Search queries

Asset search keywords

When viewing assets, you can use the keywords in this section to search and filter.

User specified fields

Asset comments

Use the syntax comment:<text> to search comments on an asset.

comment:"contractor laptop"
comment:"imaging server"
Asset tags

Use the syntax tag:<term> to search tags added to an asset. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.

tag:"group"
tag:"group=production"
Organization name or ID

Use the syntax organization:<term> to filter by organization name or ID.

organization:Rumble
organization:"Temporary Project"
organization:f1c3ef6d-cb41-4d55-8887-6ed3cfb3d42d
Site name or ID

Use the syntax site:<term> to filter by site name or ID.

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Explorer name or ID

Use the syntax explorer:<term> to filter by explorer name or ID.

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237

Asset fields

Asset ID

The ID field is the unique identifier for a given asset, written as a UUID. Use the syntax id:<uuid> to filter by ID field.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Asset OS

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<text>. The OS version, if available, can be searched using os_version:<number>.

os:"Windows"
os:"Ubuntu Linux"
os_version:8
Asset type

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. Use the syntax type:<text> to search this field.

type:Desktop
type:BMC
type:"Game Console"
Asset hardware

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. Use the syntax hardware:<text> to search this field.

hardware:Switch
hardware:macMini
Asset hostnames

The hostnames associated with an asset are obtained from DNS and exposed services. Use the syntax name:<text> to search these names.

name:"www"
name:"TV"

To search an asset where any asset has a specific prefix or suffix, start the term with = and use % as a wildcard match:

name:="FTP.%"
name:="%-09"

Use the syntax name_count:<number>to search the hostname count. This search term supports numerical comparison operators (>, >=, <, <=, =).

name_count:>1
Asset domains

The domains associated with an asset are obtained from DNS and exposed services. Use the syntax domain:<domainname> to search the domain names.

domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"

The domain count can be searched using the syntax domain_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

domain_count:>1
Asset addresses

Use the syntax address:<ip> to search the addresses (both primary and secondary) associated with an asset, primary_address:<ip> to search only the primary addresses associated with an asset, or secondary_address:<ip> to search only the secondary addresses associated with an asset. These keywords also allow for wildcard matches using ‘%’. A comma-separated list of addresses will be used as an efficient multiple-match.

address:192.168.0.1
address:10.0.0
address:%.0.1
address:10.%.254
address:10.0.0.1,10.0.0.2,10.0.0.3

Use the syntax address_count:<term> and address_extra_count:<number> to search address primary and secondary counts. This search term supports numerical comparison operators (>, >=, <, <=, =).

address_extra_count:0
Asset networks

Use the syntax net:<cidr> to search the addresses (both primary and secondary) associated with an asset by CIDR mask.

net:192.168.0.0/24
Asset default community

Use the syntax community:<text> to search for assets with a default SNMP community (public or private).

community:public
Asset public address

Use the keyword has_public and syntax has_public:<boolean> to locate any asset with a non-reserved IP address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
has_public:true
Asset private address

Use the keyword has_private and syntax has_private:<boolean> to locate any asset with a private IP address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
has_private:false
Asset IPv6 address

Use the keyword has_ipv6 and the syntax has_ipv6:<boolean> to locate any asset with an identified IPv6 address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
has_ipv6:false

Use the keyword has_link_local and syntax has_link_local:<boolean> to locate any asset with an identified IPv6 link local (fe80::) address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
has_link_local:true
Asset MAC addresses

Use the syntax mac:<term> to search MAC addresses associated with an asset.

mac:00:5c:04
mac:00:00:1c

Use the syntax mac_count:<number> to search the MAC address count. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_count:>2

If you use exact search (:=) you can also search for full MAC addresses in Cisco format or dash-separated format:

mac:=00-10-fa-c2-bf-d5
mac:=0010.fac2.bfd5
Asset MAC address vendors

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<text>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

To search only the vendor associated with the newest MAC address, use the syntax newest_mac_vendor:<text>

newest_mac_vendor:Apple

The MAC address vendor count can be searched using the syntax mac_vendor_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

mac_vendor_count:0
Asset MAC address age

Use the syntax mac_age:<term> to search the allocation date of the newest MAC address associated with an asset. The term supports the standard Rumble time comparison syntax.

