Appendix: Fields and Regular Expressions
Fields are dependent upon the Lucidum object specified in the Build Query from field.
The Build Query from field specifies an object to examine. Choices are:
Asset
User
Asset-IP Mapping
User-IP Mapping
Vulnerability
Fields are characteristics of a Lucidum object. For example, a characteristic of a user is the user’s email address. A characteristic of an asset is the asset’s IP address.
Data Source and Lucidum Data Group
Lucidum ingests information about assets, users, and data from your environment. Lucidum then deduplicates, triangulates, and aggregates that information to provide you with enriched data about assets, users, and vulnerabilities.
There are two types of data in Lucidum:
Data Source. Data Sources contain the raw data that is ingested by Lucidum collectors from your environment. For example, Data Sources can include Tenable, SentinelOne, Infoblox, Active Directory, AWS, and VMware. Within each Data Source is the raw data collected by Lucidum for an asset. For example, an Active Directory data source for an asset would include the information you would expect to find in an Active Directory record for that asset.
Lucidum Data Group. After ingestion, Lucidum cleans up the raw data, fills the gaps between security solutions, and enriches the data through machine learning.
This chapter describes the fields in the Lucidum Data Group. To view all the raw data in your environment, use the Data Sources page. You can also view the raw data for a query result in the Data Sources tab of the Details page (Explore button > Query Builder > New Query > Show Results > details icon).
Note that the list of fields in your Lucidum system is dependent upon the data you have collected with Lucidum connectors.
You might see fields in this appendix that don’t appear in your Lucidum system. This means that Lucidum has not fetched that data from your environment, either because you have not yet configured the connector(s) and triggered data ingestion or because your environment doesn’t include that type of asset.
You might see fields called “Extra Fields” in your Lucidum system that don’t appear in the list of fields in this appendix. This means that Lucidum has fetched data from your environment that is not typically available in all environments.
The fields that appear in your Lucidum system are the fields you can use to build queries.
Lucidum Data Group
The following fields appear in the Lucidum Data Group. You can include these fields in queries.
Age
Field | Description | Type |
---|---|---|
Agent Status | Status of the agent running on the asset. | Text |
First Ingestion Time | Earliest timestamp associated with the Lucidum ingestion session for the asset | Date/Time |
First Time Seen | Earliest timestamp associated with data from the asset | Date/Time |
Hire Time | Employee hiring epoch time | Date/Time |
IP Assignment End Time | IP address assignment end epoch time | Date/Time |
IP Assignment Start Time | IP address assignment start epoch time | Date/Time |
Last Lockout Time | User last locked out epoch time (from LDAP) | Date/Time |
Last Password Set Time | User last password set epoch time (from LDAP) | Date/Time |
Last Start Time | Timestamp from most recent boot of the asset | Date/Time |
Last Time Seen | Most recent timestamp associated with data from the asset | Date/Time |
Life | Life (in human-readable format) | Text |
Life (Hours) | Number of hours that data from the asset has existed in Lucidum | Numeric |
New Asset (yes/no) | Specifies whether asset is new | Binary/Boolean |
New User (yes/no) | Specifies whether the user is new | Binary/Boolean |
Record Generated Time | Earliest timestamp associated with the Lucidum ingestion session for the asset | Date/Time |
Status | Status of the asset | Text |
Terminate Time | Employee termination epoch time | Date/Time |
Applications
Field | Description | Type |
---|---|---|
Applications | List of applications associated with the asset | List |
Critical Risk Apps | Number of critical risk applications | Numeric |
Critical Risk Apps List | Critical risk applications | List |
High Risk Apps | Number of high risk applications | Numeric |
High Risk Apps List | High risk applications | List |
SaaS Application | SaaS application name (e.g., Okta) | Text |
SaaS Application Description | SaaS application description | Text |
SaaS Application Events | SaaS application events history | List |
SaaS Application Type | SaaS application type (e.g., SSO) | Text |
SaaS Application Version | SaaS application version | Text |
User Agent | User agent detected | Text |
