Alerting on asset and service changes

runZero scans capture a rich dataset of information about all of the assets in your environment and the services running on them. Once gathered, you can run queries on this data to identify points of interest.

A few common use cases include:

Identifying network misconfigurations
Identifying potential vulnerabilities
Finding new open services

Who is this playbook for and why?

Security teams who want to reduce the number of misconfigurations and potential vulnerabilities in their environment, or are interested in identifying new services that could be malicious.
IT teams who want to ensure their teams are following standard procedures when making updates in their environment.

How will runZero help?

runZero is able to safely scan your entire network with benign traffic, so it has complete visibility into assets and services running in your network. This allows you to find misconfigurations, potential vulnerabilities, and new services that you would not see in other tools.

What will I need to do?

In order to alert on asset and/or service updates, you will need to take the following steps:

Identify queries of interest, such as:
Create an alert template.
Configure a notification channel.
Create rules.

Prerequisites

Build a complete asset inventory.

Steps to implement

The following are step-by-step instructions for configuring a notification rule based on a query.

Identify queries of interest

Go to the Inventory page in the runZero console.
Run sample queries to identify ones that meet your needs.
Once you have identified a query of interest, you can add filters until it is ready to be used for alerting on new matches:
- Asset inventory filters
- Service inventory filters

Configure an alert template

Go to Alerts > Templates and select Create Template.
Provide a Name.
Select a Template type.
Choose a Subject line for message.
Format the Body of message.
Click Save Template.

Configure a notification channel

Go to Alerts > Channels and select Create Channel.
Enter a Name.
Select a Channel type.
- If Email, enter the Email address that will receive notifications.
- If Webhook, enter the Webhook URL and any Additional headers that may be required for the notification.
Select Save Channel.

Configure an alert rule

Go to Alerts > Rules and select Create Rule.
Select asset-query-results for asset queries or service-query-results for service queries.
Select Configure Rule.
Provide a Name for the new rule.
Select appropriate Conditions for the rule. By default, Any organization and Any site will be selected. The Query will be the query you used in the earlier steps.
Select the Notification channel that you created.
Select the Notification template that you created.
Ensure that Enabled is checked and click Save Rule.

Sample queries

You can use the following sample queries to help find network misconfigurations, potential vulnerabilities, and new services.

Misconfiguration query examples

SMBv1

protocol:"smb1"

Remote access with common services

protocol:rdp OR protocol:vnc OR protocol:teamviewer OR protocol:spice OR protocol:pca

Remote access exposed on a public IP

(protocol:rdp OR protocol:vnc OR protocol:teamviewer OR protocol:spice OR protocol:pca) AND has_public:t

See more examples

Potential vulnerability query examples

Cisco EOL VPN Routers Vulnerable to Zero-day RCE

hw:RV110W OR hw:RV130 OR hw:RV130W OR hw:RV215W

Kaspersky agent found

edr.name:"Kaspersky"

NDAA 2019 Section 889 Vendors seen

alive:t AND (
(vendor:zte OR vendor:huawei OR vendor:H3C OR vendor:CRRC OR vendor:dahua OR vendor:hikvision OR vendor:hisilicon OR vendor:panda OR vendor:dawning OR vendor:hangzhou OR vendor:hytera OR vendor:inspur OR vendor:"Aero Engine Corporation of China" OR vendor:"Aviation Industry Corporation of China" OR vendor:"China Aerospace" OR vendor:"China Electronics" OR vendor:"China General Nuclear Power" OR vendor:"China Mobile" OR vendor:"China National Nuclear Power" OR vendor:"China North Industries Group" OR vendor:"China Railway" OR vendor:"China Shipbuilding" OR vendor:"China South Industries Group" OR vendor:"China State Shipbuilding" OR vendor:"China Telecommunications" OR vendor:ztec OR vendor:ztek OR vendor:"z-tec" OR vendor:5shanghai OR vendor:"Hella Sonnen" OR vendor:anhui OR vendor:"technology sdn bhd" OR vendor:azteq)
OR
(hw:zte OR hw:huawei OR hw:h3c OR hw:CRRC OR hw:dahua OR hw:hikvision OR hw:hisilicon OR hw:panda OR hw:dawning OR hw:hangzhou OR hw:hytera OR hw:inspur OR hw:"Aero Engine Corporation of China" OR hw:"Aviation Industry Corporation of China" OR hw:"China Aerospace" OR hw:"China Electronics" OR hw:"China General Nuclear Power" OR hw:"China Mobile" OR hw:"China National Nuclear Power" OR hw:"China North Industries Group" OR hw:"China Railway" OR hw:"China Shipbuilding" OR hw:"China South Industries Group" OR hw:"China State Shipbuilding" OR hw:"China Telecommunications" OR hw:ztec OR hw:ztek OR hw:"z-tec" OR hw:5shanghai OR hw:"Hella Sonnen" OR hw:anhui OR hw:"technology sdn bhd" OR hw:azteq)
)

More examples

New services

New telnet services added in the last day

alive:t AND first_seen:<1days AND tcp_port:23

New services on a specific network in the last day

alive:t AND first_seen:<1days AND net:192.168.40.0/24

More examples

Sample alert templates

Alert templates can help you customize and format alerts triggered from rules you have set up. Here are three common alert templates you can use to get started with raw JSON, Slack, and Microsoft Teams payloads.

