runZero 3.4: Vulnerability import from CrowdStrike Spotlight (plus something for everyone)

What’s new with runZero 3.4?

• Vulnerability import from CrowdStrike Spotlight
• Integration performance improvements and enhancements
  • Automatic expiration of ephemeral AWS assets
  • Processing performance improvements
  • Enrichment-only integration support
• OAuth Client Secret authentication
• Simplified site import and export format
• Rapid Response queries for MegaRAC and Cisco
• User interface improvements

Vulnerability inventory from CrowdStrike

runZero Enterprise customers can now import vulnerabilities from CrowdStrike Spotlight. runZero 3.4 automatically imports vulnerabilities when a credential is supplied that has access to the “Spotlight” OAuth scope. CrowdStrike Spotlight vulnerability data can be viewed from the asset detail page as well as in the vulnerability inventory. CrowdStrike vulnerability attributes include the relevant CVE identifier, severity, exploitability status, vulnerability detail, and any recommended actions to remediate the issue. Use the filter source:crowdstrike in the asset or vulnerability inventory to see CrowdStrike-sourced data. Use the following queries to track down common concerns:

• Find vulnerabilities on assets with public IP addresses: source:crowdstrike AND has_public:t
• Find critical vulnerabilities on end-of-life assets: source:crowdstrike AND os_eol:<now AND severity:critical
• Find vulnerabilities that match a specific exploit status:
  • Exploit unproven: exploit_status:=0
  • Exploit available: exploit_status:=30
  • Exploit easily accessible: `exploit_status:=60
  • Exploit actively used: exploit_status:=90

Ready to complement your runZero inventory with vulnerability data from CrowdStrike? To get started, set up a connection to CrowdStrike using a credential with access to Spotlight vulnerabilities.

Integration performance improvements and enhancements

The 3.4 release delivers new features and performance improvements to runZero integrations.

Automatic expiration of ephemeral AWS assets

You can now have your AWS integration automatically remove AWS assets from your inventory that weren’t seen in the latest sync. Many AWS resources are ephemeral, only being in use for a short period of time, and these temporary assets can lead to a slow increase of offline assets over time. If you don’t want to keep those decommissioned AWS assets in your runZero inventory, this feature can be used to automatically delete them. An alternative to this feature is to place your cloud assets in a separate Organization and configure a low stale asset expiration.

Processing performance improvements

The performance of all integration tasks has been improved and processing now completes much faster, with better use of resources, especially for self-hosted customers. This improvement is the most significant for processing data from vulnerability management products.

Enrichment-only integration support

You can now choose to exclude unknown assets from your integration imports. If enabled, runZero won’t import assets from an integration unless they can be merged with an existing asset in your inventory. This places the integration into an enrichment-only mode. This option is helpful when overlaying data from directory providers (Azure AD and Windows AD) as well as MDM and EDR systems that often include off-network assets that may be outside of your runZero scope.

OAuth Client Secret authentication

In addition to being able to access the runZero APIs using bearer tokens, you can now configure the use of OAuth2 client credentials. Simply register an API client and use the client ID and secret to obtain a temporary session token, which can then be using with the existing APIs as a bearer token.

Simplified site import and export format

The process and format for importing sites has been simplified so that you can more quickly add multiple sites based on subnets. The format of the imported CSV has been updated so that each registered subnet can be provided as a separate row, with the results merged automatically during import. Need to add a ton of new subnets to your sites? Export the current CSV, append the new subnets to the end with the same site name, and re-import the list to update your site configuration.

Rapid Response queries for MegaRAC and Cisco

In addition to letting you create queries to fit your needs, runZero includes pre-built queries for recent threats. During the 3.4 release, new queries were added to quickly track down assets running MegaRAC BMC firmware and to locate Cisco 7800/8800 series IP phone assets.

User interface improvements

The 3.4 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the analysis reports, site comparison reports, and SSO groups pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

Release notes

The runZero 3.4 release includes a rollup of all the 3.3.x updates, which includes all of the following features, improvements, and updates.

