The Rumble Inventory and Export functionality support arbitrary search queries to filter assets and services. The queries can be combined to
create powerful automation using the Rumble asset dataset. Search queries can be combined through AND and OR operators and be grouped using parenthesis.
For example, a query of os:"Windows 10" AND protocols:http AND protocols:smb2 will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.
By contrast, the example query of os:"Windows 10" AND protocols:http OR protocols:smb2 will search for Windows 10 running a web server or any assets with the SMB service exposed.
In addition to AND and OR, the NOT operator can be used to filter a query. For example, the query os:"Windows 10" AND NOT protocols:http will show Windows 10 systems without a web server. If the negation should happen as the first term the AND should be dropped. The query NOT protocol:http AND os:"Windows 10" is equivalent to the previous search, with the terms reversed.
Asset and Service searches are handled slightly differently. Service queries can filter against Asset attributes (os:linux) and Service attributes (banner:Password), but the Asset queries are limited to summary information about services (protocol:ssh).
Comments that have been set on an asset can be searched using the syntax comments:<term> and comment:<term>.
comment:"contractor laptop"
comments:"imaging server"
Tags that have been set on an asset can be searched using the syntax tag:<term> and tags:<term>.
tag:"sales"
tags:"CDE"
The site name or ID can be used as a filter with the syntax site:<term>
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
The agent name or ID can be used as a filter with the syntax agent:<term>
agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237
The ID field is the unique identifier for a given asset, written as a UUID. This field is searched using the syntax id:<uuid>.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
The Last Task ID field defines which task most recently updated a given asset and is written as a UUID. This field is searched using the syntax task:<uuid>.
task:39ab0e71-3cf1-4176-b6b0-4ed495288229
The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<term>.
os:"Windows"
os:"Ubuntu Linux"
The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. This field is searched using the syntax type:<term>.
type:Desktop
type:BMC
type:"Game Console"
The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. This field is searched using the syntax hw:<term> and hardware:term.
hw:Switch
hardware:macMini
The hostnames associated with an asset are obtained from DNS and exposed services. These names can be searched using the syntax hostname:<term>, name:<term>, and names:<term>.
names:"www"
name:"TV"
hostname:"RTR"
The hostname count can be searched using the syntax name_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
name_count:>=1
The domains associated with an asset are obtained from DNS and exposed services. These domain names can be searched using the syntax domain:<term> and domains:<term>.
domains:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"
The domain count can be searched using the syntax domain_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
domain_count:>=1
The addresses (both primary and secondary) associated with an asset can be searched using the syntax ip:<term>, addr:<term>, and host:<term>.
ip:192.168.0.1
addr:10.0.0
addr:10.0.0.5
host:172.16.1.1
The address counts both primary and secondary) can be searched using the syntax address_count:<term> and address_extra_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
address_count:>=2
address_extra_count:0
The addresses (both primary and secondary) associated with an asset can be searched by CIDR mask using the syntax net:<term>.
net:192.168.0.0/24
The MAC addresses associated with an asset can be searched using the syntax mac:<term> and macs:<term>.
mac:00:5c:04
macs:00:00:1c
The MAC address count can be searched using the syntax mac_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
mac_count:>=1
The vendor associated with the MAC addresses of an asset can be searched using the syntax mac-vendor:<term> and vendor:<term>.
vendor:Apple
mac-vendor:"Intel Corporate"
The asset attributes fields, such as the port used to detect the TTL, can be searched using the syntax attribute:<term>, attributes:<term>, and attr:<term>.
attr:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attributes:"9.11.3"
To determine if an asset has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.
has:"ip.ttl.port"
not has:"rdns.names"
In addition to the standard fields, the following special attributes exist:
has:screenshot returns assets where at least one screenshot was obtained.has:icons returns assets where at least one icon was obtained (HTTP, UPnP, or similar).has:uplink returns assets seen in the CAM table of a network switch.has:downlink returns assets where the CAM table was queried at least one other asset was connected.has:unmapped returns assets where the CAM table was queried at least one other asset was connected but not identified by IP.The attribute can be specified as a term directly. If the attribute name conflicts with an existing term, the prefix _asset. can be specified to disambiguate the query.
