Search queries
Asset search keywords
When viewing assets, you can use the keywords in this section to search and filter.
User specified fields
Asset comments
Use the syntax comment:<text> to search comments on an asset.
comment:"contractor laptop"
comment:"imaging server"
Asset tags
Use the syntax tag:<term> to search tags added to an asset. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.
tag:"group"
tag:"group=production"
Organization name or ID
Use the syntax organization:<term> to filter by organization name or ID.
organization:Rumble
organization:"Temporary Project"
organization:f1c3ef6d-cb41-4d55-8887-6ed3cfb3d42d
Site name or ID
Use the syntax site:<term> to filter by site name or ID.
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Explorer name or ID
Use the syntax explorer:<term> to filter by explorer name or ID.
explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237
Asset fields
Asset ID
The ID field is the unique identifier for a given asset, written as a UUID. Use the syntax id:<uuid> to filter by ID field.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Asset OS
The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<text>. The OS version, if available, can be searched using os_version:<number>.
os:"Windows"
os:"Ubuntu Linux"
os_version:8
Asset type
The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. Use the syntax type:<text> to search this field.
type:Desktop
type:BMC
type:"Game Console"
Asset hardware
The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. Use the syntax hardware:<text> to search this field.
hardware:Switch
hardware:macMini
Asset hostnames
The hostnames associated with an asset are obtained from DNS and exposed services. Use the syntax name:<text> to search these names.
name:"www"
name:"TV"
To search for assets whose hostname has a specific prefix or suffix, start the term with = and use % as a wildcard match:
name:="FTP.%"
name:="%-09"
Use the syntax name_count:<number> to search the hostname count. This search term supports numerical comparison operators (>, >=, <, <=, =).
name_count:>1
Asset domains
The domains associated with an asset are obtained from DNS and exposed services. Use the syntax domain:<domainname> to search the domain names.
domain:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"
The domain count can be searched using the syntax domain_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).
domain_count:>1
Asset addresses
Use the syntax address:<ip> to search the addresses (both primary and secondary) associated with an asset, primary_address:<ip> to search only the primary addresses associated with an asset, or secondary_address:<ip> to search only the secondary addresses associated with an asset. These keywords also allow for wildcard matches using '%'. A comma-separated list of addresses will be used as an efficient multiple-match.
address:192.168.0.1
address:10.0.0
address:%.0.1
address:10.%.254
address:10.0.0.1,10.0.0.2,10.0.0.3
Use the syntax address_count:<term> and address_extra_count:<number> to search address primary and secondary counts. These search terms support numerical comparison operators (>, >=, <, <=, =).
address_extra_count:0
Asset networks
Use the syntax net:<cidr> to search the addresses (both primary and secondary) associated with an asset by CIDR mask.
net:192.168.0.0/24
Asset default community
Use the syntax community:<text> to search for assets with a default SNMP community (public or private).
community:public
Asset public address
Use the keyword has_public and syntax has_public:<boolean> to locate any asset with a non-reserved IP address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_public:true
Asset private address
Use the keyword has_private and syntax has_private:<boolean> to locate any asset with a private IP address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_private:false
Asset IPv6 address
Use the keyword has_ipv6 and the syntax has_ipv6:<boolean> to locate any asset with an identified IPv6 address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_ipv6:false
Asset link local IPv6 address
Use the keyword has_link_local and syntax has_link_local:<boolean> to locate any asset with an identified IPv6 link local (fe80::) address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_link_local:true
Asset MAC addresses
Use the syntax mac:<term> to search MAC addresses associated with an asset.
mac:00:5c:04
mac:00:00:1c
Use the syntax mac_count:<number> to search the MAC address count. This search term supports numerical comparison operators (>, >=, <, <=, =).
mac_count:>2
If you use exact search (:=) you can also search for full MAC addresses in Cisco format or dash-separated format:
mac:=00-10-fa-c2-bf-d5
mac:=0010.fac2.bfd5
Asset MAC address vendors
The vendor associated with the MAC addresses of an asset can be searched using the syntax mac_vendor:<text>.
mac_vendor:Apple
mac_vendor:"Intel Corporate"
To search only the vendor associated with the newest MAC address, use the syntax newest_mac_vendor:<text>.
newest_mac_vendor:Apple
The MAC address vendor count can be searched using the syntax mac_vendor_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).
mac_vendor_count:0
Asset MAC address age
Use the syntax mac_age:<term> to search the allocation date of the newest MAC address associated with an asset. The term supports the standard Rumble time comparison syntax.
mac_age:>1year
mac_age:<6months
mac_age:2019-12-31
Asset outlier score
Use the syntax outlier_score:<value> to search the calculated outlier score of assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (>, >=, <, <=, =).
outlier_score:>2
outlier_score:0
Asset attributes
Use the syntax attribute:<term> to search the asset attribute fields, such as the port used to detect the TTL.
attribute:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attribute:"9.11.3"
To determine if an asset has any attribute defined, use the has:<attribute-name> keyword. The has keyword can be inverted to find missing fields with not has:<term>.
has:"ip.ttl.port"
not has:"rdns.names"
In addition to the standard fields, the following special attributes are available:
has:screenshot returns assets where at least one screenshot was obtained.
has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).
has:uplink returns assets seen in the CAM table of a network switch.
has:downlink returns assets where the CAM table was queried and at least one other asset was connected.
has:unmapped returns assets where the CAM table was queried and at least one other asset was connected but not identified by IP.
The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.
ip.ttl.port:80
rdns.names:"router"
_asset.ip.ttl.hops:"1"
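The sections above describe several term shapes (plain and := exact matching with the % wildcard, numeric comparison operators, comma-separated address lists, net:<cidr>, the boolean spellings, and has / not has). The following added example, which is not Rumble's own query engine, is a small Python evaluator that applies those rules to one constructed asset record; it assumes that a plain name: or address: term is a case-insensitive substring match, which the page does not spell out.

```python
import ipaddress
import re

# Constructed sample asset record, not real inventory data.
ASSET = {
    "names": ["FTP.corp.lan", "WS-09"],
    "addresses": ["10.0.0.1", "192.168.0.1"],
    "name_count": 2,
    "has_public": False,
    "attributes": {"ip.ttl.port": "80"},
}

TRUE_WORDS = {"true", "t", "1", "yes"}
FALSE_WORDS = {"false", "f", "0", "no"}
# Optional "not ", keyword, optional "=" for exact mode, then a quoted or bare value.
TERM_RE = re.compile(r'^(not\s+)?([A-Za-z_][\w.]*):(=?)(?:"([^"]*)"|(\S+))$')
NUM_RE = re.compile(r"^(>=|<=|>|<|=)?(-?\d+(?:\.\d+)?)$")


def parse_bool(value):
    """Accept the boolean spellings the page lists: true/t/1/yes and false/f/0/no."""
    v = value.lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean term: {value!r}")


def compare_number(actual, term):
    """Apply one of the numeric comparison operators (>, >=, <, <=, =); a bare number means =."""
    m = NUM_RE.match(term)
    if not m:
        raise ValueError(f"not a numeric term: {term!r}")
    op, wanted = m.group(1) or "=", float(m.group(2))
    return {">": actual > wanted, ">=": actual >= wanted, "<": actual < wanted,
            "<=": actual <= wanted, "=": actual == wanted}[op]


def text_match(value, pattern, exact):
    """Exact mode (':=') matches the whole value with '%' as a wildcard.
    Plain ':' is assumed here to be a case-insensitive substring match."""
    value, pattern = value.lower(), pattern.lower()
    if not exact:
        return pattern in value
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, value) is not None


def address_match(addresses, term):
    """address: takes a single address, a '%' wildcard pattern, or a comma-separated list."""
    wanted = [t.strip() for t in term.split(",") if t.strip()]
    return any(text_match(a, w, exact="%" in w) for a in addresses for w in wanted)


def net_match(addresses, cidr):
    """net:<cidr> matches when any address of the asset falls inside the network."""
    network = ipaddress.ip_network(cidr, strict=False)
    return any(ipaddress.ip_address(a) in network for a in addresses)


def evaluate(asset, query):
    """Evaluate a single keyword term, optionally prefixed with 'not ', against one asset."""
    m = TERM_RE.match(query.strip())
    if not m:
        raise ValueError(f"cannot parse term: {query!r}")
    negated, key, exact, quoted, bare = m.groups()
    value = quoted if quoted is not None else bare
    if key == "name":
        result = any(text_match(n, value, bool(exact)) for n in asset["names"])
    elif key == "name_count":
        result = compare_number(asset["name_count"], value)
    elif key == "address":
        result = address_match(asset["addresses"], value)
    elif key == "net":
        result = net_match(asset["addresses"], value)
    elif key == "has_public":
        result = asset["has_public"] == parse_bool(value)
    elif key == "has":
        result = value in asset["attributes"]
    else:
        raise ValueError(f"unsupported keyword in this example: {key!r}")
    return (not result) if negated else result


if __name__ == "__main__":
    for q in ('name:="FTP.%"', "name_count:>1", "address:10.%.254",
              "net:192.168.0.0/24", "has_public:no", 'not has:"rdns.names"'):
        print(f"{q:25} -> {evaluate(ASSET, q)}")
```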
Asset services
Asset service ports
The TCP and UDP services associated with an asset can be searched by port number using the syntax port:<number>.
port:80
port:161
Asset service TCP ports
Use the syntax tcp:<number> to search the TCP services associated with an asset by port number.
tcp:443
To search for assets with a specific list of TCP ports open, you can use the syntax service_ports_tcp:=<list>. Values should be in ascending numerical order, and separated by commas.
service_ports_tcp:=80,443
Asset service UDP ports
Use the syntax udp:<number> to search UDP services associated with an asset by port number.
udp:53
To search for assets with a specific list of UDP ports open, you can use the syntax service_ports_udp:=<list>. Values should be in ascending numerical order, and separated by commas.
service_ports_udp:=53,123
Asset service protocols
Use the syntax service_protocols:<term> (or protocol:<term> for short) to search the identified service protocols associated with an asset.
protocol:http
service_protocol:telnet
The protocol count can be searched using the syntax protocol_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).
protocol_count:>1
Asset service products
Use the syntax service_products:<term> (or product:<term> for short) to search for the identified service products associated with an asset.
product:openssh
service_products:nginx
The product count can be searched using the syntax product_count:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).
product_count:>3
Asset service counts
Use the following keywords to search the number of services associated with an asset, per transport:
service_count_tcp:<number>
service_count_udp:<number>
service_count_icmp:<number>
service_count_arp:<number>
These keywords support numerical comparison operators (>, >=, <, <=, =).
Examples include:
service_count_tcp:>=5
service_count_arp:0
service_count_udp:<=1
Asset tracking fields
Asset timestamps
Use the following syntaxes to search the asset timestamp fields (first_seen, last_seen, created_at, updated_at, os_eol, os_eol_extended):
first_seen:<term>
last_seen:<term>
created_at:<term>
updated_at:<term>
os_eol:<term>
os_eol_extended:<term>
The term supports the standard Rumble time comparison syntax.
first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
os_eol:<now
os_eol:>4weeks
os_eol_extended:>now
os_eol_extended:>90days
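The mac_age section and the timestamp section above both rely on the "standard Rumble time comparison syntax" without defining it. The following added example (not Rumble's own parser) evaluates the term shapes shown on this page, relative durations such as <3days, absolute dates such as >2019-08-01 and >8/1/2019, the now keyword, and a bare date, against constructed timestamps with a fixed "now". It assumes a month is 30 days and a year 365 days, that a relative term measures the distance between the timestamp and now in either direction, and that a bare date matches anything on that calendar day.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed unit lengths; the page does not define how long a "month" or "year" is.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400}
TIME_RE = re.compile(r"^(>=|<=|>|<|=)?\s*(.+)$")
DURATION_RE = re.compile(r"^(\d+)\s*(second|minute|hour|day|week|month|year)s?$")
ABS_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")  # 2019-08-01 and 8/1/2019, as on the page


def parse_duration(text):
    """'3days', '30minutes', '1year' -> timedelta; None if it is not a duration."""
    m = DURATION_RE.match(text.lower())
    if not m:
        return None
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def parse_absolute(text, now):
    """'now', '2019-08-01' or '8/1/2019' -> aware datetime; None if unparseable."""
    if text.lower() == "now":
        return now
    for fmt in ABS_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def compare(op, left, right):
    return {">": left > right, ">=": left >= right, "<": left < right,
            "<=": left <= right, "=": left == right}[op]


def time_term_matches(timestamp, term, now):
    """Evaluate one time term against a timestamp, given the current time.

    Assumption: a relative term compares the distance between the timestamp and
    now, so first_seen:<3days means "within the last 3 days" and os_eol:>90days
    means "more than 90 days away"; an absolute date compares chronologically,
    and a bare date with no operator matches anywhere inside that calendar day.
    """
    m = TIME_RE.match(term.strip())
    op, body = m.group(1) or "=", m.group(2).strip()
    duration = parse_duration(body)
    if duration is not None:
        return compare(op, abs(now - timestamp), duration)
    absolute = parse_absolute(body, now)
    if absolute is None:
        raise ValueError(f"cannot parse time term: {term!r}")
    if op == "=" and body.lower() != "now":
        return absolute <= timestamp < absolute + timedelta(days=1)
    return compare(op, timestamp, absolute)


# Constructed sample: a fixed "now" and three asset timestamps (not real data).
NOW = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "first_seen": datetime(2020, 1, 14, 12, 0, tzinfo=timezone.utc),
    "os_eol": datetime(2019, 12, 31, 9, 30, tzinfo=timezone.utc),
    "os_eol_extended": datetime(2020, 6, 1, 0, 0, tzinfo=timezone.utc),
}


def matches(field, term, now=NOW):
    """Apply a field:term pair from the page, e.g. matches('os_eol', '<now')."""
    return time_term_matches(SAMPLE[field], term, now)


if __name__ == "__main__":
    for field, term in (("first_seen", "<3days"), ("first_seen", ">8/1/2019"),
                        ("os_eol", "<now"), ("os_eol_extended", ">90days")):
        print(f"{field}:{term:12} -> {matches(field, term)}")
```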
Asset online status
Use the syntax online:<boolean> or the inverse syntax offline:<boolean> to search the online status of an asset.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
online:t
online:1
offline:0
Asset detection method
The detected by attribute of an asset can be searched using the syntax det:<term> or detected_by:<term>.
The term is one of arp, icmp, <portnumber>-tcp, or <portnumber>-udp. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.
det:arp
detected_by:80-tcp
det:53-udp
Asset Time to Live (TTL) comparisons
Use the syntax ttl:<term> and lowest_ttl:<term> to search the lowest TTL of an asset. TTL is the estimated number of hops between the scan source and the asset.
This search term supports numerical comparison operators (>, >=, <, <=, =).
lowest_ttl:>3
Asset Round Trip Time (RTT) comparisons
Use the syntax rtt:<term> and lowest_rtt:<term> to search the lowest RTT for an asset. RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms).
This search term supports numerical comparison operators (>, >=, <, <=, =).
lowest_rtt:>50000000
Asset multiple MAC address status
Use the syntax multi_mac:<boolean> to determine if an asset has multiple MAC addresses.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
multi_mac:t
Asset any MAC address status
Use the syntax has_mac:<boolean> to find assets with any MAC addresses.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_mac:yes
has_mac:f
Asset multiple IP address status
Use the syntax multi_home:<boolean> to determine if an asset has multiple IP addresses.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
multi_home:t
Asset multiple hostname status
Use the syntax multi_name:<boolean> to find assets with multiple hostnames.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
multi_name:yes
multi_name:false
Service search keywords
When viewing services, you can use the keywords in this section to search and filter.
Service ports
TCP and UDP services can be searched by port number using the syntax port:<number>. This search term supports numerical comparison operators (>, >=, <, <=, =).
port:<=25
Service TCP ports
Use the syntax tcp:<number> to search TCP services by port number.
tcp:53
To search for all services on assets with a specific list of TCP ports open, you can use the syntax service_ports_tcp:=<list>. Values should be in ascending numerical order, and separated by commas.
service_ports_tcp:=80,443
Service UDP ports
Use the udp:<number> syntax to search UDP services by port number.
udp:443
To search for all services on assets with a specific list of UDP ports open, you can use the syntax service_ports_udp:=<list>. Values should be in ascending numerical order, and separated by commas.
service_ports_udp:=53,123
Service transport
Use the syntax transport:<term> to search the transport associated with a service by name.
transport:tcp
transport:udp
transport:icmp
Service protocol
Use the syntax service_protocols:<term> (or protocol:<term> for short) to search the protocols associated with services.
protocol:http
protocol:telnet
Services for assets with product
Use the syntax service_products:<term> (or product:<term> for short) to search for the identified service products associated with an asset, and return all services for the matching assets.
product:openssh
service_products:nginx
Service Virtual Host (VHost)
Use the syntax vhost:<text> to search for virtual hosts associated with a service by name.
vhost:"www"
Service address
Use the keyword service_address to match against the service IP address.
service_address:192.168.0.1
Service public address
Use the keyword service_has_public and syntax service_has_public:<boolean> to locate any service with a non-reserved IP address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
service_has_public:true
Service private address
Use the keyword service_has_private and syntax service_has_private:<boolean> to locate any service with a private IP address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
service_has_private:false
Service IPv6 address
Use the keyword service_has_ipv6 and the syntax service_has_ipv6:<boolean> to locate any service with an identified IPv6 address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
service_has_ipv6:false
Service link local IPv6 address
Use the keyword service_has_link_local and syntax service_has_link_local:<boolean> to locate any service with an identified IPv6 link local (fe80::) address.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
service_has_link_local:true
Services for assets with outlier score
You can use the syntax outlier_score:<value> to search the calculated outlier score of assets, and return all services on those assets. The outlier score is in the range 0 to 5 inclusive. This search term supports numerical comparison operators (>, >=, <, <=, =).
outlier_score:>2
outlier_score:0
Services for assets with MAC address vendors
To search the vendors associated with the MAC addresses of an asset, and return all services on those assets, use the syntax mac_vendor:<text>.
mac_vendor:Apple
mac_vendor:"Intel Corporate"
To search only the vendor associated with the newest MAC address, use the syntax newest_mac_vendor:<text>.
newest_mac_vendor:Apple
Services for assets with MAC address age
To search the ages of the newest MAC addresses associated with each asset, and return all services associated with those assets, use the syntax mac_age:<term>. The term supports the standard Rumble time comparison syntax.
mac_age:>1year
mac_age:<6months
mac_age:2019-12-31
Service attributes
You can search all service attributes with the syntax <attribute>:<term>. This search term supports numerical comparison operators (>, >=, <, <=, =).
If the attribute name conflicts with an existing term, the prefix _service. can be added to disambiguate the query.
Note that service attribute searches can be slow, and it is often better to place an _asset.protocol:<term> filter in front of the service attribute query so that only services of that protocol are examined. For example, to search for SSH banners, use the syntax _assets.protocol:ssh AND banner:<term>.
banner:password
service.product:"OpenSSH"
html.title:"Apache2 Ubuntu Default Page"
http.code:>=500
screenshot.image.size:=>100000
_service.arp.macVendor:Xerox
To determine if a service has an attribute at all, use the has keyword. The has keyword can be inverted to find missing fields, with not has:<term>.
has:"http.head.server"
not has:"html.title"
Software search keywords
When viewing software, you can use the keywords in this section to search and filter.
Software source
The source reporting the software installed can be searched or filtered by name using the syntax source:<name>.
source:rumble
Software vendor
The vendor associated with a software can be searched by name using the syntax vendor:<name>.
vendor:oracle
Software product
The product associated with a software can be searched by name using the syntax product:<name>.
product:java
Wireless search keywords
When viewing WiFi networks, you can use the keywords in this section to search and filter.
SSID (ESSID)
The SSID/ESSID field can be searched using the syntax ssid:<text>.
ssid:"Guest Network"
ssid:"Corporate"
BSSID (MAC)
The BSSID field can be searched using the syntax bssid:<text> or mac:<text>.
bssid:"00:01:02:03:04:05"
mac:"00:01:%"
Vendor
The vendor field can be searched using the syntax mac_vendor:<text>.
mac_vendor:"Google"
mac_vendor:"Netgear"
mac_vendor:"Cisco"
Family
The family field can be searched using the syntax family:<term>.
family:"010304"
Channels
The channels field can be searched using the syntax channel:<term>.
channel:"11"
Type
The network type field can be searched using the syntax type:<text>.
type:"infrastructure"
Interface
The network interface field can be searched using the syntax interface:<text>.
interface:"wlan0"
Encryption
The encryption field can be searched using the syntax encryption:<term>.
encryption:"aes"
encryption:"none"
Authentication
The authentication field can be searched using the syntax authentication:<term>.
authentication:"wpa2-psk"
authentication:"open"
Timestamps
The timestamp fields (first_seen, last_seen, created_at) can be searched using the syntax first_seen:<term>, last_seen:<term>, and created_at:<term>. The term supports the standard Rumble time comparison syntax.
first_seen:<30seconds
first_seen:>2019-08-01
last_seen:<1week
last_seen:<2months
created_at:>2weeks
created_at:<30minutes
Signal
The signal field can be searched using the syntax signal:<number> or sig:<number>. The term can include the operators >, =, <=, and =. The default operator is =.
signal:">75"
signal:"<=25"
signal:99
Organization name or ID
Use the syntax organization:<term> to filter by organization name or ID.
organization:Rumble
organization:"Temporary Project"
organization:f1c3ef6d-cb41-4d55-8887-6ed3cfb3d42d
Site name or ID
The site name or ID can be used as a filter with the syntax site:<term>.
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Explorer name or ID
The explorer name or ID can be used as a filter with the syntax explorer:<term>.
explorer:DESKTOP-AB451F
explorer:8b927a8e-d405-40e9-aa47-d6afc9bff237
Wireless ID
The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Last task ID
The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.
task:39ab0e71-3cf1-4176-b6b0-4ed495288229
Wireless attributes
All wireless attributes can be searched using the syntax <attribute>:<term>.
radio_type:"802.11n"
Analysis report search keywords
When viewing generated analysis reports, you can use the keywords in this section to search and filter.
Name
The Name field can be searched using the syntax name:<text>.
name:"main"
Description
The Description field can be searched using the syntax description:<text>.
description:"compare secondary"
Type
The report type can be searched using the syntax type:<text>.
type:outliers
Report ID
The ID field is the unique identifier for a given analysis report, written as a UUID. This field is searched using the syntax id:<uuid>.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Created at
The timestamp when a report was generated can be searched using the syntax created_at:<term>. The term supports the standard Rumble time comparison syntax.
created_at:>2019-08-01
created_at:<1week
Created by
The Created By field can be searched using the syntax created_by:<term>.
created_by:jsmith
Query library search keywords
When viewing saved queries, you can use the keywords in this section to search and filter.
Name
The Name field can be searched using the syntax name:<text>.
name:"smb2"
Description
The Description field can be searched using the syntax description:<text>.
description:"smb version 1"
description:"wep"
Type
The Type field can be searched using the syntax type:<term>.
type:"services"
Category
The Category field can be searched using the syntax category:<term>.
category:"security"
category:"audit"
Severity
The Severity field can be searched using the syntax severity:<term>.
severity:"info"
severity:"critical"
Created by
The Created By field can be searched using the syntax created_by:<term>.
created_by:"rumble"
Timestamps (created at, updated at)
The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Explorer search keywords
When viewing deployed explorers, you can use the keywords in this section to search and filter.
Name
The Name field can be searched using the syntax name:<text>.
name:"main"
Site
The site can be searched using the syntax site:<text>.
site:Primary
Up
Whether the explorer is up can be searched using the syntax up:<boolean>.
up:true
Address
The IP address(es) the explorer is deployed on can be searched using the syntax address:<IP address>.
address:10.0.1.200
Version
The software version of explorers can be searched using version:<text>.
version:2.9.7
Npcap version
The version of the npcap library for Windows explorers can be searched using npcap_version:<text>.
npcap_version:1.60
Architecture
The machine architecture explorers are deployed on can be searched using architecture:<text>.
architecture:amd64
OS
The operating system explorers are deployed on can be searched using os:<text>. Note that macOS is recorded as darwin, the underlying Unix core of macOS.
os:windows
os:darwin
Capability
The capabilities of the explorers can be searched using the syntax capability:<keyword>. Two keywords are supported:
screenshot for explorers which can screenshot web pages
ec2 for explorers which can describe AWS EC2 instances
Example:
capability:screenshot
Explorer tags
Use the syntax tag:<term> to search tags added to an explorer. The term can be the tag name, or the tag name followed by an equal sign and the tag value. Tag value matches must be exact.
tag:"admin"
tag:"group=cloud"
Task search keywords
When viewing all tasks, you can use the keywords in this section to search and filter.
Name
The Name field can be searched using the syntax name:<text>.
name:"test scan"
Description
The Description field can be searched using the syntax description:<text>.
description:"full scan"
Created by
The Created By field can be searched using the syntax created_by:<term>.
created_by:"admin"
Type
The task type can be searched using type:<text>.
type:scan
Status
The task status can be searched using status:<text>.
status:error
Error
The task error message can be searched using error:<text>.
error:"no disk space"
Recurrence frequency
The frequency tasks recur at (the "Freq" column) can be searched using recur_frequency:<text> or freq:<text>. The term recurring:<boolean> or recur:<boolean> can be used to search based on whether tasks recur at all.
recur_frequency:hourly
freq:daily
freq:continuous
recur:true
To search for tasks with a frequency of Nth Weekday of Month, you can use (for example) freq:nth_weekday,2 freq:monday to find tasks which repeat on the second Monday of each month.
Timestamps (created at, updated at)
The timestamp fields, created_at and updated_at, can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Next/last run time
You can search by next recurrence and last recurrence using the terms recur_last:<term> and recur_next:<term>. The term supports the standard Rumble time comparison syntax.
recur_last:<2hours
recur_next:>1day
Start time
You can search by start time using the syntax start_time:<term>. The term supports the standard Rumble time comparison syntax.
start_time:<2hour
Grace period
The grace period can be searched using the syntax grace_period:<term> or just grace:<term>. The term supports the standard Rumble time comparison syntax.
grace:<2hour
Site name or ID
Use the syntax site:<term> to filter by site name or ID.
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Template ID
Use the syntax template_id:<term> to filter by scan template ID.
template_id:de657459-041b-439d-af59-ff1f153a7722
Source
The data source for tasks can be searched using the term source:<text> or source_id:<number>.
source:censys
Sources are:
| ID | Name | Description |
|---|---|---|
| 1 | rumble | Rumble scan |
| 2 | miradore | Miradore MDM |
| 3 | aws | AWS EC2 API |
| 4 | crowdstrike | CrowdStrike Falcon |
| 5 | azure | Microsoft Azure |
| 6 | censys | Censys Search API |
| 7 | vmware | VMWare |
Credential ID
You can search for tasks which use a specific set of credentials using credential_id:<id>.
credential_id:d7931a68-6e56-11ec-ad72-f875a414a63a
Parameters
Tasks can be searched for task parameters using params:<text>. This can be useful for searching for scan tasks which had specific probes enabled.
params:bacnet
Scan template search keywords
When viewing scan templates, you can use the keywords in this section to search and filter.
ID
The ID field is the unique identifier for a given template, written as a UUID. Use the syntax id:<uuid> to filter by ID field.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Name
Use the syntax name:<text> to search by scan template name.
name:WiFi
name:"Data Center"
Timestamps
Use the following syntaxes to search the scan template timestamp fields (created_at, updated_at):
created_at:<term>
updated_at:<term>
The term supports the standard Rumble time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
Scan template created by
The email address for the user that created the template can be searched using the syntax created_by_email:<term>.
created_by_email:user@example.com
Site search keywords
When viewing sites, you can use the keywords in this section to search and filter.
Name
The Name field can be searched using the syntax name:<text>.
name:"Primary"
Description
The Description field can be searched using the syntax description:<text>.
description:"wireless"
description:"vlan 50"
Scope
The Scope field can be searched using the syntax scope:<term>.
scope:"10.10.10."
Excludes
The Excludes field can be searched using the syntax excludes:<term>.
excludes:"192.168.0."
Timestamps (created at, updated at)
The timestamp fields (created_at, updated_at) can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Organization search keywords
Name
The Name field can be searched using the syntax name:<text>.
name:"main"
Description
The Description field can be searched using the syntax description:<text>.
description:"branch office"
description:"pci"
Timestamps (created at, updated at)
The timestamp fields (created_at, updated_at) can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
Credential search keywords
When viewing saved credentials, you can use the keywords in this section to search and filter.
Credential fields
Credential ID
The ID field is the unique identifier for a given credential, written as a UUID. This field is searched using the syntax id:<uuid>.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Credential name
The credential name can be searched using the syntax name:<text>.
name:"AWS read-only account"
name:"Miradore API key"
Credential type
The credential type can be searched using the syntax type:<text>.
type:aws_access_secret
type:miradore_api_key_v1
Credential global property
The global property describes the level of access for all organizations. If a credential is global, all organizations have access to it. The global property can be searched using the syntax global:<boolean>.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
global:true
global:0
Credential timestamps
Credential timestamp fields (created_at and last_used_at) can be searched using the syntax:
created_at:<term>
last_used_at:<term>
The term supports the standard Rumble time comparison syntax.
created_at:<3days
created_at:>2019-08-01
created_at:>8/1/2019
created_at:<1week
created_at:<2months
last_used_at:<1year
last_used_at:>2weeks
last_used_at:<30minutes
last_used_at:>1year
last_used_at:<12hours
last_used_at:0
Credential created by
The created_by_email field holds the email address for the user that created the credential. It can be searched using the syntax created_by_email:<term>.
created_by_email:user@example.com
User search keywords
When viewing users, you can use the keywords in this section to search and filter.
Use the syntax email:<address> to search for someone by email address.
email:john@example.com
Name
Use the syntax name:<text> to search for someone by name.
name:john
name:"John Smith"
Superuser
To search for people based on whether they have superuser access, use the term superuser:<boolean>.
superuser:true
superuser:f
Access
Use the syntax access:<term> to search for users with a specific access level. Possible access levels are admin, user, annotator, viewer, billing and none.
access:admin
Status
To search for users by invitation status, use the term status:<text>. Possible status values are activated, pending and expired.
status:pending
SSO
To search for people based on whether they can only log in via SSO, use the term sso:<boolean>.
sso:true
MFA
To search for people based on whether they have enrolled an MFA token, use the term mfa:<boolean>.
mfa:f
Group ID
The group_id field is the unique identifier for a given group, written as a UUID. To search for users that are part of a group based on the group's ID, use the syntax group_id:<uuid>.
group_id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Group name
To search for users that are part of a group based on the group's name, use the syntax group_name:<text>.
group_name:administrators
group_name:"Temp annotators"
Group search keywords
When viewing your groups, you can use the keywords in this section to search and filter.
ID
The ID field is the unique identifier for a given group, written as a UUID. Use the syntax id:<uuid> to filter by ID field.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Name
Use the syntax name:<text> to search by group name.
name:administrators
name:"Temp annotators"
Access
Use the syntax access:<term> to search for groups with a specific access level. Possible access levels are admin, user, annotator, viewer, billing and none.
access:admin
Timestamps (created at, updated at)
Filter groups by their timestamp fields, created_at and updated_at, using the syntax created_at:<term> and updated_at:<term>. The terms support the standard Rumble time comparison syntax.
created_at:<30days
updated_at:<1week
Expiration
Filter groups by their expiration timestamp, expires_at, using the syntax expires_at:<term>. The term supports the standard Rumble time comparison syntax.
expires_at:<30days
expires_at:>8/1/2019
The expired property describes whether or not a group has expired. Search this property using the expired:<boolean> syntax.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
expired:true
expired:0
Use the syntax has_expiration:<term> to find any groups with an expiration date.
The term is a boolean value: true, t, 1, and yes represent true; false, f, 0, and no represent false.
has_expiration:true
has_expiration:0
The created_by_email property holds the email address for the user that created the group. It can be searched using the syntax created_by_email:<term>.
created_by_email:user@rumble.run
Group mapping search keywords
When viewing your SSO group mappings, you can use the keywords in this section to search and filter.
ID
The ID field is the unique identifier for a given group mapping, written as a UUID. Use the syntax id:<uuid> to filter by ID field.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
SSO attribute
The sso_attribute is the name of the attribute field to check for matching values. Use the syntax sso_attribute:<text> to search by sso_attribute.
sso_attribute:department
SSO value
The sso_value is the value or comma-separated list of values to match. Use the syntax sso_value:<text> to search by sso_value.
sso_value:security
sso_value:"admins, administrators"
Group ID
The group_id field is the unique identifier for a given group, written as a UUID. To search for group mappings related to a group based on the group's ID, use the syntax group_id:<uuid>.
group_id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Group name
To search for group mappings related to a group based on the group's name, use the syntax group_name:<text>.
group_name:administrators
group_name:"Temp annotators"
Timestamps (created at, updated at)
Filter group mappings by their timestamp fields, created_at and updated_at, using the syntax created_at:<term> and updated_at:<term>. The terms support the standard Rumble time comparison syntax.
created_at:<30days
updated_at:<1week
The created_by_email property holds the email address for the user that created the group mapping. It can be searched using the syntax created_by_email:<term>.
created_by_email:user@rumble.run
Event search keywords
When viewing system events under alerts, you can use the keywords in this section to search and filter.
Action
Use the syntax action:<text> to search by the action which caused the event.
action:agent-reconnected
Created timestamp
The timestamp fields created_at and updated_at can be searched using the syntax created_at:<term> and updated_at:<term>. The term supports the standard Rumble time comparison syntax.
created_at:>2weeks
created_at:<30minutes
updated_at:>1month
updated_at:2hours
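The time comparison terms used for credential timestamps, group timestamps and expiration, and event timestamps, together with the boolean spellings listed under Expiration, as an added Python example that is not Rumble/runZero code: a small evaluator that compiles a term such as created_at:<3days, created_at:>8/1/2019 or last_used_at:0 into a filter over constructed credential records. It assumes that a relative term compares a record's age, that an absolute date compares the timestamp itself, and that a month is 30 days and a year 365 days.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical evaluator (not Rumble/runZero code); the unit sizes are assumptions.
_REL = re.compile(r"^(\d+)(minute|hour|day|week|month|year)s?$")
_DAYS = {"minute": 1 / 1440, "hour": 1 / 24, "day": 1, "week": 7,
         "month": 30, "year": 365}  # assumed: 30-day month, 365-day year
_TRUE, _FALSE = {"true", "t", "1", "yes"}, {"false", "f", "0", "no"}

def parse_bool(value):
    """Accepts the page's boolean spellings: true/t/1/yes and false/f/0/no."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean term: {value!r}")

def parse_cutoff(term, now):
    """Return (cutoff, is_relative) for '3days', '2019-08-01' or '8/1/2019'."""
    m = _REL.match(term)
    if m:
        return now - timedelta(days=int(m.group(1)) * _DAYS[m.group(2)]), True
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(term, fmt).replace(tzinfo=timezone.utc), False
        except ValueError:
            pass
    raise ValueError(f"unrecognised time term: {term!r}")

def time_predicate(query, now):
    """Compile 'field:<term', 'field:>term' or 'field:0' into a record filter. Assumed
    semantics: a relative term compares age ('<3days' = under 3 days old), an absolute
    date compares the timestamp ('>2019-08-01' = after it), ':0' = field never set."""
    field, _, value = query.partition(":")
    if value == "0":
        return lambda rec: rec.get(field) is None
    op, term = value[:1], value[1:]
    if op not in ("<", ">"):
        raise ValueError(f"unsupported comparison: {value!r}")
    cutoff, relative = parse_cutoff(term, now)
    want_newer = (op == "<") if relative else (op == ">")
    return lambda rec: rec.get(field) is not None and (rec[field] > cutoff) == want_newer

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed sample records below
    creds = [{"name": "svc-backup", "last_used_at": None},
             {"name": "svc-legacy", "last_used_at": now - timedelta(days=400)}]
    stale = time_predicate("last_used_at:>1year", now)  # unused for over a year
    print([c["name"] for c in creds if stale(c)])  # ['svc-legacy']
```

Pairing last_used_at:>1year with last_used_at:0 is a quick way to review credentials that are stale or have never been exercised.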
Details
The details in the event record can be searched using the syntax details:<text>. This can be useful for searching for IP addresses.
details:192.168.0.1
Source and target name
The source (src) column can be searched using the syntax src:<text> or source:<text>. The target (tgt) column can be searched using tgt:<text> or target:<text>.
src:crowdstrike
target:primary
Source and target type
The source type (shown at the start of the src column) can be searched using the syntax src_type:<text> or source_type:<text>.
Similarly, the target type can be searched using tgt_type:<text> or target_type:<text>.
src_type:task
target_type:site
Organization, site, source and target IDs
The IDs of organizations, sites, sources and targets mentioned in event details can be searched using the following search terms:
organization_id:<uuid>
site_id:<uuid>
source_id:<uuid> or src_id:<uuid>
target_id:<uuid> or tgt_id:<uuid>
The IDs are unique and are written as UUIDs.
organization_id:0eacf412-6e69-11ec-88b9-f875a414a63a