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31
Asset outlier score

Use the syntax outlier_score:<value> to search the calculated outlier score of assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (>, >=, <, <=, =).

outlier_score:>2
outlier_score:0
Asset attributes

Use the syntax attribute:<term> to search the asset attribute fields, such as the port used to detect the TTL.

attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"

To determine if an asset has any attribute defined, use the has:<attribute-name> keyword. The has keyword can be inverted to find missing fields with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"

In addition to the standard fields, the following special attributes are available:

  • has:screenshot returns assets where at least one screenshot was obtained.
  • has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
  • has:uplink returns assets seen in the CAM table of a network switch.
  • has:downlink returns assets where the CAM table was queried at least one other asset was connected.
  • has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.

ip.ttl.port:80
rdns.names:"router" 
_asset.ip.ttl.hops:"1"

Asset services

Asset service ports

The TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>.

port:80
port:161
Asset service TCP ports

Use the syntax tcp:<number> to search the TCP services associated with an asset by port number.

tcp:443

To search for assets with a specific list of TCP ports open, you can use the syntax service_ports_tcp:=<list>. Values should be in ascending numerical order, and separated by commas.

service_ports_tcp:=80,443
Asset service UDP ports

Use the syntax udp:<number> to search UDP services associated with an asset by port number.

udp:53

To search for assets with a specific list of UDP ports open, you can use the syntax service_ports_udp:=<list>. Values should be in ascending numerical order, and separated by commas.

service_ports_udp:=53,123
Asset service protocols

Use the syntax service_protocols:<term> (or protocol:<term> for short) to search the identified service protocols associated with an asset.

protocol:http
service_protocol:telnet

The protocol count can be searched using the syntax protocol_count:<number>. This search supports numerical comparison operators (>, >=, <, <=, =).

protocol_count:>1
Asset service products

Use the syntax service_products:<term> (or product:<term> for short) to search for the identified service products associated with an asset.

product:openssh
service_products:nginx

The product count can be searched using the syntax product_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

product_count:>3
Asset service counts

Use the following keywords to search the number of services associated with an asset can be searched by port number:

  • service_count_tcp:<number>
  • service_count_udp:<number>
  • service_count_icmp:<number>
  • service_count_arp:<number>

These keywords support numerical comparison operators (>, >=, <, <=, =).

Examples include:

service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1

Asset tracking fields

Asset timestamps

Use the following syntaxes to search the asset timestamp fields (first_seen, last_seen, created_at, updated_at, os_eol, os_eol_extended):

  • first_seen:<term>
  • last_seen:<term>
  • created_at:<term>
  • updated_at:<term>
  • os_eol:<term>
  • os_eol_extended:<term>

The term supports the standard Rumble time comparison syntax.

first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
os_eol:<now
os_eol:>4weeks
os_eol_extended:>now
os_eol_extended:>90days
Asset online status

Use the syntax online:<boolean> or the inverse syntax offline:<boolean> to search the online status of an asset.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
online:t
online:1
offline:0
Asset detection method

The detected by attribute of an asset can be searched using the syntax det:<term> or detected_by:<term>. The term is one of arp, icmp, <portnumber>-tcp, or <portnumber>-udp. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.

det:arp
detected_by:80-tcp
det:53-udp
Asset Time to Live (TTL) comparisons

Use the syntax ttl:<term> and lowest_ttl:<term> to search the lowest TTL of an asset. TTL is the estimated number of hops between the scan source and the asset.

This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_ttl:>3
Asset Round Trip Time (RTT) comparisons

Use the syntax rtt:<term> and lowest_rtt:<term> to search the lowest RTT for an asset. RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms).

This search term supports numerical comparison operators (>, >=, <, <=, =).

lowest_rtt:>50000000
Asset multiple MAC address status

Use the syntax multi_mac:<boolean> to determine if an asset has multiple MAC addresses.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
multi_mac:t
Asset any MAC address status

Use the syntax has_mac:<boolean> to find assets with any MAC addresses.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
has_mac:yes
has_mac:f
Asset multiple IP address status

Use the syntax multi_home:<boolean> to determine if an asset has multiple IP addresses.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
multi_home:t
Asset multiple hostname status

Use the syntax multi_name:<boolean> to find assets with multiple hostnames.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
multi_name:yes
multi_name:false

Service search keywords

When viewing services, you can use the keywords in this section to search and filter.