ip.ttl.port:80
rdns.names:"router"
_asset.ip.ttl.hops:"1"
The TCP and UDP services associated with an asset can be searched by port number using the syntax port:<term>.
port:80
port:161
The TCP services associated with an asset can be searched by port number using the syntax tcp:<term>.
port:443
The UDP services associated with an asset can be searched by port number using the syntax udp:<term>.
port:53
The identified service protocols associated with an asset can be searched using the syntax protocol:<term> and protocols:<term>.
protocol:http
protocols:telnet
The protocol count can be searched using the syntax protocol_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
protocol_count:>=5
The identified service products associated with an asset can be searched using the syntax product:<term> and product:<term>.
product:openssh
products:nginx
The product count can be searched using the syntax product_count:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
product_count:>=3
The number of services associated with an asset can be searched by port number using the following keywords. These support numerical comparison operators (>, >=, <, <=, =).
tcp_count:<term>
udp_count:<term>
icmp_count:<term>
arp_count:<term>
service_count:<term>
service_count_tcp:<term>
service_count_udp:<term>
service_count_icmp:<term>
service_count_arp:<term>
Examples include:
tcp_count:>=5
service_count_arp:0
service_count_udp:<=1
The asset timestamp fields (first_seen, last_seen, created_at, updated_at) timestamps can be searched using the syntax firstseen:<term>, first_seen:<term>, last_seen:<term>,
lastseen:<term>, created_at:<term>, created:<term>, updated_at:<term>, and updated:<term>.
The term includes a greater than > or less than < operator followed by either a relative or absolute date expression.
Relative date expressions include seconds, minutes, hours, days, weeks, and years, in both plural and singular forms.
Absolute date expressions can be in international (2019-12-31) or USA (12/31/2019) forms.
Note that created_at is usually identical to first_seen (initial asset detection) while updated_at can be very different from last_seen; the former indicates when the asset
record was last updated (offline or otherwise) while the latter is when the asset was last seen alive. The updated_at query can be useful when synchonizing the inventory to
external systems (using updated:<24hours on a daily import, etc).
firstseen:<30seconds
firstseen:>3days
first_seen:>2019-08-01
first_seen:>8/1/2019
lastseen:<1week
last_seen:<2months
lastseen:<1year
created_at:>2weeks
created:<30minutes
updated_at:>1year
updated:<12hours
The alive status of an asset can be searched using the syntax alive:<term> and online:<term> as well as the inverse with the syntax offline:<term> and dead:<term>.
The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.
alive:t
dead:f
online:1
offline:0
The detected by attribute of an asset can be searched using the syntax det:<term> and detected-by:<term>.
The term is one of arp, icmp, tcp-<port>, or udp-<port>. In the case of multiple detections, the priority goes arp, icmp, and then the first detected service.
det:arp
detected-by:80-tcp
det:53-udp
The lowest TTL of an asset can be searched using the syntax ttl:<term> and lowest_ttl:<term>. The TTL is the estimated number of hops between the scan source and the asset. This term supports numerical comparison operators (>, >=, <, <=, =).
ttl:0
lowest_ttl:>=1
The lowest RTT of an asset can be searched using the syntax rtt:<term> and lowest_rtt:<term>. The RTT is the round-trip response time of a given probe measured in nanoseconds (1,000,000 == 1ms). This term supports numerical comparison operators (>, >=, <, <=, =). The RTT
Find assets that responded in less than one millisecond:
rtt:<=1000000
Find assets that responded in more than 50 milliseconds:
lowest_rtt:>=50000000
The multihome status (multiple network addresses) of an asset can be searched using the syntax multihome:<term>.
The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.
multihome:true
multihome:no
Assets with multiple MAC addresses can be searched using the syntax multimac:<term>.
The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.
multimac:t
multimac:0
Assets with any MAC addresses can be searched using the syntax hasmac:<term>.
The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.
hasmac:yes
hasmac:f
| HasMAC | hasmac | Assets with at least one MAC address. Boolean (t, 1, yes or f, 0, no) |
Assets with multiple hostnames can be searched using the syntax multiname:<term>.
