Reviewing results

Dashboard & Inventory Views

Once scans complete, the dashboard is populated with results. The dashboard provides trend data and insights that help you assess how your inventory is changing over time. Below the Asset and Services trends, other tables show trends by category, such as Asset Types, OS, Hardware, Port, Protocol, and Products. Clicking “View more” at the bottom of each of these tables shows a more detailed inventory by category.

Next, review the full list of assets identified and learn how to Use the Inventory.

Insights from queries

Queries and reports can help you gain valuable insights, but you may wonder where to get started. We recommend trying the pre-built queries in the Query Library first. Some of these queries are a result of Rumble’s Rapid Response to emerging threats and are described on our blog.

Rumble’s query language allows you to search and filter your asset inventory based on asset fields and value pairs. See the Overview and Syntax references. Once you are familiar with the query language, you can write your own queries that are automatically run when scans complete and tracked on the dashboard.

Sample Queries

Asset Inventory

  • Equipment that is likely 8+ years old: alive:t mac_age:>8years
  • Assets with end-of-life OS: os_eol:<now
  • Virtual machines: has:virtual
  • Devices acting as a router: router:true
  • Devices that may be bridging: has_public:t and has_private:t

Service Inventory

  • Protocol on a non-standard port example: protocol:ssh not port:22
  • Publicly addressed assets running RDP or VNC: has_public:t and (protocol:rdp or protocol:vnc)
  • Authenticated web services that are not encrypted: (_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )
  • Older TLS versions in use: alive:t AND protocol:"=tls" AND ( tls.versionName:"=TLS 1.0" OR tls.versionName:"=TLS 1.1")
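
To make the logic behind three of the sample queries concrete (possible bridging, SSH on a non-standard port, and publicly addressed RDP or VNC), the added example below applies the same conditions to an exported asset list offline. It is not Rumble's code: the record layout, function names, and sample data are assumptions made for this illustration, and only IPv4 is covered.

```python
import ipaddress

# RFC 1918 private ranges (the ranges the "RFC 1918 coverage" report is named for).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory; the field layout is an assumption of this example.
# RFC 5737 documentation addresses stand in for public addresses.
ASSETS = [
    {"name": "edge-fw", "addresses": ["203.0.113.10", "10.0.0.1"], "services": [("ssh", 22)]},
    {"name": "jump-host", "addresses": ["192.168.1.20"], "services": [("ssh", 2222)]},
    {"name": "kiosk", "addresses": ["198.51.100.7"], "services": [("rdp", 3389)]},
    {"name": "lab-vm", "addresses": ["10.0.5.9", "203.0.113.44"], "services": [("vnc", 5900), ("ssh", 22)]},
    {"name": "printer", "addresses": ["172.16.4.30"], "services": [("http", 80)]},
]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def is_public(ip):
    # Treat anything outside RFC 1918 and the special-purpose ranges as public.
    return not (is_rfc1918(ip) or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)

def _ips(asset):
    return [ipaddress.ip_address(a) for a in asset["addresses"]]

def has_public(asset):
    return any(is_public(ip) for ip in _ips(asset))

def has_private(asset):
    return any(is_rfc1918(ip) for ip in _ips(asset))

# Each check mirrors one sample query, as interpreted for this example.
CHECKS = {
    "has_public:t and has_private:t": lambda a: has_public(a) and has_private(a),
    "protocol:ssh not port:22": lambda a: any(p == "ssh" and port != 22 for p, port in a["services"]),
    "has_public:t and (protocol:rdp or protocol:vnc)":
        lambda a: has_public(a) and any(p in ("rdp", "vnc") for p, _ in a["services"]),
}

def run_checks(assets):
    """Return {query: [names of matching assets]} in inventory order."""
    return {q: [a["name"] for a in assets if check(a)] for q, check in CHECKS.items()}

if __name__ == "__main__":
    for query, names in run_checks(ASSETS).items():
        print(f"{query}: {', '.join(names) or 'none'}")
```

An address such as 172.32.0.1 falls just outside 172.16.0.0/12, so it counts as public here; hand-written range checks often get this boundary wrong.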

Some other sample queries are described in our blog entries:

Reports

Taking a look at the available Reports should be your next stop, especially:

  • Switch topology to identify how your assets are connected and find “unmapped” MAC addresses (in red) that were not included in your scan scope (a summary of which is in the Unmapped MACs report)
  • Bridging to visualize what hosts may have both public and private connections
  • RFC 1918 coverage that can identify potential blind spots on your network like missing (unscanned) subnets, rogue devices, and “hinted” IPs that are secondary interfaces on unscanned network ranges
  • See the “View all” button at the top right for a list of other reports to investigate outliers

Alerts

Rumble can trigger automatic alerts to designated channels for post-scan inventory queries, asset changes, explorer and scan issues, security operations, or API events. Channels are publication types: internal to the UX, email, or webhooks, the last of which can enable integration with services such as Slack or Mattermost. Alerts use the same query language shown above, so this is a good way to automate proactive notification for critical events.