Service ports

The TCP and UDP services associated with a service can be searched by port number using the syntax port:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).

port:<=25
Service TCP ports

Use the syntax tcp:<number> to search TCP service associated with a service by port number.

tcp:53

To search for all services on assets with a specific list of TCP ports open, you can use the syntax service_ports_tcp:=<list>. Values should be in ascending numerical order, and separated by commas.

service_ports_tcp:=80,443
Service UDP ports

Use the udp:<number> syntax to search UDP services associated with a service by port number.

udp:443

To search for all services on assets with a specific list of UDP ports open, you can use the syntax service_ports_udp:=<list>. Values should be in ascending numerical order, and separated by commas.

service_ports_udp:=53,123
Service transport

Use the syntax transport:<term> to search the transport associated with a service by name.

transport:tcp
transport:udp
transport:icmp
Service protocol

Use the syntax service_protocols:<term> (or protocol:<term> for short) to search the protocols associated with services.

protocol:http
protocol:telnet
Services for assets with product

Use the syntax service_products:<term> (or product:<term> for short) to search for the identified service products associated with an asset, and return all services for the matching assets.

product:openssh
service_products:nginx
Service Virtual Host (VHost)

Use the syntax vhost:<text> to search for virtual hosts associated with a service by name .

vhost:"www"
Service address

Use the keyword service_address to match against the service IP address.

service_address:192.168.0.1
Service public address

Use the keyword service_has_public and syntax service_has_public:<boolean> to locate any service with a non-reserved I address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
service_has_public:true
Service private address

Use the keyword service_has_private and syntax service_has_private:<boolean> to locate any service with a private IP address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
service_has_private:false
Service IPv6 address

Use the keyword service_has_ipv6 and the syntax service_has_ipv6:<boolean> to locate any service with an identified IPv6 address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
service_has_ipv6:false

Use the keyword service_has_link_local and syntax service_has_link_local:<boolean>to locate any service with an identified IPv6 link local (fe80::) address.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
service_has_link_local:true
Services for assets with outlier score

You can use the syntax outlier_score:<value> to search the calculated outlier score of assets, and return all services on those assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (>, >=, <, <=, =).

outlier_score:>2
outlier_score:0
Services for assets with MAC address vendors

To search the vendors associated with the MAC addresses of an asset, and return all services on those assets, use the syntax mac_vendor:<text>.

mac_vendor:Apple
mac_vendor:"Intel Corporate"

To search only the vendor associated with the newest MAC address, use the syntax newest_mac_vendor:<text>

newest_mac_vendor:Apple
Services for assets with MAC address age

To search the ages of the newest MAC addresses associated with each asset, and return all services associated with those assets, use the syntax mac_age:<term>. The term supports the standard Rumble time comparison syntax.

mac_age:>1year
mac_age:<6months
mac_age:2019-12-31
Service attributes

You can search all service attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).

If the attribute name conflicts with an existing term, the prefix _service. can be added to disambiguate the query.

Note that service attributes can be slow and it is often better to prefix _asset.protocol:<term> filter in front of the service attribute query. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH" 
html.title:"Apache2 Ubuntu Default Page" 
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, use the has keyword. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"

Software search keywords

When viewing software, you can use the keywords in this section to search and filter.

Software source

The source reporting the software installed can be searched or filtered by name using the syntax source:<name>.

source:rumble
Software vendor

The vendor associated with a software can be searched by name using the syntax vendor:<name>.

vendor:oracle
Software product

The product associated with a software can be searched by name using the syntax product:<name>.

product:java

Wireless search keywords

When viewing WiFi networks, you can use the keywords in this section to search and filter.

SSID (ESSID)

The SSID/ESSID field can be searched using the syntax ssid:<text>.

ssid:"Guest Network"
ssid:"Corporate"
BSSID (MAC)

The BSSID field can be searched using the syntax bssid:<text> or mac:<text>.

bssid:"00:01:02:03:04:05"
mac:"00:01:%"
Vendor

The vendor field can be searched using the syntax mac_vendor:<text>.

mac_vendor:"Google"
mac_vendor:"Netgear"
mac_vendor:"Cisco"
Family

The family field can be searched using the syntax family:<term>.

family:"010304"
Channels

The channels field can be searched using the syntax channel:<term>.

channel:"11"
Type

The network type field can be searched using the syntax type:<text>.

type:"infrastructure"
Interface

The network interface field can be searched using the syntax interface:<text>.

interface:"wlan0"
Encryption

The encryption field can be searched using the syntax encryption:<term>.

encryption:"aes"
encryption:"none"
Authentication

The authentication field can be searched using the syntax authentication:<term>.

authentication:"wpa2-psk"
authentication:"open"
Timestamps

The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax first_seen:<term>, last_seen:<term> and created_at:<term>. The term supports the standard Rumble time comparison syntax.

