text":{"type":"mrkdwn","text":"*Match information*\n\n_Organization_: {{organization.name}}\n_Site_: {{site.name}}\n_Match count_: {{search.found}}\n_Search_: {{search.value}}\n_Link_: https://console.runzero.com/alerts/rule/{{search.url}}"}}]}

Human readable version for review:

{
  "blocks": [
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": ":red_circle: *runZero Alert* - {{rule.name}}"
      }
    },
    {
      "type": "divider"
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*Rule information*\n\n_Name_: {{rule.name}}\n_Type_: {{rule.event}}\n_Link_: https://console.runzero.com/alerts/rule/{{rule.id}}"
      }
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*Match information*\n\n_Organization_: {{organization.name}}\n_Site_: {{site.name}}\n_Match count_: {{search.found}}\n_Search_: {{search.value}}\n_Link_: https://console.runzero.com/alerts/rule/{{search.url}}"
      }
    }
  ]
}

Asset, service, or wireless query alert to Microsoft Teams

One-liner for use in the template:

{"$schema":"http://adaptivecards.io/schemas/adaptive-card.json","type":"AdaptiveCard","version":"1.5","body":[{"type":"TextBlock","text":"runZero Alert - {{rule.name}}"},{"type":"TextBlock","text":"**Rule information**\n\n_Name_: {{rule.name}}\n\n_Type_: {{rule.event}}\n\n_Link_: [Rule](https://console.runzero.com/alerts/rule/{{rule.id}})","wrap":true},{"type":"TextBlock","text":"**Match information**\n\n_Organization_: {{organization.name}}\n\n_Site_: {{site.name}}\n\n_Match count_: {{search.found}}\n\n_Search_: {{search.value}}\n\n_Link_: [Search](https://console.runzero.com/alerts/rule/{{search.url}})","wrap":true,"spacing":"Medium"}]}

Human readable version for review:

{
  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
  "type": "AdaptiveCard",
  "version": "1.5",
  "body": [
    {
      "type": "TextBlock",
      "text": "runZero Alert - {{rule.name}}"
    },
    {
      "type": "TextBlock",
      "text": "**Rule information**\n\n_Name_: {{rule.name}}\n\n_Type_: {{rule.event}}\n\n_Link_: [Rule](https://console.runzero.com/alerts/rule/{{rule.id}})",
      "wrap": true
    },
    {
      "type": "TextBlock",
      "text": "**Match information**\n\n_Organization_: {{organization.name}}\n\n_Site_: {{site.name}}\n\n_Match count_: {{search.found}}\n\n_Search_: {{search.value}}\n\n_Link_: [Search](https://console.runzero.com/alerts/rule/{{search.url}})",
      "wrap": true,
      "spacing": "Medium"
    }
  ]
}

Outcome demo

This video is a short demo of what the outcome of alerting on runZero query results may look like.

Getting help

If you need assistance in building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.

Updated