Search Queries

Search Syntax

Asset Search Keywords

User Specified Fields

Comments that have been set on an asset can be searched using the syntax comments:<term> and comment:<term>.

comment:"contractor laptop"
comments:"imaging server"

Tags that have been set on an asset can be searched using the syntax tag:<term> and tags:<term>. The term can be either the tag name, or tag name followed by an equal sign and the tag value. Tag matches are exact terms.

tag:"group"
tags:"group=production"

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The agent name or ID can be used as a filter with the syntax agent:<term>

agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237
Asset Fields

The ID field is the unique identifier for a given asset, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<term>.

os:"Windows"
os:"Ubuntu Linux"

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. This field is searched using the syntax type:<term>.

type:Desktop
type:BMC
type:"Game Console"

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. This field is searched using the syntax hw:<term> and hardware:term.

hw:Switch
hardware:macMini

The hostnames associated with an asset are obtained from DNS and exposed services. These names can be searched using the syntax hostname:<term>, name:<term>, and names:<term>.

names:"www"
name:"TV"
hostname:"RTR"

The hostname count can be searched using the syntax name_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

name_count:>=1

The domains associated with an asset are obtained from DNS and exposed services. These domain names can be searched using the syntax domain:<term> and domains:<term>.

domains:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"

The domain count can be searched using the syntax domain_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

domain_count:>=1

The addresses (both primary and secondary) associated with an asset can be searched using the syntax ip:<term>, addr:<term>, and host:<term>. This keyword also allows for wildcard matches using ‘%'.

ip:192.168.0.1
addr:10.0.0
addr:10.0.0.5
host:172.16.1.1
address:%.0.1
host:10.%.254

The address counts both primary and secondary) can be searched using the syntax address_count:<term> and address_extra_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

address_count:>=2
address_extra_count:0

The addresses (both primary and secondary) associated with an asset can be searched by CIDR mask using the syntax net:<term>.

net:192.168.0.0/24

The keyword haspublic can be used to locate any asset with a non-reserved IPv4 address using the syntax haspublic:<term>.

haspublic:true

The keyword hasprivate can be used to locate any asset with RFC1918 IPv4 address using the syntax hasprivate:<term>.

hasprivate:false

The keyword hasipv6 can be used to locate any asset with an identified IPv6 address using the syntax hasipv6:<term> or hasip6:<term>.

hasip6:true
hasipv6:false

The keyword haslinklocal can be used to locate any asset with an identified IPv6 link local (fe80::) address using the syntax haslinklocal:<term>.

haslinklocal:true

The MAC addresses associated with an asset can be searched using the syntax mac:<term> and macs:<term>.

mac:00:5c:04
macs:00:00:1c

The MAC address count can be searched using the syntax mac_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

mac_count:>=1

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac-vendor:<term> and vendor:<term>.

vendor:Apple
mac-vendor:"Intel Corporate"

The MAC address vendor count can be searched using the syntax vendor_count:<term> or macvendor_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

macvendor_count:>=1
vendor_count:0

The allocate date of the newest MAC address associated with an asset can be searched using the syntax newest-mac-age:<term>, mac-age:<term>, and age:<term>. The term includes a greater than > or less than < operator followed by either a relative or absolute date expression. Relative date expressions include seconds (sec, s), minutes (min, m), hours (hr, h), days (d), weeks (w), and years (yr, y), in both plural and singular forms. Absolute date expressions can be in international (2019-12-31), USA (12/31/2019), or Unix timestamp format.

newest-mac-age:>1year
mac-age:<6months
age:2019-12-31

The asset attributes fields, such as the port used to detect the TTL, can be searched using the syntax attribute:<term>, attributes:<term>, and attr:<term>.

attr:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attributes:"9.11.3"

To determine if an asset has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"

In addition to the standard fields, the following special attributes exist:

  • has:screenshot returns assets where at least one screenshot was obtained.
  • has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
  • has:uplink returns assets seen in the CAM table of a network switch.
  • has:downlink returns assets where the CAM table was queried at least one other asset was connected.
  • has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.