first_seen:<30seconds
first_seen:>2019-08-01
last_seen:<1week
last_seen:<2months
created_at:>2weeks
created_at:<30minutes
Signal

The signal field can be searched using the syntax signal:<number> or sig:<number>. The term can include the operators >, =, <=, and =. The default operator is =.

signal:">75"
signal:"<=25"
signal:99
Organization name or ID

Use the syntax organization:<term> to filter by organization name or ID.

organization:Rumble
organization:"Temporary Project"
organization:f1c3ef6d-cb41-4d55-8887-6ed3cfb3d42d
Site name or ID

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Explorer name or ID

The explorer name or ID can be used as a filter with the syntax explorer:<term>

explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237
Wireless ID

The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Last task ID

The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229
Wireless attributes

All wireless attributes can be searched using the syntax <attribute>:<term>.

radio_type:"802.11n"

Analysis report search keywords

When viewing generated analysis reports, you can use the keywords in this section to search and filter.

Name

The Name field can be searched using the syntax name:<text>.

name:"main"
Description

The Description field can be searched using the syntax description:<text>

description:"compare secondary"
Type

The report type can be searched using the syntax type:<text>

type:outliers
Report ID

The ID field is the unique identifier for a given analysis report, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Created at

The timestamp when a report was generated can be searched using the syntax created_at:.

The term supports the standard Rumble time comparison syntax.

created_at:>2019-08-01
created_at:<1week
Created by

The Created By field can be searched using the syntax created_by:<term>.

created_by:jsmith

Query library search keywords

When viewing saved queries, you can use the keywords in this section to search and filter.

Name

The Name field can be searched using the syntax name:<text>.

name:"smb2"
Description

The Description field can be searched using the syntax description:<text>.

description:"smb version 1"
description:"wep"
Type

The Type field can be searched using the syntax type:<term> .

type:"services"
Category

The Category field can be searched using the syntax category:<term>.

category:"security"
category:"audit"
Severity

The Severity field can be searched using the syntax severity:<term>.

severity:"info"
severity:"critical"
Created by

The Created By field can be searched using the syntax created_by:<term>.

created_by:"rumble"
Timestamps (created at, updated at)

The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Explorer search keywords

When viewing deployed explorers, you can use the keywords in this section to search and filter.

Name

The Name field can be searched using the syntax name:<text>.

name:"main"
Site

The site can be searched using the syntax site:<text>.

site:Primary
Up

Whether the explorer is up can be searched using the syntax up:<boolean>.

up:true
Address

The IP address(es) the explorer is deployed on can be searched using the syntax address:<IP address>.

address:10.0.1.200
Version

The software version of explorers can be searched using version:<text>.

version:2.9.7
Npcap version

The version of the npcap library for Windows explorers can be searched using npcap_version:<text>.

npcap_version:1.60
Architecture

The machine architecture explorers are deployed on can be searched using architecture:<text>.

architecture:amd64
OS

The operating system explorers are deployed on can be searched using os:<text>. Note that macOS is recorded as darwin, the underlying Unix core of macOS.

os:windows
os:darwin
Capability

The capabilities of the explorers can be searched using the syntax capability:<keyword>. Two keywords are supported:

  • screenshot for explorers which can screenshot web pages
  • ec2 for explorers which can describe AWS EC2 instances

Example:

capability:screenshot
Explorer tags

Use the syntax tag:<term> to search tags added to an explorer. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.

tag:"admin"
tag:"group=cloud"

Task search keywords

When viewing all tasks, you can use the keywords in this section to search and filter.

Name

The Name field can be searched using the syntax name:<text>.

name:"test scan"
Description

The Description field can be searched using the syntax description:<text>

description:"full scan"
Created by

The Created By field can be searched using the syntax created_by:<term>.

created_by:"admin"
Type

The task type can be searched using type:<text>.

type:scan
Status

The task status can be searched using status:<text>.

status:error
Error

The task error message can be searched using error:<text>.

error:"no disk space"
Recurrence frequency

The frequency tasks recur at (the “Freq” column) can be searched using recur_frequency:<text> or freq:<text>. The term recurring:<boolean> or recur:<boolean> can be used to search based on whether tasks recur at all.

recur_frequency:hourly
freq:daily
freq:continuous
recur:true

To search for tasks with a frequency of Nth Weekday of Month, you can use (for example) freq:nth_weekday,2 freq:monday to find tasks which repeat on the second monday of each month.

