Search Query Syntax

The Rumble Inventory and Export functionality support arbitrary search queries to filter assets. The queries can be combined to create powerful automation using the Rumble asset dataset. Search queries can be combined through AND and OR operators, but all queries are considered part of the same group.

For example, a query of os:"Windows 10" AND protocols:http AND protocols:smb2 will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.

By contrast, the example query of os:"Windows 10" AND protocols:http OR protocols:smb2 will search for Windows 10 running a web server or any assets with the SMB service exposed.

In addition to AND and OR, the NOT operator can be used to filter a query. For example, the query os:"Windows 10" AND NOT protocols:http will show Windows 10 systems without a web server. If the negation should happen as the first term the AND should be dropped. The query NOT protocol:http AND os:"Windows 10" is equivalent to the previous search, with the terms reversed.

Search Keywords

Field Keywords Notes
Operating System os
Type type
Hardware hw, hardware
Hostnames hostname, name, names
Domains domain, domains
Comments comment, comments
Addresses address, addresses, ip, addr, host Searches both primary and secondary addresses
Protocols protocol, protocols
Products product, products
MACs mac, macs
MAC Vendors mac-vendor, vendor
Ports port Searches both TCP and UDP ports
TCP Port tcp
UDP Port udp
Credentials cred, creds, community
Services services Searches raw service response data, extremely slow, may be removed in future releases
Attributes attr, attribute, attributes
Tags tag, tags
Alive alive, online Boolean (t, 1, yes or f, 0, no)
Offline offline, dead Boolean (t, 1, yes or f, 0, no). Inverse of Alive.
Detected By det, detected-by Typically arp, icmp, tcp-[PORT], or udp-[PORT]
Multihome multihome Assets with more than one address. Boolean (t, 1, yes or f, 0, no)
MultiMAC multimac Assets with more than one MAC address. Boolean (t, 1, yes or f, 0, no)
MultiName multiname Assets with more than one hostname. Boolean (t, 1, yes or f, 0, no)
HasMAC hasmac Assets with at least one MAC address. Boolean (t, 1, yes or f, 0, no)