Asset
Field | Description | Type |
---|---|---|
# of Assets | Number of assets linked to the user | Numeric |
Accessible (yes/no) | True if the asset is accessible | Binary/Boolean |
Asset Category | Category for the asset. For example, “cloud” or “on-prem”. | Text |
Asset Function | Asset functional category. For example, “network” or “endpoint” | Text |
Asset Group ID | Asset group ID | Text |
Asset Groups | Groups associated with the asset | List |
Asset LDAP Groups | Asset LDAP CN groups | List |
Asset LDAP Group Members | Asset LDAP full group members | Text |
Asset Type | Asset type. For example, “server” or “workstation” | Text |
Auto Scaling Group | Asset auto-scaling group name (e.g., AWS EC2 auto-scaling group) | Text |
Cluster Config | Cluster configuration. For example, “VMWare” | List |
Cluster ID | Cluster ID | Text |
Cluster Name | Cluster name | Text |
Critical Asset (yes/no) | True if the asset is critical according to data source | Binary/Boolean |
Data Center ID | Data center ID | Text |
Encrypted (yes/no) | True if the asset is encrypted | Binary/Boolean |
Full Domain Name | Fully qualified domain name | List |
Host ID | Host ID | List |
IT Managed (yes/no) | True if the asset is managed by IT | Binary/Boolean |
Instance ID | AWS instance ID | Text |
Instance Name | AWS instance name | Text |
Instance Type | AWS instance type | Text |
IP Address | IP address(es) | List |
Live Migration Enabled (yes/no) | True if live migration is enabled (e.g., VMware vMotion) | Binary/Boolean |
Lucidum Asset Name | Asset name derived with Lucidum ML | Text |
Lucidum Asset Type | Asset type derived with Lucidum ML. Standardized and similar to normalized data. | Text |
Lucidum OS Category | OS Category derived with Lucidum ML. Standardized and similar to normalized data. For example, “Linux”, “Windows”. | Text |
Lucidum OS Version | OS version derived with Lucidum ML. Standardized and similar to normalized data. | Text |
Lucidum Vendor | Vendor name derived with Lucidum ML. Standardized and similar to normalized data. | Text |
MAC Address | MAC address(es) | List |
Multi-Host Access (yes/no) | True if the asset has multiple-host access | Binary/Boolean |
OS and Version | OS and version | Text |
Out-of-date OS (yes/no) | True if the operating system is out-of-date | Binary/Boolean |
Public IP Address | Public IP address(es) | List |
Resource Pool | Asset resource pool | Text |
Server (yes/no) | True if the asset is a server according to data source | Binary/Boolean |
Snapshot (yes/no) | True if the asset is a snapshot | Binary/Boolean |
Source Asset Name | Name of the asset as fetched from the source connector | Text |
User's Assets | The asset(s) linked to the user | List |
vCenter ID | ID for the VMware vCenter | List |
Vendor | Name of the vendor | Text |
Virtual Machine (yes/no) | True if the asset is a virtual machine | Binary/Boolean |
VM ID | Virtual machine ID | List |
Cloud
Field | Description | Type |
---|---|---|
Cloud Account | Cloud account name(s) | Text |
Cloud Account ID | Cloud account ID(s) | Text |
Cloud Asset (yes/no) | True if the asset is in cloud | Binary/Boolean |
Cloud Instance ID | ID of Cloud instance | Text |
Cloud Stack | Name of Asset stack | Text |
CloudTrail Bucket | Name of CloudTrail bucket | Text |
CloudTrail Global-Service (yes/no) | True if CloudTrail includes API calls from global services | Binary/Boolean |
CloudTrail Log (yes/no) | True if the asset is logged in CloudTrail | Binary/Boolean |
CloudTrail Log Group | Name of CloudTrail log group | Text |
CloudTrail Multi-Region (yes/no) | True if CloudTrail is enabled in multiple regions | Binary/Boolean |
CloudTrail Name | Name of CloudTrail | Text |
CloudTrail Resource | Name of CloudTrail resource | Text |
CloudWatch Log Group | Name of CloudWatch log group | Text |
Cluster Name | Name of Cloud micro-service cluster | Text |
Idle Instance (yes/no) | True if the cloud instance may be idling | Binary/Boolean |
Image Creation Time | Date and time Cloud instance image was created | Date/Time |
Image ID | Cloud image ID | Text |
Image Name | Cloud image name | Text |
Instance Key | Cloud instance SSH key name | Text |
Instance Name | Name of Cloud instance | Text |
Instance Profile | Profile/role associated with the Cloud instance | Text |
Instance Type | Type associated with the Cloud instance | Text |
Monthly Cost (US Dollar) | Monthly running costs (in US dollars) | Numeric |
Old Image (yes/no) | True if the instance image is older than 30 days | Binary/Boolean |
Old Image Age | Age in months of the old image | Numeric |