Timestamps (created at, updated at)

The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Next/last run time

You can search by next recurrence and last recurrence using the terms recur_last:<term> and recur_next:<term>. The term supports the standard Rumble time comparison syntax.

recur_last:<2hours
recur_next:>1day
Start time

You can search by start time using the syntax start_time:<term>. The term supports the standard Rumble time comparison syntax.

start_time:<2hour
Grace period

The grace period can be searched using the syntax grace_period:<term> or just grace:<term>. The term supports the standard Rumble time comparison syntax.

grace:<2hour
Site name or ID

Use the syntax site:<term> to filter by site name or ID.

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Template ID

Use the syntax template_id:<term> to filter by scan template ID.

template_id:de657459-041b-439d-af59-ff1f153a7722
Source

The data source for tasks can be searched using the term source:<text> or source_id:<number>.

source:censys

Sources are:

ID Name Description
1 rumble Rumble scan
2 miradore Miradore MDM
3 aws AWS EC2 API
4 crowdstrike CrowdStrike Falcon
5 azure Microsoft Azure
6 censys Censys Search API
7 vmware VMWare
Credential ID

You can search for tasks which use a specific set of credentials using credential_id:<id>.

credential_id:d7931a68-6e56-11ec-ad72-f875a414a63a
Parameters

Tasks can be searched for task parameters using params:<text>. This can be useful for searching for scan tasks which had specific probes enabled.

params:bacnet

Scan template search keywords

When viewing scan templates, you can use the keywords in this section to search and filter.

ID

The ID field is the unique identifier for a given template, written as a UUID. Use the syntax id:<uuid> to filter by ID field.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Name

Use the syntax name:<text> to search by scan template name.

name:WiFi
name:"Data Center"
Timestamps

Use the following syntaxes to search the scan template timestamp fields (created_at, updated_at):

  • created_at:<term>
  • updated_at:<term>

The term supports the standard Rumble time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
Scan template created by

The email address for the user that created the template can be searched using the syntax created_by_email:<term>.

created_by_email:user@example.com

Site search keywords

When viewing sites, you can use the keywords in this section to search and filter.

Name

The Name field can be searched using the syntax name:<text>.

name:"Primary"
Description

The Description field can be searched using the syntax description:<text>.

description:"wireless"
description:"vlan 50"
Scope

The Scope field can be searched using the syntax scope:<term> .

scope:"10.10.10."
Excludes

The Excludes field can be searched using the syntax excludes:<term> .

excludes:"192.168.0."
Timestamps (created at, updated at)

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Organization search keywords

Name

The Name field can be searched using the syntax name:<text>.

name:"main"
Description

The Description field can be searched using the syntax description:<text>

description:"branch office"
description:"pci"
Timestamps (created at, updated at)

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours

Credential search keywords

When viewing saved credentials, you can use the keywords in this section to search and filter.

Credential fields

Credential ID

The ID field is the unique identifier for a given credential, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Credential name

The credential name can be searched using the syntax name:<text>.

name:"AWS read-only account"
name:"Miradore API key"
Credential type

The credential type can be searched using the syntax name:<text>.

type:aws_access_secret
type:miradore_api_key_v1
Credential global property

The global property describes the level of access for all organizations. If a credential is global, all organizations have access to it. The global property can be searched using the syntax global:<boolean>.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
global:true
global:0
Credential timestamps

Credential timestamp fields (created_at and last_used_at) can be searched using the syntax:

  • created_at:<term>
  • last_used_at:<term>

The term supports the standard Rumble time comparison syntax.

created_at:<3days
created_at:>2019-08-01
created_at:>8/1/2019
created_at:<1week
created_at:<2months
last_used_at:<1year
last_used_at:>2weeks
last_used_at:<30minutes
last_used_at:>1year
last_used_at:<12hours
last_used_at:0
Credential created by

The created_by_email holds the email address for the user that created the credential. It can be searched using the syntax created_by_email:<term>.

created_by_email:user@example.com

User search keywords

When viewing users, you can use the keywords in this section to search and filter.

