The Rumble Inventory and Export functionality supports arbitrary search queries to filter assets and services. The queries can be combined to create powerful automation using the Rumble asset dataset. Search queries can be combined through `AND` and `OR` operators, but all terms are evaluated as one flat group; there is no nested sub-grouping.
For example, a query of `os:"Windows 10" AND protocols:http AND protocols:smb2` will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.
By contrast, the example query of `os:"Windows 10" AND protocols:http OR protocols:smb2` will search for Windows 10 running a web server or any assets with the SMB service exposed.
In addition to `AND` and `OR`, the `NOT` operator can be used to filter a query. For example, the query `os:"Windows 10" AND NOT protocols:http` will show Windows 10 systems without a web server. If the negation is the first term, the `AND` should be dropped. The query `NOT protocol:http AND os:"Windows 10"` is equivalent to the previous search, with the terms reversed.
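The following is an added example, not code from Rumble, showing how the flat left-to-right grouping described above plays out against a few constructed asset records: `A AND B OR C` reads as `(A AND B) OR C`, and `NOT` inverts only the term that follows it. The matching semantics (case-insensitive substring for string fields, exact membership for set-valued fields) are assumptions for illustration, not documented Rumble behaviour.

```python
import shlex

# Field aliases shown on the page (singular and plural forms select the same data).
ALIASES = {"protocol": "protocols", "product": "products"}

# Constructed sample assets, not real inventory data.
ASSETS = [
    {"id": "a1", "os": "Windows 10", "protocols": {"http", "smb2"}},
    {"id": "a2", "os": "Windows 10", "protocols": {"smb2"}},
    {"id": "a3", "os": "Ubuntu Linux", "protocols": {"ssh", "smb2"}},
    {"id": "a4", "os": "Windows 10", "protocols": {"http"}},
]

def term_matches(asset: dict, term: str) -> bool:
    """Evaluate one field:value term. Matching semantics are an assumption here:
    case-insensitive substring for strings, exact member for set-valued fields."""
    field, _, value = term.partition(":")
    current = asset.get(ALIASES.get(field, field))
    if current is None:
        return False
    if isinstance(current, set):
        return value.lower() in {v.lower() for v in current}
    return value.lower() in str(current).lower()

def evaluate(query: str, asset: dict) -> bool:
    """Evaluate a flat query left to right: AND/OR join the running result with
    the next term and there is no precedence or parenthesized grouping, so
    'A AND B OR C' reads as '(A AND B) OR C'. NOT inverts the following term."""
    tokens = shlex.split(query)  # keeps os:"Windows 10" together as one token
    result, op, negate = None, "AND", False
    for tok in tokens:
        if tok.upper() in ("AND", "OR"):
            op = tok.upper()
            continue
        if tok.upper() == "NOT":
            negate = True
            continue
        value = term_matches(asset, tok) != negate
        negate = False
        if result is None:
            result = value
        elif op == "AND":
            result = result and value
        else:
            result = result or value
    return bool(result)

def search(query: str, assets: list[dict] = ASSETS) -> list[str]:
    """Return the IDs of the sample assets matched by the query."""
    return [a["id"] for a in assets if evaluate(query, a)]
```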
Asset and Service searches are handled slightly differently. Service queries can filter against Asset attributes (`os:linux`) and Service attributes (`banner:Password`), but Asset queries are limited to summary information about services (`protocol:ssh`).
Comments that have been set on an asset can be searched using the syntax `comments:<term>` and `comment:<term>`.
comment:"contractor laptop"
comments:"imaging server"
Tags that have been set on an asset can be searched using the syntax `tag:<term>` and `tags:<term>`.
tag:"sales"
tags:"CDE"
The site name or ID can be used as a filter with the syntax `site:<term>`.
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
The agent name or ID can be used as a filter with the syntax `agent:<term>`.
agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237
The ID field is the unique identifier for a given asset, written as a UUID. This field is searched using the syntax `id:<uuid>`.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
The Last Task ID field defines which task most recently updated a given asset and is written as a UUID. This field is searched using the syntax `task:<uuid>`.
task:39ab0e71-3cf1-4176-b6b0-4ed495288229
The operating system field is a string describing the detected operating system software. This field is searched using the syntax `os:<term>`.
os:"Windows"
os:"Ubuntu Linux"
The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. This field is searched using the syntax `type:<term>`.
type:Desktop
type:BMC
type:"Game Console"
The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. This field is searched using the syntax `hw:<term>` and `hardware:<term>`.
hw:Switch
hardware:macMini
The hostnames associated with an asset are obtained from DNS and exposed services. These names can be searched using the syntax `hostname:<term>`, `name:<term>`, and `names:<term>`.
names:"www"
name:"TV"
hostname:"RTR"
The domains associated with an asset are obtained from DNS and exposed services. These domain names can be searched using the syntax `domain:<term>` and `domains:<term>`.
domains:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"
The addresses (both primary and secondary) associated with an asset can be searched using the syntax `ip:<term>`, `addr:<term>`, and `host:<term>`.
ip:192.168.0.1
addr:10.0.0
addr:10.0.0.5
host:172.16.1.1
The addresses (both primary and secondary) associated with an asset can be searched by CIDR mask using the syntax `net:<term>`.
net:192.168.0.0/24
The MAC addresses associated with an asset can be searched using the syntax `mac:<term>` and `macs:<term>`.
mac:00:5c:04
macs:00:00:1c
The vendor associated with the MAC addresses of an asset can be searched using the syntax `mac-vendor:<term>` and `vendor:<term>`.
vendor:Apple
mac-vendor:"Intel Corporate"
The asset attribute fields, such as the port used to detect the TTL, can be searched using the syntax `attribute:<term>`, `attributes:<term>`, and `attr:<term>`.
attr:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attributes:"9.11.3"
To determine whether an asset has an attribute at all, the `has` keyword can be used. The `has` keyword can be inverted to find missing fields, with `not has:<term>`.
has:"ip.ttl.port"
not has:"rdns.names"
The TCP and UDP services associated with an asset can be searched by port number using the syntax `port:<term>`.
port:80
port:161
The TCP services associated with an asset can be searched by port number using the syntax `tcp:<term>`.
tcp:443
The UDP services associated with an asset can be searched by port number using the syntax `udp:<term>`.
udp:53
The identified service protocols associated with an asset can be searched using the syntax `protocol:<term>` and `protocols:<term>`.
protocol:http
protocols:telnet
The identified service products associated with an asset can be searched using the syntax `product:<term>` and `products:<term>`.
product:openssh
products:nginx
The asset timestamp fields (`first_seen`, `last_seen`, `created_at`, `updated_at`) can be searched using the syntax `firstseen:<term>`, `first_seen:<term>`, `last_seen:<term>`, `lastseen:<term>`, `created_at:<term>`, `created:<term>`, `updated_at:<term>`, and `updated:<term>`.
The term includes a greater than (`>`) or less than (`<`) operator followed by either a relative or absolute date expression.
Relative date expressions include `seconds`, `minutes`, `hours`, `days`, `weeks`, and `years`, in both plural and singular forms.
Absolute date expressions can be in international (`2019-12-31`) or USA (`12/31/2019`) forms.
Note that `created_at` is usually identical to `first_seen` (initial asset detection), while `updated_at` can be very different from `last_seen`: the former indicates when the asset record was last updated (offline or otherwise), while the latter is when the asset was last seen alive. The `updated_at` query can be useful when synchronizing the inventory to external systems (using `updated:<24hours` on a daily import, etc.).
firstseen:<30seconds
firstseen:>3days
first_seen:>2019-08-01
first_seen:>8/1/2019
lastseen:<1week
last_seen:<2months
lastseen:<1year
created_at:>2weeks
created:<30minutes
updated_at:>1year
updated:<12hours
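As an added example (not Rumble's own code), the following compiles timestamp terms of the form above into predicates and applies them to constructed asset records, as a daily `updated:<24hours` import would. It assumes the natural reading of the operators: for a relative expression `<` means "less time ago" (newer than the cutoff), while for an absolute date `<` means "before that date", so the comparison direction flips between the two forms; the 30-day length used for `months` (which appears only in the page's examples) is also an assumption.

```python
import re
from datetime import datetime, timedelta

# Field aliases listed on the page; each resolves to the canonical column name.
ALIASES = {"firstseen": "first_seen", "lastseen": "last_seen",
           "created": "created_at", "updated": "updated_at"}
# Relative units from the page; 'month' = 30 days is an assumption, not documented.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400}
TERM_RE = re.compile(r"^(\w+):([<>])(.+)$")
REL_RE = re.compile(r"^(\d+)(second|minute|hour|day|week|month|year)s?$")

def parse_date_expr(expr: str, now: datetime) -> tuple[datetime, bool]:
    """Return (cutoff, is_relative) for '3days', '2019-08-01' or '8/1/2019'."""
    m = REL_RE.match(expr)
    if m:
        seconds = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
        return now - timedelta(seconds=seconds), True
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):  # international form, then USA form
        try:
            return datetime.strptime(expr, fmt), False
        except ValueError:
            continue
    raise ValueError(f"unrecognized date expression: {expr!r}")

def timestamp_filter(term: str, now: datetime):
    """Compile a term such as 'updated:<24hours' into (field, predicate).
    Relative: '<' means less time ago, i.e. newer than the cutoff.
    Absolute: '<' means before the date. The direction therefore flips."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"not a timestamp term: {term!r}")
    field, op, expr = m.groups()
    field = ALIASES.get(field, field)
    cutoff, is_relative = parse_date_expr(expr, now)
    newer = (op == "<") if is_relative else (op == ">")
    if newer:
        return field, lambda ts: ts > cutoff
    return field, lambda ts: ts < cutoff

# Constructed sample records, not real inventory data.
SAMPLE_ASSETS = [
    {"id": "a1", "first_seen": datetime(2019, 9, 1), "updated_at": datetime(2020, 1, 10, 3)},
    {"id": "a2", "first_seen": datetime(2019, 7, 15), "updated_at": datetime(2020, 1, 5, 9)},
]

def select(term: str, assets: list[dict], now: datetime) -> list[str]:
    """IDs of the assets whose timestamp field satisfies the term."""
    field, pred = timestamp_filter(term, now)
    return [a["id"] for a in assets if pred(a[field])]
```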
The alive status of an asset can be searched using the syntax `alive:<term>` and `online:<term>`, as well as the inverse with the syntax `offline:<term>` and `dead:<term>`.
The term is a boolean value, where `true`, `t`, `1`, and `yes` represent true and `false`, `f`, `0`, and `no` represent false.
alive:t
dead:f
online:1
offline:0
The detected-by attribute of an asset can be searched using the syntax `det:<term>` and `detected-by:<term>`.
The term is one of `arp`, `icmp`, `tcp-<port>`, or `udp-<port>`. In the case of multiple detections, the priority goes `arp`, `icmp`, and then the first detected service.
det:arp
detected-by:tcp-80
det:udp-53
The multihome status (multiple network addresses) of an asset can be searched using the syntax `multihome:<term>`.
The term is a boolean value, where `true`, `t`, `1`, and `yes` represent true and `false`, `f`, `0`, and `no` represent false.
multihome:true
multihome:no
Assets with multiple MAC addresses can be searched using the syntax `multimac:<term>`.
The term is a boolean value, where `true`, `t`, `1`, and `yes` represent true and `false`, `f`, `0`, and `no` represent false.
multimac:t
multimac:0
Assets with any MAC addresses can be searched using the syntax `hasmac:<term>`.
The term is a boolean value, where `true`, `t`, `1`, and `yes` represent true and `false`, `f`, `0`, and `no` represent false.
hasmac:yes
hasmac:f
Assets with multiple hostnames can be searched using the syntax `multiname:<term>`.
The term is a boolean value, where `true`, `t`, `1`, and `yes` represent true and `false`, `f`, `0`, and `no` represent false.
multiname:yes
multiname:false
The TCP and UDP services associated with a service can be searched by port number using the syntax `port:<term>`.
port:80
port:161
The TCP services associated with a service can be searched by port number using the syntax `tcp:<term>`.
tcp:443
The UDP services associated with a service can be searched by port number using the syntax `udp:<term>`.
udp:53
The transport associated with a service can be searched by name using the syntax `transport:<term>`.
transport:tcp
transport:udp
transport:icmp
The identified service protocols associated with a service can be searched using the syntax `protocol:<term>` and `protocols:<term>`.
protocol:http
protocols:telnet
The virtual host associated with a service can be searched by name using the syntax `vhost:<term>`.
vhost:"www"
All service attributes can be searched using the syntax `<attribute>:<term>`.
banner:password
service.product:"OpenSSH"
html.title:"Apache2 Ubuntu Default Page"
To determine whether a service has an attribute at all, the `has` keyword can be used. The `has` keyword can be inverted to find missing fields, with `not has:<term>`.
has:"http_header.server"
not has:"html.title"
The SSID field can be searched using the syntax `ssid:<term>` or `essid:<term>`.
essid:"Guest Network"
ssid:"Corporate"
The BSSID field can be searched using the syntax `bssid:<term>` or `mac:<term>`.
bssid:"00:01:02:03:04:05"
mac:"00:01:%"
The vendor field can be searched using the syntax `mac-vendor:<term>`, `macvendor:<term>`, or `vendor:<term>`.
vendor:"Google"
mac-vendor:"Netgear"
macvendor:"Cisco"
The family field can be searched using the syntax `family:<term>`.
family:"010304"
The channels field can be searched using the syntax `channel:<term>` or `channels:<term>`.
channel:"11"
The network type field can be searched using the syntax `type:<term>`.
type:"infrastructure"
The network interface field can be searched using the syntax `interface:<term>`.
interface:"wlan0"
The encryption field can be searched using the syntax `encryption:<term>` or `enc:<term>`.
encryption:"aes"
enc:"none"
The authentication field can be searched using the syntax `authentication:<term>` or `auth:<term>`.
authentication:"wpa2-psk"
auth:"open"
The timestamp fields (`first_seen`, `last_seen`, `created_at`) can be searched using the syntax `firstseen:<term>`, `first_seen:<term>`, `last_seen:<term>`, `lastseen:<term>`, `created_at:<term>`, and `created:<term>`. The term matches the Asset Timestamp syntax.
firstseen:<30seconds
first_seen:>2019-08-01
lastseen:<1week
last_seen:<2months
created_at:>2weeks
created:<30minutes
The signal field can be searched using the syntax `signal:<term>` or `sig:<term>`. The term can include the operators `>`, `<`, `>=`, `<=`, and `=`. The default operator is `=`.
signal:">75"
signal:"<=25"
signal:99
The site name or ID can be used as a filter with the syntax `site:<term>`.
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
The agent name or ID can be used as a filter with the syntax `agent:<term>`.
agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237
The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax `id:<uuid>`.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax `task:<uuid>`.
task:39ab0e71-3cf1-4176-b6b0-4ed495288229
All wireless attributes can be searched using the syntax `<attribute>:<term>`.
radio_type:"802.11n"