The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.

ip.ttl.port:80
rdns.names:"router" 
_asset.ip.ttl.hops:"1"

Asset Services

TThe TCP and UDP services associated with an asset can be searched by port number using the syntax port:<term>.

port:80
port:161

The TCP services associated with an asset can be searched by port number using the syntax tcp:<term>.

port:443

The UDP services associated with an asset can be searched by port number using the syntax udp:<term>.

port:53

The identified service protocols associated with an asset can be searched using the syntax protocol:<term> and protocols:<term>.

protocol:http
protocols:telnet

The protocol count can be searched using the syntax protocol_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

protocol_count:>=5

The identified service products associated with an asset can be searched using the syntax product:<term> and product:<term>.

product:openssh
products:nginx

The product count can be searched using the syntax product_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

product_count:>=3

The number of services associated with an asset can be searched by port number using the following keywords. These support numerical comparison operators (>, >=, <, <=, =).

  • tcp_count:<term>

  • udp_count:<term>

  • icmp_count:<term>

  • arp_count:<term>

  • service_count:<term>

  • service_count_tcp:<term>

  • service_count_udp:<term>

  • service_count_icmp:<term>

  • service_count_arp:<term>

Examples include:

tcp_count:>=5
service_count_arp:0
service_count_udp:<=1

Asset Tracking Fields

The asset timestamp fields (first_seen, last_seen, created_at, updated_at) timestamps can be searched using the syntax firstseen:<term>, first_seen:<term>, last_seen:<term>, lastseen:<term>, created_at:<term>, created:<term>, updated_at:<term>, and updated:<term>.

The term includes a greater than > or less than < operator followed by either a relative or absolute date expression. Relative date expressions include seconds (sec, s), minutes (min, m), hours (hr, h), days (d), weeks (w), and years (yr, y), in both plural and singular forms. Absolute date expressions can be in international (2019-12-31), USA (12/31/2019), or Unix timestamp format.

Note that created_at is usually identical to first_seen (initial asset detection) while updated_at can be very different from last_seen; the former indicates when the asset record was last updated (offline or otherwise) while the latter is when the asset was last seen alive. The updated_at query can be useful when synchonizing the inventory to external systems (using updated:<24hours on a daily import, etc).

firstseen:<30seconds
firstseen:>3days
first_seen:>2019-08-01
first_seen:>8/1/2019
lastseen:<1week
last_seen:<2months
lastseen:<1year
created_at:>2weeks
created:<30minutes
updated_at:>1year
updated:<12hours

The alive status of an asset can be searched using the syntax alive:<term> and online:<term> as well as the inverse with the syntax offline:<term> and dead:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

alive:t
dead:f
online:1
offline:0

The detected by attribute of an asset can be searched using the syntax det:<term> and detected-by:<term>. The term is one of arp, icmp, tcp-<port>, or udp-<port>. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.

det:arp
detected-by:80-tcp
det:53-udp

The lowest TTL of an asset can be searched using the syntax ttl:<term> and lowest_ttl:<term>. The TTL is the estimated number of hops between the scan source and the asset. This term supports numerical comparison operators (>, >=, <, <=, =).

ttl:0
lowest_ttl:>=1

The lowest RTT of an asset can be searched using the syntax rtt:<term> and lowest_rtt:<term>. The RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms). This term supports numerical comparison operators (>, >=, <, <=, =). The RTT

Find assets that responded in less than one millisecond:

rtt:<=1000000

Find assets that responded in more than 50 milliseconds:

lowest_rtt:>=50000000

The lowest RTT of an asset can be searched using the syntax rtt:<term> and lowest_rtt:<term>. The RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms). This term supports numerical comparison operators (>, >=, <, <=, =). The RTT

Find assets that responded in less than one millisecond:

rtt:<=1000000

Find assets that responded in more than 50 milliseconds:

lowest_rtt:>=50000000

Assets with any MAC addresses can be searched using the syntax hasmac:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

hasmac:yes
hasmac:f

| HasMAC | hasmac | Assets with at least one MAC address. Boolean (t, 1, yes or f, 0, no) |

Assets with multiple hostnames can be searched using the syntax multiname:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

multiname:yes
multiname:false

Service Search Keywords

The TCP and UDP services associated with a service can be searched by port number using the syntax port:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).

port:80
port:161
port:>=10000
port:<=25

The TCP services associated with a service can be searched by port number using the syntax tcp:<term>.

port:443

The UDP service associated with a service can be searched by port number using the syntax udp:<term>.

port:53

The transport associated with a service can be searched by name using the syntax transport:<term>.

transport:tcp
transport:udp
transport:icmp

The virtual host associated with a service can be searched by name using the syntax vhost:<term>.

vhost:"www"

All service attributes can be searched using the syntax <attribute>:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =). If the attribute name conflicts with an existing term, the prefix _service. can be specified to disambiguate the query.