Parent Image ID | ID of the parent image for the Cloud instance | Text |
Public Image (yes/no) | True if the instance image is public | Binary/Boolean |
Target Group | Target groups for the Load balancer | Text |
Task Definition | Name of the task definition for the Container service | Text |
Volume ID | Cloud volume ID attached to the instance | Text |
Compliance
Field | Description | Type |
---|---|---|
# of Non-Compliance | Number of non-compliances | Numeric |
Cloud Trail Validation (yes/no) | True if CloudTrail log file validation is enabled | Binary/Boolean |
Cloud Watch Alarm | Name of CloudWatch alarm | Text |
Cloud Watch Filter | Name of CloudWatch filter | Text |
Cloud Watch Filter Pattern | CloudWatch filter pattern | Text |
Cloud Watch Metric | Name of CloudWatch metric | Text |
Cloud Watch Metric Space | CloudWatch metric namespace | Text |
Compliance Entity | Compliance entity | Text |
Compliance Source | Compliance source | Text |
Logging Enabled (yes/no) | True if the asset logging is enabled | Binary/Boolean |
MFA Configured | MFA configuration status of the user | List |
Missing Patch List | List of missing system patches | List |
Missing Patches | Number of missing system patches | Numeric |
Non-Compliance List | Non-compliance list | List |
Replication Enabled (yes/no) | True if replication is enabled for the asset (e.g., S3 bucket replication) | Binary/Boolean |
Root Access (yes/no) | True if the cloud account has root access enabled | Binary/Boolean |
Root MFA Enabled (yes/no) | True if the cloud account has root MFA enabled | Binary/Boolean |
Security Findings | Asset security/compliance findings | List |
Versioning Enabled (yes/no) | True if the asset versioning is enabled | Binary/Boolean |
Data
Field | Description | Type |
---|---|---|
Bucket User Access | File bucket’s user access history | Nested List |
Bucket Users | Bucket user access history | List |
Cloud Bucket | File bucket names | List |
Cloud Files | Bucket files | List |
Data Category | Lucidum extrapolated data category | Text |
Data Classification | Lucidum extrapolated data classification | Text |
Data Description | Lucidum extrapolated data topic keywords | Text |
Data Risk | Lucidum extrapolated data risk (higher value, riskier) | Numeric |
Data Store ID | Data store ID | List |
File Folder | File folder names | List |
File List | File access history | Nested List |
Data Source
Field | Description | Type |
---|---|---|
Data Source Details | Detailed list of data sources | Nested List |
Data Sources | List of data sources | List |
DevOps
Field | Description | Type |
---|---|---|
Docker Image ID | Hash ID of the Docker image digest | Text |
Docker Repo | Name of docker repository | Text |
Hardware
Field | Description | Type |
---|---|---|
Carrier | Mobile carrier | Text |
CPU Average Usage (%) | CPU average usage (%) | Numeric |
CPU Cores | Number of CPU cores | Numeric |
Hardware Config | Hardware configuration (e.g., VMWare) | Nested List |
IMEI # | Mobile MEID/IMEI/ESN number | Text |
MAC Vendor | MAC hardware vendors | List |
Memory Size (GB) | Memory size (in GB) | Numeric |
Memory Usage (%) | Latest memory usage (%) | Numeric |
Mobile # | Mobile/phone number | Text |
Model | Hardware model | Text |
Power State | Asset power state | Text |
Serial Number | Hardware serial number | Text |
Service Tag | Asset IT service tag | Text |
SIM # | Mobile SIM card number | Text |
Storage Size (GB) | Storage size (in GB) | Numeric |
Storage Usage (%) | Latest storage usage (%) | Numeric |
Vendor Class | Asset DHCP vendor class | Text |
Volume ID | Volume ID attached to the instance | Text |
Life Cycle
Field | Description | Type |
---|---|---|
Asset Expiry Time | Asset lifecycle expiry epoch time | Date/Time |
Purchase Order | Asset purchase order number | Text |
Purchase Price | Asset purchase price | Numeric |
Purchase Quantity | Asset purchase quantity | Numeric |
Purchase Source | Asset purchase source | Text |
Purchase Time | Asset purchase epoch time | Date/Time |
Warranty Expiry Time | Asset warranty expiry epoch time | Date/Time |
Location
Field | Description | Type |
---|---|---|
Building | Building name | Text |
Country Code | Location country ISO code | Text |
Country Name | Location country name | Text |
Environment | Environment | Text |
Latitude | Location latitude | Numeric |
Longitude | Location longitude | Numeric |
Location | Location | Text |
Rack | Rack name | Text |
Region | Region | Text |
Site | Site | Text |
Lucidum
These fields are derived from raw data from data sources and then normalized for easy use in queries and dashboards.