Email

Use the syntax email:<address> to search for someone by email address.

email:john@example.com
Name

Use the syntax name:<text> to search for someone by name.

name:john
name:"John Smith"
Superuser

To search for people based on whether they have superuser access, use the term superuser:<boolean>.

superuser:true
superuser:f
Access

Use the syntax access:<term> to search for users with a specific access level. Possible access levels are admin, user, annotator, viewer, billing and none.

access:admin
Status

To search for users by invitation status, use the term status:<text>. Possible status values are activated, pending and expired.

status:pending
SSO

To search for people based on whether they can only log in via SSO, use the term sso:<boolean>.

sso:true
MFA

To search for people based on whether they have enrolled an MFA token, use the term mfa:<boolean>.

mfa:f
Group ID

The group_id field is the unique identifier for a given group, written as a UUID. To search for users that are part of a group based on the group’s ID, use the syntax group_id:<uuid>.

group_id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Group name

To search for users that are part of a group based on the group’s name, use the syntax group_name:<text>.

group_name:administrators
group_name:"Temp annotators"

Group search keywords

When viewing your groups, you can use the keywords in this section to search and filter.

ID

The ID field is the unique identifier for a given group, written as a UUID. Use the syntax id:<uuid> to filter by ID field.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Name

Use the syntax name:<text> to search by group name.

name:administrators
name:"Temp annotators"
Access

Use the syntax access:<term> to search for groups with a specific access level. Possible access levels are admin, user, annotator, viewer, billing and none.

access:admin
Timestamps (created at, updated at)

Filter groups by their timestamp fields, created_at and updated_at, using the syntax created_at:<term> and updated_at:<term>. The terms support the standard Rumble time comparison syntax.

created_at:<30days
updated_at:<1week
Expiration

Filter groups by their expiration timestamp, expires_at, using the syntax expires_at:<term>. The term supports the standard Rumble time comparison syntax.

expires_at:<30days
expires_at:>8/1/2019

The expired property describes whether or not a group has expired. Search this property using the expired:<boolean> syntax.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
expired:true
expired:0

Use the syntax has_expiration:<term> to find any assets with an expiration date.

The term is a boolean value:

  • true, t, 1, and yes represent true
  • false, f, 0, and no represent false
has_expiration:true
has_expiration:0
Email

The created_by_email property holds the email address for the user that created the group. It can be searched using the syntax created_by_email:<term>.

created_by_email:user@rumble.run

Group mapping search keywords

When viewing your SSO group mappings, you can use the keywords in this section to search and filter.

ID

The ID field is the unique identifier for a given group mapping, written as a UUID. Use the syntax id:<uuid> to filter by ID field.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
SSO attribute

The sso_attribute is the name of the attribute field to check for matching values. Use the syntax sso_attribute:<text> to search by sso_attribute.

sso_attribute:department
SSO value

The sso_value is the value or comma-separated list of values to match. Use the syntax sso_value:<text> to search by sso_value.

sso_value:security
sso_value:"admins, administrators"
Group ID

The group_id field is the unique identifier for a given group, written as a UUID. To search for group mappings related to a group based on the group’s ID, use the syntax group_id:<uuid>.

group_id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Group name

To search for group mappings related to a group based on the group’s name, use the syntax group_name:<text>.

group_name:administrators
group_name:"Temp annotators"
Timestamps (created at, updated at)

Filter group mappings by their timestamp fields, created_at and updated_at, using the syntax created_at:<term> and updated_at:<term>. The terms support the standard Rumble time comparison syntax.

created_at:<30days
updated_at:<1week
Email

The created_by_email property holds the email address for the user that created the group. It can be searched using the syntax created_by_email:<term>.

created_by_email:user@rumble.run

Event search keywords

When viewing system events under alerts, you can use the keywords in this section to search and filter.

Action

Use the syntax action:<text> to search by the action which caused the event.

action:agent-reconnected
Created timestamp

The timestamp fields created_at can be searched using the syntax created_at:<term>. The term supports the standard Rumble time comparison syntax.

created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Details

The details in the event record can be searched using the syntax details:<text>. This can be useful for searching for IP addresses.

details:192.168.0.1
Source and target name

The source (src) column can be searched using the syntax src:<text> or source:<text>. The target (tgt) column can be searched using tgt:<text> target:<text>.

src:crowdstrike
target:primary
Source and target type

The source type (shown at the start of the src column) can be searched using the syntax src_type:<text> or source_type:<text>.

Similarly, the target type can be searched using tgt_type:<text> or target_type:<text>.

src_type:task
target_type:site
Organization, site, source and target IDs

The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:

  • organization_id:<uuid>
  • site_id:<uuid>
  • source_id:<uuid> or src_id:<uuid>
  • target_id:<uuid> or tgt_id:<uuid>

The IDs are unique and are written as UUIDs.

organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a
Next: Automating queries