Asset, service, or wireless query alert to SIEM or SOAR using JSON

One-liner for use in the template:

{"organization":{"name":"{{organization.name}}","id":"{{organization.id}}"},"site":{"name":"{{site.name}}","id":"{{site.id}}"},"rule":{"action":"{{rule.action}}","created_at":"{{rule.created_at}}","created_by":"{{rule.created_by}}","event":"{{rule.event}}","id":"{{rule.id}}","name":"{{rule.name}}","updated_at":"{{rule.updated_at}}"},"search":{"url":"{{search.url}}","found":"{{search.found}}","comparator":"{{search.comparator}}","value":"{{search.value}}"}}

Human readable version for review:

{
  "organization": {
    "name": "{{organization.name}}",
    "id": "{{organization.id}}"
  },
  "site": {
    "name": "{{site.name}}",
    "id": "{{site.id}}"
  },
  "rule": {
    "action": "{{rule.action}}",
    "created_at": "{{rule.created_at}}",
    "created_by": "{{rule.created_by}}",
    "event": "{{rule.event}}",
    "id": "{{rule.id}}",
    "name": "{{rule.name}}",
    "updated_at": "{{rule.updated_at}}"
  },
  "search": {
    "url": "{{search.url}}",
    "found": "{{search.found}}",
    "comparator": "{{search.comparator}}",
    "value": "{{search.value}}"
  }
}

Asset, service, or wireless query alert to Slack

One-liner for use in the template:

{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":":red_circle: *runZero Alert* - {{rule.name}}"}},{"type":"divider"},{"type":"section","text":{"type":"mrkdwn","text":"*Rule information*\n\n_Name_: {{rule.name}}\n_Type_: {{rule.event}}\n_Link_: https://console.runzero.com/alerts/rule/{{rule.id}}"}},{"type":"section","text":{"type":"mrkdwn","text":"*Match information*\n\n_Organization_: {{organization.name}}\n_Site_: {{site.name}}\n_Match count_: {{search.found}}\n_Search_: {{search.value}}\n_Link_: https://console.runzero.com/alerts/rule/{{search.url}}"}}]}

Human readable version for review:

{
  "blocks": [
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": ":red_circle: *runZero Alert* - {{rule.name}}"
      }
    },
    {
      "type": "divider"
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*Rule information*\n\n_Name_: {{rule.name}}\n_Type_: {{rule.event}}\n_Link_: https://console.runzero.com/alerts/rule/{{rule.id}}"
      }
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*Match information*\n\n_Organization_: {{organization.name}}\n_Site_: {{site.name}}\n_Match count_: {{search.found}}\n_Search_: {{search.value}}\n_Link_: https://console.runzero.com/alerts/rule/{{search.url}}"
      }
    }
  ]
}

Asset, service, or wireless query alert to Microsoft Teams

One-liner for use in the template:

{"$schema":"http://adaptivecards.io/schemas/adaptive-card.json","type":"AdaptiveCard","version":"1.5","body":[{"type":"TextBlock","text":"runZero Alert - {{rule.name}}"},{"type":"TextBlock","text":"**Rule information**\n\n_Name_: {{rule.name}}\n\n_Type_: {{rule.event}}\n\n_Link_: [Rule](https://console.runzero.com/alerts/rule/{{rule.id}})","wrap":true},{"type":"TextBlock","text":"**Match information**\n\n_Organization_: {{organization.name}}\n\n_Site_: {{site.name}}\n\n_Match count_: {{search.found}}\n\n_Search_: {{search.value}}\n\n_Link_: [Search](https://console.runzero.com/alerts/rule/{{search.url}})","wrap":true,"spacing":"Medium"}]}

Human readable version for review:

{
  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
  "type": "AdaptiveCard",
  "version": "1.5",
  "body": [
    {
      "type": "TextBlock",
      "text": "runZero Alert - {{rule.name}}"
    },
    {
      "type": "TextBlock",
      "text": "**Rule information**\n\n_Name_: {{rule.name}}\n\n_Type_: {{rule.event}}\n\n_Link_: [Rule](https://console.runzero.com/alerts/rule/{{rule.id}})",
      "wrap": true
    },
    {
      "type": "TextBlock",
      "text": "**Match information**\n\n_Organization_: {{organization.name}}\n\n_Site_: {{site.name}}\n\n_Match count_: {{search.found}}\n\n_Search_: {{search.value}}\n\n_Link_: [Search](https://console.runzero.com/alerts/rule/{{search.url}})",
      "wrap": true,
      "spacing": "Medium"
    }
  ]
}

Outcome demo

This video is a short demo of what the outcome of alerting on runZero query results may look like.

Getting help

If you need assistance in building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.

Updated May 31, 2023

Previous: Achieving RFC 1918 coverage Next: Alerting on runZero system events