Search Query Syntax

The Rumble Inventory and Export functionality supports arbitrary search queries to filter assets and services. Queries can be combined to build powerful automation on top of the Rumble asset dataset. Terms within a query can be combined with the AND and OR operators, but there is no sub-grouping: every term in a query is treated as part of the same single group.

For example, the query os:"Windows 10" AND protocols:http AND protocols:smb2 will show only those assets where Windows 10 was identified and both an SMB2 service and a web server were discovered. Search values that contain spaces must be placed in double quotes.

By contrast, the query os:"Windows 10" AND protocols:http OR protocols:smb2 will match either Windows 10 assets running a web server or any asset with the SMB2 service exposed.

In addition to AND and OR, the NOT operator can be used to negate a term. For example, the query os:"Windows 10" AND NOT protocols:http will show Windows 10 systems without a web server. When the negation is the first term of the query, the leading AND is dropped: the query NOT protocol:http AND os:"Windows 10" is equivalent to the previous search, with the terms reversed.

Asset and Service searches are handled slightly differently. Service queries can filter against both Asset attributes (os:linux) and Service attributes (banner:Password), whereas Asset queries are limited to summary information about services (protocol:ssh).
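To make the AND/OR/NOT semantics above concrete, here is a small evaluator written for this page (it is not Rumble's own code) that runs the example queries over constructed asset records. It assumes left-to-right evaluation with no grouping, substring matching for text fields such as os, and set membership for multi-valued fields such as protocols; the real engine may differ in these details.

```python
import re
import shlex

# Constructed inventory records (not real Rumble data). Multi-valued fields
# such as protocols are sets; os is a free-text string.
ASSETS = [
    {"id": "win-web",  "os": "Windows 10",   "protocols": {"http", "smb2"}},
    {"id": "win-only", "os": "Windows 10",   "protocols": {"smb2"}},
    {"id": "linux",    "os": "Ubuntu Linux", "protocols": {"http", "ssh"}},
    {"id": "nas",      "os": "Linux",        "protocols": {"smb2", "nfs"}},
]
ALIASES = {"protocol": "protocols"}  # the page treats both spellings alike
TERM_RE = re.compile(r"^(?P<field>[a-z_.-]+):(?P<value>.+)$", re.I)

def term_matches(asset, term):
    """Match one field:value term (quotes were already removed by shlex)."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"not a field:value term: {term!r}")
    field = ALIASES.get(m.group("field").lower(), m.group("field").lower())
    value = m.group("value").lower()
    actual = asset.get(field)
    if isinstance(actual, set):           # membership for multi-valued fields
        return value in {v.lower() for v in actual}
    return actual is not None and value in actual.lower()  # substring for text

def evaluate(asset, query):
    """Combine terms left to right: result = result <AND|OR> [NOT] term."""
    result, op, negate = None, "AND", False
    for tok in shlex.split(query):        # keeps os:"Windows 10" as one token
        word = tok.upper()
        if word in ("AND", "OR"):
            op = word
        elif word == "NOT":
            negate = True
        else:
            value = term_matches(asset, tok) != negate  # apply pending NOT
            negate = False
            if result is None:
                result = value
            else:
                result = (result and value) if op == "AND" else (result or value)
            op = "AND"                    # adjacent terms are implicitly ANDed
    return bool(result)

def search(query):
    """Return the ids of constructed assets matching the query."""
    return [a["id"] for a in ASSETS if evaluate(a, query)]
```

Running the page's two AND/OR queries side by side shows how the trailing OR widens the result to every asset exposing SMB2, whether or not it runs Windows 10.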

Asset Search Keywords

User Specified Fields
Asset Comments

Comments that have been set on an asset can be searched using the syntax comments:<term> and comment:<term>.

comment:"contractor laptop"
comments:"imaging server"
Asset Tags

Tags that have been set on an asset can be searched using the syntax tag:<term> and tags:<term>.

tag:"sales"
tags:"CDE"
Site Name or ID

The site name or ID can be used as a filter with the syntax site:<term>.

site:Primary
site:"Branch Office"
site:ad67d649-041b-439d-af59-f200053a8899
Agent Name or ID

The agent name or ID can be used as a filter with the syntax agent:<term>.

agent:DESKTOP-AB451F
agent:8b927a8e-d405-40e9-aa47-d6afc9bff237
Asset Fields
Asset ID

The ID field is the unique identifier for a given asset, written as a UUID. This field is searched using the syntax id:<uuid>.

id:cdb084f9-4811-445c-8ea1-3ea9cf88d536
Asset Last Task ID

The Last Task ID field defines which task most recently updated a given asset and is written as a UUID. This field is searched using the syntax task:<uuid>.

task:39ab0e71-3cf1-4176-b6b0-4ed495288229
Asset Operating System

The operating system field is a string describing the detected operating system software. This field is searched using the syntax os:<term>.

os:"Windows"
os:"Ubuntu Linux"
Asset Type

The type field is a string describing the detected system type, such as Desktop, Laptop, Server, BMC, or Mobile. This field is searched using the syntax type:<term>.

type:Desktop
type:BMC
type:"Game Console"
Asset Hardware

The hardware field is a string describing the detected physical hardware, such as macMini or Nintendo Switch. This field is searched using the syntax hw:<term> and hardware:<term>.

hw:Switch
hardware:macMini
Asset Hostnames

The hostnames associated with an asset are obtained from DNS and exposed services. These names can be searched using the syntax hostname:<term>, name:<term>, and names:<term>.

names:"www"
name:"TV"
hostname:"RTR"
Asset Domains

The domains associated with an asset are obtained from DNS and exposed services. These domain names can be searched using the syntax domain:<term> and domains:<term>.

domains:"amazon.com"
domain:"corp.lan"
domain:"WORKGROUP"
Asset Addresses

The addresses (both primary and secondary) associated with an asset can be searched using the syntax ip:<term>, addr:<term>, and host:<term>.

ip:192.168.0.1
addr:10.0.0
addr:10.0.0.5
host:172.16.1.1
Asset Networks

The addresses (both primary and secondary) associated with an asset can be searched by CIDR mask using the syntax net:<term>.

net:192.168.0.0/24
Asset MAC Addresses

The MAC addresses associated with an asset can be searched using the syntax mac:<term> and macs:<term>.

mac:00:5c:04
macs:00:00:1c
Asset MAC Address Vendors

The vendor associated with the MAC addresses of an asset can be searched using the syntax mac-vendor:<term> and vendor:<term>.

vendor:Apple
mac-vendor:"Intel Corporate"
Asset Attributes

The asset attributes fields, such as the port used to detect the TTL, can be searched using the syntax attribute:<term>, attributes:<term>, and attr:<term>.

attr:"ip.ttl.port"
attribute:"cpe:/a:isc:bind:9.11.3"
attributes:"9.11.3"

To determine if an asset has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"ip.ttl.port"
not has:"rdns.names"
Asset Services
Asset Service Ports

The TCP and UDP services associated with an asset can be searched by port number using the syntax port:<term>.

port:80
port:161
Asset Service TCP Ports

The TCP services associated with an asset can be searched by port number using the syntax tcp:<term>.

tcp:443
Asset Service UDP Ports

The UDP services associated with an asset can be searched by port number using the syntax udp:<term>.

udp:53
Asset Service Protocols

The identified service protocols associated with an asset can be searched using the syntax protocol:<term> and protocols:<term>.

protocol:http
protocols:telnet
Asset Service Products

The identified service products associated with an asset can be searched using the syntax product:<term> and products:<term>.

product:openssh
products:nginx
Asset Tracking Fields
Asset Timestamps (FirstSeen, LastSeen, CreatedAt, UpdatedAt)

The asset timestamp fields (first_seen, last_seen, created_at, updated_at) can be searched using the syntax firstseen:<term>, first_seen:<term>, last_seen:<term>, lastseen:<term>, created_at:<term>, created:<term>, updated_at:<term>, and updated:<term>. The term consists of a greater-than (>) or less-than (<) operator followed by either a relative or an absolute date expression. Relative date expressions use the units seconds, minutes, hours, days, weeks, and years, in both plural and singular forms. Absolute date expressions can be written in international (2019-12-31) or USA (12/31/2019) form.

Note that created_at is usually identical to first_seen (initial asset detection), while updated_at can differ considerably from last_seen: the former indicates when the asset record was last updated (whether the asset was offline or not), while the latter is when the asset was last seen alive. The updated_at query is useful when synchronizing the inventory to external systems (for example, updated:<24hours on a daily import).

firstseen:<30seconds
firstseen:>3days
first_seen:>2019-08-01
first_seen:>8/1/2019
lastseen:<1week
last_seen:<2months
lastseen:<1year
created_at:>2weeks
created:<30minutes
updated_at:>1year
updated:<12hours
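The following parser, added here for illustration and not part of Rumble, turns the timestamp terms listed above into comparisons and runs them over constructed asset records with a fixed clock. It assumes that a relative expression is read as an age (updated:<24hours means "updated within the last 24 hours", as in the daily-import example) while an absolute date is a point in time, and it approximates months and years as 30 and 365 days.

```python
import re
from datetime import datetime, timedelta
# Units the page lists; months/years approximated as 30/365 days (assumption).
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
                "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400}
RELATIVE_RE = re.compile(r"^(\d+)\s*(second|minute|hour|day|week|month|year)s?$")
FIELD_ALIASES = {"firstseen": "first_seen", "lastseen": "last_seen",  # page's
                 "created": "created_at", "updated": "updated_at"}    # aliases

def parse_date_term(term):
    """Split '<30seconds' or '>2019-08-01' into (op, timedelta | datetime)."""
    op, expr = term[:1], term[1:].strip()
    if op not in ("<", ">"):
        raise ValueError(f"date term must start with < or >: {term!r}")
    m = RELATIVE_RE.match(expr.lower())
    if m:
        return op, timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):  # international form, then USA form
        try:
            return op, datetime.strptime(expr, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised date expression: {expr!r}")

def timestamp_matches(term, timestamp, now):
    """Relative terms are an age ('<1week' = within the last week, '>3days' =
    more than three days ago), so a relative '>' selects OLDER timestamps;
    absolute dates are a point in time, so '>2019-08-01' selects NEWER ones."""
    op, bound = parse_date_term(term)
    if isinstance(bound, timedelta):
        age = now - timestamp
        return age < bound if op == "<" else age > bound
    return timestamp < bound if op == "<" else timestamp > bound

def search_timestamps(assets, query, now):
    """Run one timestamp query such as 'lastseen:<1week' over asset records."""
    keyword, term = query.split(":", 1)
    field = FIELD_ALIASES.get(keyword.lower(), keyword.lower())
    return [a["id"] for a in assets if timestamp_matches(term, a[field], now)]

# Constructed sample records (not real inventory data) against a fixed clock.
NOW = datetime(2020, 1, 15, 12, 0, 0)
ASSETS = [
    {"id": "fresh", "first_seen": datetime(2019, 9, 1),
     "last_seen": NOW - timedelta(hours=2), "updated_at": NOW - timedelta(hours=2)},
    {"id": "stale", "first_seen": datetime(2019, 6, 1),
     "last_seen": NOW - timedelta(days=20), "updated_at": NOW - timedelta(days=20)},
    {"id": "active-old", "first_seen": datetime(2018, 1, 1),
     "last_seen": NOW - timedelta(days=2), "updated_at": NOW - timedelta(hours=36)},
]
```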
Asset Online Status

The alive status of an asset can be searched using the syntax alive:<term> and online:<term> as well as the inverse with the syntax offline:<term> and dead:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

alive:t
dead:f
online:1
offline:0
Asset Detection Method

The detected-by attribute of an asset can be searched using the syntax det:<term> and detected-by:<term>. The term is one of arp, icmp, tcp-<port>, or udp-<port>. When an asset was detected in several ways, the priority order is arp, then icmp, then the first detected service.

det:arp
detected-by:80-tcp
det:53-udp
Asset Multiple Address Status

The multihome status (multiple network addresses) of an asset can be searched using the syntax multihome:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

multihome:true
multihome:no
Asset Multiple MAC Address Status

Assets with multiple MAC addresses can be searched using the syntax multimac:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

multimac:t
multimac:0
Asset Any MAC Address Status

Assets with any MAC addresses can be searched using the syntax hasmac:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

hasmac:yes
hasmac:f
Asset Multiple Hostname Status

Assets with multiple hostnames can be searched using the syntax multiname:<term>. The term is a boolean value, where true, t, 1, and yes represent true and false, f, 0, and no represent false.

multiname:yes
multiname:false

Service Search Keywords

Service Ports

Services can be searched by their TCP or UDP port number using the syntax port:<term>.

port:80
port:161
Service TCP Ports

TCP services can be searched by port number using the syntax tcp:<term>.

tcp:443
Service UDP Ports

UDP services can be searched by port number using the syntax udp:<term>.

udp:53
Service Transport

The transport associated with a service can be searched by name using the syntax transport:<term>.

transport:tcp
transport:udp
transport:icmp
Service Protocols

The identified service protocols associated with a service can be searched using the syntax protocol:<term> and protocols:<term>.

protocol:http
protocols:telnet
Service Virtual Host

The virtual host associated with a service can be searched by name using the syntax vhost:<term>.

vhost:"www"
Service Attributes

All service attributes can be searched using the syntax <attribute>:<term>.

banner:password
service.product:"OpenSSH"
html.title:"Apache2 Ubuntu Default Page"

To determine if a service has an attribute at all, the has keyword can be used. The has keyword can be inverted to find missing fields, with not has:<term>.

has:"http_header.server"
not has:"html.title"