runZero
Visualize runZero (previously called Rumble) organizations, users, and assets, map users to employees, discover vulnerable OS assets, and monitor changes through queries and alerts.
Installation
You can configure the runZero integration using either an Account API Key or a single Export Token. The Export Token has more limited, read-only permissions, which limits the data that is collected in JupiterOne.
Configuration in runZero
API Key method
This method is recommended when you want to ingest data from multiple organizations into JupiterOne. It also provides a larger set of ingested entities than using an Export Token alone. You must have a runZero Enterprise License to use this method.
To configure this integration via API key, follow the instructions below:
Account API Key Generation
- Navigate to the runZero Console.
- In the navigation bar, go to Account.
- On the Account page under the Account API keys section, click Generate API Key.
- A new Account API Key will be created. Copy this key as it will be used in JupiterOne.
Export Token Generation
Next, you'll need to generate an export token for each organization whose assets, services, and wireless data you want to include in the JupiterOne graph. The integration will automatically collect these tokens if they are present. Organizations without export tokens will not have assets, services, or wireless data ingested.
- Navigate to the runZero Console.
- In the navigation bar, go to Organizations.
- Click on the organization in which you want to create an Export Token.
- Press the Generate Export Token button.
- Repeat for all organizations whose data you want to ingest.
Export Token method
This method is typically suggested if you intend to populate JupiterOne with data from only a single organization.
If you wish to use an Export Token rather than API credentials, ensure that you have admin access to the runZero organization and follow the steps below to obtain your Export Token for use with JupiterOne.
To generate the Export Token:
- Navigate to the runZero Console.
- In the navigation bar, go to Organizations.
- Click on the organization in which you want to create an Export Token.
- Press the Generate Export Token button.
- Copy your Export Token for use in JupiterOne.
Configuration in JupiterOne
To install the runZero integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select runZero. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
- The Account Name used to identify the runZero account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.
- Description to assist in identifying the integration instance, if desired.
- Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
- Lastly, depending on your authentication preference, input either of the following credentials:
  - To configure the integration with an Account API Key, put the key in the runZero Account API Key field.
  - To configure the integration with an Export Token, provide the token in the Export Token field.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Data Model
Entities
The following entities are created:
Resources | Entity _type | Entity _class |
---|---|---|
Account | rumble_account | Account |
Asset | rumble_asset | Device |
Organization | rumble_organization | Organization |
Site | rumble_site | Site |
User | rumble_user | User |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
---|---|---|
rumble_account | HAS | rumble_organization |
rumble_account | HAS | rumble_site |
rumble_account | HAS | rumble_user |
rumble_organization | HAS | rumble_site |
rumble_site | HAS | rumble_asset |
rumble_user | ASSIGNED | rumble_organization |
Rumble Account
rumble_account inherits from Account
Property | Type | Description | Specifications |
---|---|---|---|
name * | string | ||
displayName * | string |
Rumble Organization
rumble_organization inherits from Organization
Property | Type | Description | Specifications |
---|---|---|---|
clientId * | string | Format: uuid | |
createdAt | number | ||
updatedAt | number | ||
downloadTokenCreatedAt | number | ||
demo * | boolean | Whether the organization is a demo org | |
project * | boolean | ||
parentId * | string | Format: uuid | |
description | string | ||
inactive * | boolean | ||
deactivatedAt | number | ||
serviceCount * | number | ||
serviceCountTCP * | number | ||
serviceCountUDP * | number | ||
serviceCountARP * | number | ||
serviceCountICMP * | number | ||
assetCount * | number | ||
liveAssetCount * | number | ||
recentAssetCount * | number | ||
softwareCount * | number | ||
vulnerabilityCount * | number | ||
exportTokenCreatedAt | number | ||
exportTokenLastUsedAt | number | ||
exportTokenLastUsedBy | string | Examples: 127.0.0.1 | |
exportTokenCounter | number | ||
expirationAssetsStale | number | ||
expirationAssetsOffline | number | ||
expirationScans | number | ||
expirationWarningLastSent | number |
Rumble User
rumble_user inherits from User
Property | Type | Description | Specifications |
---|---|---|---|
displayName * | string | ||
admin * | boolean | Derived by client_admin or org_default_role properties from | |
orgDefaultRole | string | ||
resetTokenExpiration | number | ||
inviteTokenExpiration | number | ||
lastLoginIP | string | ||
lastLoginAt | number | ||
lastLoginUa | string | Examples: curl/1.0 | |
lastActivityAt | number | ||
ssoOnly | boolean | ||
loginFailures | number | ||
actions | number | ||
lastActionAt | number | ||
active * | boolean | default: true |
Rumble Site
rumble_site inherits from Site
Property | Type | Description | Specifications |
---|---|---|---|
createdAt | number | ||
updatedAt | number | ||
clientId | string | ||
organizationId | string | ||
scope | string | ||
excludes | string | Examples: "192.168.0.5" | |
inactive | boolean | ||
deactivatedAt | number | ||
serviceCount | number | ||
serviceCountTCP | number | ||
serviceCountUDP | number | ||
serviceCountARP | number | ||
serviceCountICMP | number | ||
assetCount | number | ||
liveAssetCount | number | ||
recentAssetCount | number | ||
softwareCount | number | ||
vulnerabilityCount | number | ||
assetAddressCount | number | ||
assetAddressExtraCount | number | ||
lastTaskId | string | ||
lastTaskAt | number | ||
lastTaskBy | string | ||
lastTaskDuration | number |
Rumble Asset
rumble_asset inherits from Device
Property | Type | Description | Specifications |
---|---|---|---|
createdAt | number | ||
updatedAt | number | ||
alive | boolean | ||
lastSeen | number | ||
firstSeen | number | ||
detectedBy | string | Examples: icmp | |
type | string | Examples: Server | |
osVendor | string | ||
hardware | string | Examples: Dell PowerEdge 2500 | |
macAddresses | array of strings | Examples: 11:22:33:44:55:66 | |
macAddress | array of strings | Examples: 11:22:33:44:55:66 | |
ipAddress | array of strings | Examples: 192.158.1.38 | |
ipAddresses | array of strings | Examples: 192.158.1.38 | |
scanned | boolean | ||
serviceCount | number | ||
softwareCount | number | ||
vulnerabilityCount | number | ||
lastAgentId | string | ||
lastTaskId | string | ||
newestMacAddress | string | ||
newestMacVendor | string | Examples: Intel Corporate | |
orgName | string | ||
siteName | string | Examples: Primary |
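
As an added example (not part of the runZero or JupiterOne documentation), the following Python walks the relationships listed above over constructed entities. It reports organizations with no export token, live assets with a non-zero vulnerabilityCount per organization, and non-SSO admins assigned to those organizations. The dict and tuple layout, the entity keys, and treating a missing exportTokenCreatedAt as "no export token" are assumptions.

```python
# Constructed sample data. Property names and relationship classes come from the
# tables above; the dict/tuple layout is an assumption, not JupiterOne's format.
ENTITIES = {
    "org-a": {"_type": "rumble_organization", "exportTokenCreatedAt": 1700000000},
    "org-b": {"_type": "rumble_organization"},  # no export token generated
    "site-1": {"_type": "rumble_site"}, "site-2": {"_type": "rumble_site"},
    "asset-1": {"_type": "rumble_asset", "alive": True, "vulnerabilityCount": 3},
    "asset-2": {"_type": "rumble_asset", "alive": False, "vulnerabilityCount": 5},
    "asset-3": {"_type": "rumble_asset", "alive": True, "vulnerabilityCount": 0},
    "user-1": {"_type": "rumble_user", "admin": True, "active": True, "ssoOnly": False},
    "user-2": {"_type": "rumble_user", "admin": True, "active": True, "ssoOnly": True},
    "user-3": {"_type": "rumble_user", "admin": False, "active": True, "ssoOnly": False},
}
EDGES = [  # (source key, relationship _class, target key)
    ("org-a", "HAS", "site-1"), ("org-b", "HAS", "site-2"),
    ("site-1", "HAS", "asset-1"), ("site-1", "HAS", "asset-2"), ("site-1", "HAS", "asset-3"),
    ("user-1", "ASSIGNED", "org-a"), ("user-2", "ASSIGNED", "org-b"), ("user-3", "ASSIGNED", "org-a"),
]

def of_type(entities, _type):
    return [k for k, e in entities.items() if e["_type"] == _type]

def targets(edges, source, rel_class):
    """Keys one hop from `source` over edges of the given relationship class."""
    return [t for s, c, t in edges if s == source and c == rel_class]

def orgs_without_export_token(entities):
    """Organizations with no export token, so no asset data is ingested for them."""
    return sorted(k for k in of_type(entities, "rumble_organization")
                  if entities[k].get("exportTokenCreatedAt") is None)

def vulnerable_live_assets(entities, edges):
    """Map org key -> live assets with vulnerabilityCount > 0 (org HAS site HAS asset)."""
    result = {}
    for org in of_type(entities, "rumble_organization"):
        for site in targets(edges, org, "HAS"):
            for asset in targets(edges, site, "HAS"):
                a = entities[asset]
                if a["_type"] == "rumble_asset" and a.get("alive") and a.get("vulnerabilityCount", 0) > 0:
                    result.setdefault(org, []).append(asset)
    return result

def non_sso_admins_on_exposed_orgs(entities, edges):
    """Active admins not limited to SSO who are ASSIGNED to an org with findings."""
    exposed = vulnerable_live_assets(entities, edges)
    return sorted(u for u in of_type(entities, "rumble_user")
                  if entities[u].get("admin") and entities[u].get("active")
                  and not entities[u].get("ssoOnly")
                  and any(o in exposed for o in targets(edges, u, "ASSIGNED")))
```

An organization that appears in the first result has no assets in the graph, so its absence from the second result means "not measured" rather than "no findings".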