The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.
multiname:yes
multiname:false
The TCP and UDP services associated with a service can be searched by port number using the syntax port:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =).
port:80
port:161
port:>=10000
port:<=25
The TCP services associated with a service can be searched by port number using the syntax tcp:<term>.
port:443
The UDP service associated with a service can be searched by port number using the syntax udp:<term>.
port:53
The transport associated with a service can be searched by name using the syntax transport:<term>.
transport:tcp
transport:udp
transport:icmp
The identified service protocols associated with a service can be searched using the syntax protocol:<term> and protocols:<term>.
protocol:http
protocols:telnet
The virtual host associated with a service can be searched by name using the syntax vhost:<term>.
vhost:"www"
All service attributes can be searched using the syntax <attribute>:<term>. This keyword support numerical comparison operators (>, >=, <, <=, =). If the attribute name conflicts with an existing term, the prefix _service. can be specified to disambiguate the query.
banner:password
service.product:"OpenSSH"
html.title:"Apache2 Ubuntu Default Page"
http.code:>=500
screenshot.image.size:=>100000
_service.macVendor:Xerox
To determine if a service has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.
has:"http_header.server"
not has:"html.title"
The SSID field can be searched using the syntax ssid:<term> or essid:<term>.
essid:"Guest Network"
ssid:"Corporate"
The BSSID field can be searched using the syntax bssid:<term> or mac:<term>.
bssid:"00:01:02:03:04:05"
mac:"00:01:%"
The vendor field can be searched using the syntax mac-vendor:<term>, macvendor:<term>, or vendor:<term>.
vendor:"Google"
mac-vendor:"Netgear"
macvendor:"Cisco"
The family field can be searched using the syntax family:<term>.
family:"010304"
The channels field can be searched using the syntax channel:<term> or channels:<term>.
channel:"11"
The network type field can be searched using the syntax type:<term>.
type:"infrastructure"
The network interface field can be searched using the syntax interface:<term>.
interface:"wlan0"
The encryption field can be searched using the syntax encryption:<term> or enc:<term>.
encryption:"aes"
enc:"none"
The authentication field can be searched using the syntax authentication:<term> or auth:<term>.
authentication:"wpa2-psk"
auth:"open"
The timestamp fields (first_seen, last_seen, created_at) timestamps can be searched using the syntax firstseen:<term>, first_seen:<term>, last_seen:<term>, lastseen:<term>, created_at:<term>, and created:<term>. The term matches the Asset Timestamp syntax.
firstseen:<30seconds
first_seen:>2019-08-01
lastseen:<1week
last_seen:<2months
created_at:>2weeks
created:<30minutes
The signal field can be searched using the syntax signal:<term> or sig:<term>. The term can include the operators >, <, >=, <=, and =. The default operator is =.
signal:">75"
signal:"<=25"
signal:99
The site name or ID can be used as a filter with the syntax site:<term>
site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
The agent name or ID can be used as a filter with the syntax agent:<term>
agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237
The ID field is the unique identifier for a given wireless network, written as a UUID. This field is searched using the syntax id:<uuid>.
id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
The Last Task ID field defines which task most recently reported the wireless network and is written as a UUID. This field is searched using the syntax task:<uuid>.
task:39ab0e71-3cf1-4176-b6b0-4ed495288229
All wireless attributes can be searched using the syntax <attribute>:<term>.
radio_type:"802.11n"
The Name field can be searched using the syntax name:<term>.
name:"main"
The Description field can be searched using the syntax desc:<term> or description:<term>
desc:"branch office"
description:"pci"
The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term>, created:<term>, updated_at:<term>, updated:<term>. The term matches the Asset Timestamp syntax.
created_at:>2weeks
created:<30minutes
updated_at:>1month
updated:2hours
The Name field can be searched using the syntax name:<term>.
name:"Primary"
The Description field can be searched using the syntax desc:<term> or description:<term>.
desc:"wireless"
description:"vlan 50"
The Scope field can be searched using the syntax scope:<term> .
scope:"10.10.10."
The Excludes field can be searched using the syntax excludes:<term> .
excludes:"192.168.0."
The timestamp fields (created_at, updated_at) timestamps can be searched using the syntax created_at:<term>, created:<term>, updated_at:<term>, updated:<term>. The term matches the Asset Timestamp syntax.
created_at:>2weeks
created:<30minutes
updated_at:>1month
updated:2hours