The Rumble Inventory and Export functionality supports arbitrary search queries to filter assets. Queries can be combined to build powerful automation on top of the Rumble asset dataset. Search terms are joined with the AND and OR operators, but all terms are evaluated as part of a single group: terms cannot be nested into sub-groups.

For example, the query os:"Windows 10" AND protocols:http AND protocols:smb2 shows only those assets where Windows 10 was identified and both an SMB service and a web server were discovered. Search values that contain spaces must be placed in double quotes.

By contrast, the query os:"Windows 10" AND protocols:http OR protocols:smb2 matches Windows 10 assets running a web server, plus any asset with the SMB service exposed.

In addition to AND and OR, the NOT operator negates the term that follows it. For example, os:"Windows 10" AND NOT protocols:http shows Windows 10 systems without a web server. If the negation is the first term of the query, the leading AND is dropped: NOT protocols:http AND os:"Windows 10" is equivalent to the previous search with the terms reversed.
| Field | Keywords | Notes |
|---|---|---|
| Hostnames | hostname, name, names | |
| Addresses | address, addresses, ip, addr, host | Searches both primary and secondary addresses |
| MAC Vendors | mac-vendor, vendor | |
| Ports | port | Searches both TCP and UDP ports |
| Site | site | Filters results by Site name; use double quotes if needed |
| Credentials | cred, creds, community | |
| Services | services | Searches raw service response data; extremely slow and may be removed in future releases |
| Attributes | attr, attribute, attributes | |
| Alive | alive, online | Boolean (t, 1, yes or f, 0, no) |
| Offline | offline, dead | Boolean (t, 1, yes or f, 0, no). Inverse of Alive. |
| Detected By | det, detected-by | Typically arp, icmp, tcp-[PORT], or udp-[PORT] |
| Multihome | multihome | Assets with more than one address. Boolean (t, 1, yes or f, 0, no) |
| MultiMAC | multimac | Assets with more than one MAC address. Boolean (t, 1, yes or f, 0, no) |
| MultiName | multiname | Assets with more than one hostname. Boolean (t, 1, yes or f, 0, no) |
| HasMAC | hasmac | Assets with at least one MAC address. Boolean (t, 1, yes or f, 0, no) |
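To make the operator rules above concrete (single flat group, AND/OR between terms, NOT before a term, quoted values, boolean keyword aliases from the table), here is a small evaluator run over a constructed asset list. It is an added illustration written for this page, not Rumble's search implementation: the sample assets are made up, strict left-to-right evaluation of the single group is an assumption (the documented examples come out the same either way), and the per-field matching rules (case-insensitive substring for `os`, exact membership for `protocols`, exact name match for hostnames) are assumptions chosen for the demonstration.

```python
import shlex

# Constructed sample assets standing in for a Rumble inventory export (not real scan data).
ASSETS = [
    {"id": "a1", "os": "Windows 10", "protocols": {"http", "smb2"}, "alive": True, "names": ["ws01"]},
    {"id": "a2", "os": "Windows 10", "protocols": {"smb2"}, "alive": True, "names": ["ws02"]},
    {"id": "a3", "os": "Windows 10", "protocols": {"http"}, "alive": False, "names": ["ws03"]},
    {"id": "a4", "os": "Ubuntu 20.04", "protocols": {"ssh", "smb2"}, "alive": True, "names": ["srv01", "fileserver"]},
    {"id": "a5", "os": "Ubuntu 20.04", "protocols": {"http"}, "alive": True, "names": ["web01"]},
]

# Keyword aliases from the keyword table, mapped to a canonical field name.
ALIASES = {
    "os": "os",
    "protocols": "protocols", "protocol": "protocols",
    "hostname": "names", "name": "names", "names": "names",
    "alive": "alive", "online": "alive",
    "offline": "offline", "dead": "offline",
    "multiname": "multiname",
}

# Boolean keywords accept t/1/yes or f/0/no.
BOOL_WORDS = {"t": True, "1": True, "yes": True, "f": False, "0": False, "no": False}


def parse_bool(value):
    try:
        return BOOL_WORDS[value.lower()]
    except KeyError:
        raise ValueError(f"not a boolean value: {value!r}") from None


def match_term(asset, field, value):
    """Evaluate one field:value term against one asset.
    The matching rule for each field is an assumption for this illustration."""
    canon = ALIASES.get(field.lower())
    if canon is None:
        raise ValueError(f"unknown search keyword: {field!r}")
    if canon == "os":
        return value.lower() in asset["os"].lower()      # case-insensitive substring
    if canon == "protocols":
        return value.lower() in asset["protocols"]        # exact protocol name
    if canon == "names":
        return any(value.lower() == n.lower() for n in asset["names"])
    if canon == "alive":
        return asset["alive"] == parse_bool(value)
    if canon == "offline":                                # inverse of alive
        return asset["alive"] != parse_bool(value)
    if canon == "multiname":
        return (len(asset["names"]) > 1) == parse_bool(value)
    raise AssertionError(canon)


def evaluate(query, asset):
    """Evaluate a flat query (no sub-groups) left to right.
    AND/OR join terms, NOT negates the term that follows it, and a leading
    NOT needs no AND in front of it."""
    tokens = shlex.split(query)   # shlex makes os:"Windows 10" a single token
    result = None                 # running result of the single group
    op = None                     # operator waiting to be applied
    negate = False                # NOT seen before the next term
    for tok in tokens:
        if tok in ("AND", "OR"):
            if result is None or op is not None:
                raise ValueError(f"operator {tok} without a term before it")
            op = tok
        elif tok == "NOT":
            negate = not negate
        else:
            field, sep, value = tok.partition(":")
            if not sep or not value:
                # An unquoted "Windows 10" splits into "os:Windows" and "10"; the
                # bare "10" lands here, which is exactly the double-quote rule.
                raise ValueError(f"bad term {tok!r}: values with spaces must be double-quoted")
            if result is not None and op is None:
                raise ValueError(f"missing AND/OR before {tok!r}")
            val = match_term(asset, field, value)
            if negate:
                val = not val
                negate = False
            if result is None:
                result = val
            elif op == "AND":
                result = result and val
            else:
                result = result or val
            op = None
    if result is None or op is not None or negate:
        raise ValueError("query ends without a complete term")
    return result


def search(query, assets=ASSETS):
    """Return the ids of the assets matching the query, in inventory order."""
    return [a["id"] for a in assets if evaluate(query, a)]


if __name__ == "__main__":
    for q in (
        'os:"Windows 10" AND protocols:http AND protocols:smb2',
        'os:"Windows 10" AND protocols:http OR protocols:smb2',
        'os:"Windows 10" AND NOT protocols:http',
        'NOT protocols:http AND os:"Windows 10"',
    ):
        print(f"{q:55} -> {search(q)}")
```

Running the four documented queries against the constructed inventory returns `a1` for the all-AND query, `a1` through `a4` for the AND/OR mix (every SMB host plus the Windows 10 web server), and `a2` for both forms of the negated query, which is the equivalence the text claims. Dropping the quotes around `Windows 10` raises a ValueError instead of silently matching the wrong thing.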