
Rumble Network Discovery User Guide v2.6.4
Updated on 2021-09-22
Copyright © Rumble, Inc. 2019-2021

Rumble User Guide

Contents

User Guide Contents
Creating an account
Activating your account
Changing your password
Updating your profile picture
Organizations and sites
Organizations
Creating organizations
Sites
Installing an Explorer
Installation
System requirements
Web screenshots
Configuration
Network communication
Removing an Explorer
Log management
Restart an Explorer
Certificate Authorities (CAs)
Manual mode
Storage locations
Container installations
Automated installations
Managing Explorers
Viewing all Explorers
Screenshot capabilities
Searching for Explorers
Explorer actions
Bulk management operations
Viewing Explorer details
Upgrading npcap
Installing on a Raspberry Pi
What you'll need
Connecting to your Raspberry Pi via SSH
Next steps
Automated MSI deployments
Binary downloads
Installing self-hosted Rumble
Requirements
Offline mode
Installation steps
Offline installation
Rumble updates
Managing users
CLI service management
CLI update management
CLI update with offline mode
CLI user management
CLI organization management
Advanced configuration
Permissions
Rumble binary verification
Binary downloads
Managing your team
Single sign-on SSO
Multi-factor authentication (MFA)
Global roles
Setting up Azure AD SSO
Requirements
Step 1: Add and configure Rumble as an Azure app
Step 2: Download the SSO configuration metadata
Step 3: Set up Azure AD SSO in Rumble
Step 4: Add users to the Rumble app in Azure
Setting up Okta SSO
Requirements
Step 1: Add and configure Rumble as an Okta app
Step 2: Set up SSO in Rumble
Step 3: Add users to the Rumble App in Okta
Discovering assets
Target site
Discovery Explorer
Discovery scope
Scan name
Schedule
Scan speed
Schedule grace period
Advanced scan options
TCP ports
Set prescan modes for large IP spaces
Managing tasks
Using the inventory
Understanding assets
Asset fields
Exporting asset data
Data retention
Stale asset expiration
Offline asset expiration
Scan data expiration
Exporting HP iLO data
How to export HP iLO CSV data in Rumble Enterprise
HP iLO CSV export data
Enriching scans with EC2
Find Explorers with EC2 enrichment capabilities
Add permissions to describe instances
Attributes Rumble gets from the EC2 API
Viewing coverage reports
RFC1918 coverage report
Search query syntax
Boolean operators
Wildcard and fuzzy searches
Empty values
Asset and service inventory searches
Search queries
Asset search keywords
Service search keywords
Wireless search keywords
Organization search keywords
Site search keywords
Query library search keywords
Credential search keywords
Automating queries
Turn on automatic search queries
Managing alerts
Using the rules engine
Key concepts
Create a rule
Creating alert templates
Template building basics
Objects and fields reference
Example: Alert when scan completes
Data type accepted by each channel
Managing templates
Managing licenses
How do I view my license?
When does my Professional or Enterprise subscription expire?
How do I renew my Professional subscription?
How do I renew my Enterprise plan?
How do I convert to the Starter Edition?
How do I find my invoices?
How do I change or cancel my subscription?
Using the scanner
Starter Edition limits
Performance & scope
Automatic web screenshots
Rumble scanner commands and options
Scan outputs
Raw Scan Data
ServiceNow CMDB
Before you begin
Set up an ETL import
Things to know about Rumble export data
Useful links
Splunk
Search
Get the Rumble add-on for Splunk
Asset sync modes
CrowdStrike Falcon
Getting Started
Requirements
Step 1: Configure CrowdStrike to allow API access to Rumble
Step 2: Add the CrowdStrike credentials to Rumble
Step 3: Set up and activate the CrowdStrike connection to sync data
Step 4: View CrowdStrike assets
Azure Virtual Machines
Getting Started
Requirements
Step 1: Configure Azure to allow API access through Rumble.
Step 2: Add the Azure credential to Rumble.
Step 3: Set up and activate the Azure VM connection to sync data
Step 4: View Azure assets
Amazon EC2
Getting Started
Requirements
Step 1: Configure AWS to allow API access through Rumble
Step 2: Add the AWS credential to Rumble
Step 3: Set up and activate the AWS EC2 connection to sync data
Step 4: View AWS assets
Miradore MDM
Getting Started
Requirements
Step 1: Create a Miradore API key.
Step 2: Add the Miradore API key to Rumble.
Step 3: Set up and activate the Miradore MDM connection to sync data
Step 4: View Miradore assets
Leveraging the API
Data formats
Formats
Scan data
Asset data
Change reports
Frequently Asked Questions
Why are there so many identical assets in my inventory?
How do I run Rumble without crashing my router?
How do I scan VMware virtual machines without crashing the host?
Why didn't the Rumble Explorer capture screenshots?
What protocols does Rumble scan for?
What ports does Rumble scan?
Rumble release notes
Latest release notes
Older platform release notes
Platform release notes
Older Explorer release notes
Explorer release notes (agents)
Older scanner release notes
Scanner release notes

Creating an account

To get started, you'll need to sign up for a Rumble account. Rumble offers three editions: starter, professional, and enterprise. Choose the edition that works for you.

Professional account: This is great for mid-size and larger companies, as well as consultants, who need to scan more than 256 assets. You'll need a business email to sign up.
Sign up for a professional account

Starter account: This is great for personal or small business use, if you have fewer than 256 assets. You can use a business or personal email to sign up.
Sign up for a starter account

Activating your account

After you sign up for an account, we'll email you a link to activate your account. If you don't see an email from us, check your spam folder.
Open the link in the email to go to the Activation page. Follow the instructions on the page to activate your account. You'll need to provide your name, set up a password, specify your location, and accept our privacy policy and terms of service.

After activating your account, you'll be taken directly to the Rumble Console. Your new account has administrative access, so you will be able to manage sites, organizations, users, and Explorers.

If you have any trouble creating your account, please contact support.

Changing your password

To change your password, go to your account settings. You'll need to provide your current password before you can enter a new one. All passwords must contain:
At least 8 characters
At least 1 uppercase character
At least 1 lowercase character
At least 1 number

Updating your profile picture

User profile images are managed through Gravatar and associated with your email address. If you don't have an account, sign up for one.

Organizations and sites

Rumble uses the concept of organizations and sites to manage information within your account.

Organizations

An organization represents a distinct entity; this can be your business, a specific department within your business, or one of your customers. All actions, tasks, Explorers, scans, and other objects managed by Rumble are tied to specific organizations and isolated from each other.

Your active organization can be switched by using the dropdown select field on the top right of the Rumble Console.

Creating organizations

Organizations can be created, modified, and deactivated by going to the organizations section within the console. Click the Organizations button under Global Settings on the left-hand sidebar.

Sites

Every organization has at least one site, but may also have multiple sites. A site represents a distinct network segment, usually defined by addressing or accessibility. All analysis actions within Rumble occur at the site level.
This allows multiple sites to use the same RFC1918 space, something common in retail, while still making it possible to differentiate their assets within the Inventory. For flat networks, a single site is usually enough, but complicated, sprawling, and highly-segmented environments benefit from the use of Sites.

Sites can also be tied to specific Explorers, which can help limit traffic between low-bandwidth segments.

The site configuration allows a default scan scope to be defined, along with an optional list of excluded scan scopes. These fields set the defaults for future scans of this Site.

By default, your account includes a single organization, which itself contains a single site, named Primary. The default site cannot be removed, but it can be renamed and have its assets permanently deleted as necessary.

Installing an Explorer

Rumble requires the use of at least one Explorer within your environment to enable network discovery. The Explorer should be installed on a system with reliable connectivity to the network you want to discover. For internal networks, Rumble works best when installed on a system with a wired (vs wireless) connection. For external network discovery, nearly any cloud provider with a reliable connection should do. If the Rumble Explorer is installed in a container or virtualized system, ensure that it has direct access to the network (host networking in Docker, bridged networking in VMware, etc).

Installation

To install the Rumble Explorer, log in to the Rumble Console and switch to the Organization that should be associated with the Explorer. The Explorer download link is specific to your active Organization, and using the wrong link can result in a new Explorer being associated with the wrong organization.

Download the correct binary for your system from the Explorer download page. For most systems, select the 64-bit (x86_64) architecture.
For embedded devices, such as the Raspberry Pi 3+, choose the ARM7 architecture. Windows binaries are signed with a valid Authenticode signature, which should be validated before the executable is launched. The Explorer installation process requires administrative privileges.
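
One way to perform the Authenticode check described above before launching the installer, as an added example that is not part of the Rumble guide. The function name, the file name and the expected publisher string are placeholders and assumptions; replace them with the values for your download.

```powershell
# Added example, not Rumble's own tooling.
function Test-ExplorerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the publisher (certificate simple name) you expect to see.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) {
        # SimpleName is normally the CN of the signing certificate's subject.
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }

    # Valid = file hash matches the signature and the chain builds to a trusted root.
    # NotSigned, HashMismatch, NotTrusted and UnknownError all fail the check.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    # A valid signature from a different publisher is still the wrong binary.
    $signerOk = $statusOk -and ($signer -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path        = (Resolve-Path -LiteralPath $Path).Path
        Status      = $sig.Status
        Signer      = $signer
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint }
        Timestamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted     = $signerOk
    }
}

# Placeholders: replace both values with those for your download.
$result = Test-ExplorerSignature -Path '.\rumble-explorer.exe' -ExpectedPublisher '<EXPECTED PUBLISHER NAME>'
$result | Format-List
if (-not $result.Trusted) {
    throw "Do not run $($result.Path): signature check failed ($($result.Status))."
}
```

Run the check from a non-elevated session and start the installer with administrative privileges only after `Trusted` is true.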