New features

• The AWS integration now includes an option to automatically remove assets no longer reported by AWS.
• OAuth 2.0 client credentials can now be used to authenticate with runZero APIs.
• The edr.name asset attribute is now updated to show when a runZero scan no longer detects the EDR.
• Tasks can now be stopped during data gathering and processing phases.
• The site import and export CSV format has been simplified.
• The performance of connector task processing has been improved.
• Tables for the Site comparison report, analysis report results, and SSO group mappings have been redesigned for improved performance.
• Added a new canned query for finding Cisco 7800/8800 series IP phone assets.
• Improved fingerprinting coverage of Google Workspace assets.
• Additional fingerprint updates.

Security improvements

• A bug that could show cross-tenant “no access” role users in the Your team > Current organization view was resolved. This issue only applied to the cloud-hosted version of the runZero platform. The affected build was live for slightly more than two hours. Any customers affected by this issue will receive a detailed notice to the email addresses associated with their superuser accounts.

Product improvements

• The consistency in asset terminology has been improved.
• The site import CSV format has been improved.
• The CLI Scanner --api-url parameter handling has been improved.
• The DELETE API method for bulk asset deletion has been deprecated.
• A public API endpoint to check the platform health has been added.
• OS EOL dates are now reported for Windows 11.
• A new canned query for MegaRAC BMC firmware has been added.
• Self-hosted customers can configure concurrent task processing with the RUNZERO_CRUNCHER_INSTANCES option.
• VMware ESXi instances now display OS end-of-life dates based on version.
• The scanner now supports a configurable ToS/Traffic Class field in the advanced configuration.
• Additional operating system and hardware icons are available in the inventory view.
• Explorer and CLI Scanner binaries are now approximately 5MB smaller.
• The All Organizations view now more accurately handles limited user permissions.

Performance improvements

• The performance of the task overview page load time has been improved.
• The import time for third-party data sources was improved.
• The scheduler will now delay recurring tasks if the previously completed task has not yet started processing.
• The backend now processes concurrent tasks for separate sites within the same organization when possible.
• Searching and sorting is faster when using the asset first seen and last seen columns.

Fingerprinting changes

• Improved fingerprinting coverage of Apple HomeKit and HomeKit-connected devices.
• Improved fingerprinting coverage of Google Workspace assets.
• Improved fingerprinting coverage of Microsoft Intune and Azure Active Directory assets.
• Additional support added-or-improved for products by by Advidia, APC, Apple, Ascom, Avaya, Cisco, Citrix, D-Link, Dahua, ecobee, Eve, Fortinet, First Peer, Google, Green Electronics, ICP DAS, ifm electronic, iXsystems, LG, Microsoft, Motorola, Nintendo, OnePlus, OpenWRT, Poly, QNAP, Raspberry Pi, Red Hat, Riverbed, Roku, Sagemcom, Samsung, Shelly, Schneider Electric, SolidCP, Sony, SUSE, SwitchBot, TCL, Technicolor, Twinkly, UPS Manufacturing, Vizio, and VMware.

Integration improvements

• The CrowdStrike integration now imports vulnerabilities when CrowdStrike Spotlight is enabled for the API key.
• An option to disable the creation of new assets from third-party integrations has been added.
• Third-party integrations merge assets more consistently.
• Third-party integrations now merge more accurately when using IP addresses as the match key.
• Microsoft Intune and Azure Active Directory assets are now fingerprinted more accurately.
• New LDAP credentials now auto-populate the discovered port.
• The Microsoft Defender integration now merges assets more comprehensively.
• The AWS EC2 integration now provides an option to include Stopped instances.

Bug fixes

• A bug that could prevent an Explorer from running scans with specific network configurations has been resolved.
• A bug that could cause recurring tasks to backup has been resolved.
• A bug in the Organization asset export API has been resolved.
• A bug that caused the License information page to display an incorrect project asset count was resolved.
• A bug that could delay concurrent task processing has been resolved.
• An issue that could cause the command-line scanner to skip LDAP enumeration has been resolved with the --ldap-thumbprints flag.
• A bug that could prevent tag searches from completing when thousands of tags are in use has been resolved.
• A bug that could result in partial import of GCP CloudSQL assets was resolved.
• A bug that could lead to duplicate vulnerabilities when an import was restarted has been resolved.