Note that service attributes can be slow and it is often better to prefix _asset.protocol:<term> filter in front of the service attribute query. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.

banner:password
service.product:"OpenSSH" 
html.title:"Apache2 Ubuntu Default Page" 
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox

To determine if a service has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http.head.server"
not has:"html.title"

Wireless Search Keywords

General Fields

The SSID field can be searched using the syntax ssid:<term> or essid:<term>.

essid:"Guest Network"
ssid:"Corporate"

The BSSID field can be searched using the syntax bssid:<term> or mac:<term>.

bssid:"00:01:02:03:04:05"
mac:"00:01:%"

The vendor field can be searched using the syntax mac-vendor:<term>, macvendor:<term>, or vendor:<term>.

vendor:"Google"
mac-vendor:"Netgear"
macvendor:"Cisco"

The family field can be searched using the syntax family:<term>.

family:"010304"

The channels field can be searched using the syntax channel:<term> or channels:<term>.

channel:"11"

The network type field can be searched using the syntax type:<term>.

type:"infrastructure"

The network interface field can be searched using the syntax interface:<term>.

interface:"wlan0"

The encryption field can be searched using the syntax encryption:<term> or enc:<term>.

encryption:"aes"
enc:"none"

The authentication field can be searched using the syntax authentication:<term> or auth:<term>.

authentication:"wpa2-psk"
auth:"open"

The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax firstseen:<term>, first_seen:<term>, last_seen:<term>, lastseen:<term>, created_at:<term>, and created:<term>. The term matches the Asset Timestamp syntax.

firstseen:<30seconds
first_seen:>2019-08-01
lastseen:<1week
last_seen:<2months
created_at:>2weeks
created:<30minutes

The signal field can be searched using the syntax signal:<term> or sig:<term>. The term can include the operators >, <, >=, <=, and =. The default operator is =.

signal:">75"
signal:"<=25"
signal:99

The signal field can be searched using the syntax signal:<term> or sig:<term>. The term can include the operators >, <, >=, <=, and =. The default operator is =.

The site name or ID can be used as a filter with the syntax site:<term>

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899

The agent name or ID can be used as a filter with the syntax agent:<term>

agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237

The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536

The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229

All wireless attributes can be searched using the syntax <attribute>:<term>.

radio_type:"802.11n"

Organization Search Keywords

The Name field can be searched using the syntax name:<term>.

name:"main"

The Description field can be searched using the syntax desc:<term> or description:<term>

desc:"branch office"
description:"pci"

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term>, created:<term>, updated_at:<term>, updated:<term>. The term matches the Asset Timestamp syntax.

created_at:>2weeks
created:<30minutes
updated_at:>1month
updated:2hours

Site Search Keywords

The Name field can be searched using the syntax name:<term>.

name:"Primary"

The Description field can be searched using the syntax desc:<term> or description:<term>.

desc:"wireless"
description:"vlan 50"

The Scope field can be searched using the syntax scope:<term> .

scope:"10.10.10."

The Excludes field can be searched using the syntax excludes:<term> .

excludes:"192.168.0."

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term>, created:<term>, updated_at:<term>, updated:<term>. The term matches the Asset Timestamp syntax.

created_at:>2weeks
created:<30minutes
updated_at:>1month
updated:2hours

Query Library Search Keywords

The Name field can be searched using the syntax name:<term>.

name:"smb2"

The Description field can be searched using the syntax desc:<term> or description:<term>.

desc:"smb version 1"
description:"wep"

The Type field can be searched using the syntax type:<term> .

type:"services"

The Category field can be searched using the syntax category:<term> or cat:<term>.

category:"security"
cat:"audit"

The Severity field can be searched using the syntax severity:<term> or sev:<term>.

severity:"info"
sev:"critical"

The Created By field can be searched using the syntax created_by:<term> or by:<term>

by:"rumble"

The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term>, created:<term>, updated_at:<term>, updated:<term>. The term matches the Asset Timestamp syntax.

created_at:>2weeks
created:<30minutes
updated_at:>1month
updated:2hours
Rumble Logo
Get Rumble Login

© Critical Research Corporation