Field | Description | Type |
---|---|---|
Lucidum Asset Name | Name of the asset | Text |
Lucidum Asset Type | Asset type. Possible values are: | Text |
Lucidum OS Category | Manufacturer of the OS. Possible values are: | Text |
Lucidum OS Version | Version of the OS. For example, CentOS 7.9-2009, macOS 12.1, Windows 10, Windows Server 2022 | Text |
Lucidum Status | Current status of an asset. Possible values are: | Text |
Lucidum User Name | User name | Text |
Lucidum User Status | Status of the user account. Possible values are: | Text |
Lucidum Vendor | Vendor associated with an asset | Text |
Network
Field | Description | Type |
---|---|---|
Certificate Algorithm | SSL certificate encryption algorithm | Text |
Certificate ID | SSL certificate ID | Text |
Certificate Rating | SSL certificate rating | Text |
Certificate Version | SSL certificate protocol version | Text |
DNS CNAME | DNS canonical name record | Text |
DNS MX | DNS mail exchange record | Text |
DNS Name | DNS name | Text |
DNS NS | DNS nameserver record | Text |
DNS PTR | DNS pointer record | Text |
DNS Requested Domain | DNS requested domain | Text |
DNS Security | DNS security status | Text |
DNS Type | DNS record type | Text |
DNS Zone | DNS zone | Text |
Domain | Asset domain name | Text |
External Ports | Open ports accessible externally | List |
External Services | Services accessible externally | List |
Firewall Action | Firewall default action | Text |
Firewall Rules | Firewall rules | List |
Instance Key | Instance key name | Text |
Internet Gateway ID | Internet gateway ID | Text |
IP Pool | IP address pool | Text |
ISP | Public internet service provider according to source or extrapolated by Lucidum | Text |
Management VIP | Management virtual IP (VIP) address | Text |
NAS ID | NAS ID | Text |
NAS Port | NAS port | Numeric |
NAT Gateway ID | NAT gateway ID | Text |
Network ACL ID | Network access control list (ACL) ID | Text |
Network Config | Network configuration (e.g., VMWare) | Nested List |
Network ID | Network ID | List |
Network Interface ID | Network interface ID | Text |
Network Segment | Network segment | Text |
Open Inbound Access (yes/no) | True if the asset is open to public inbound connection | Binary/Boolean |
Port Group | Asset network port group | List |
Ports | Open ports | List |
Public Facing or Internet Reachable (yes/no) | True if the asset is public-facing | Binary/Boolean |
Route Table ID | Route table ID | Text |
Security Group ID | Cloud security Group IDs | List |
Security Group IP Range | Cloud security group IP ranges permitted | List |
Security Group Name | Cloud security group names | List |
Security Group Rules | Security group rules | Nested List |
Services | Services running on the asset | List |
Subnet ID | Cloud subnet ID | Text |
Switch Name | Network switch name | Text |
VLAN ID | VLAN ID | Text |
VLAN Name | VLAN name | Text |
VPC ID | Cloud VPC ID | Text |
VPN Gateway ID | VPN gateway ID | Text |
VPN Profile | VPN profile name | Text |
Others
Field | Description | Type |
---|---|---|
Asset Description | Asset description | Text |
Comments | Comments added | Text |
Cost Center | Cost center name/ID | Text |
Idle Instance (yes/no) | True if the asset may be idling | Binary/Boolean |
Monthly Cost (US Dollar) | Monthly running costs (in US dollars) | Numeric |
Organization | Organization name | Text |
Purpose | Asset’s purpose according to data source | Text |
User Tickets | User’s service tickets | List |
Policy
Field | Description | Type |
---|---|---|
Admin Policies | Number of admin policies | Numeric |
Policy | Policy name | Text |
Policy Statement | Policy statements | List |
User Password Changeable (yes/no) | True if user can change the password | Binary/Boolean |
User Password Enabled | User password enabled status | List |
User Password Expired (yes/no) | True if the user's password is expired | Binary/Boolean |
User Password Min. Length | Minimum length required for user's password | Numeric |
User Password Not Required (yes/no) | True if the user's password is not required | Binary/Boolean |
User Password Resettable (yes/no) | True if user's password is resettable | Binary/Boolean |
User Password Reuse Times | Maximum user password reuse times | Numeric |
User Password Valid Age | Number of days that a user password is valid | Numeric |
User Password with Lower Letter (yes/no) | True if user's password must contain lower-case character | Binary/Boolean |
User Password with Number (yes/no) | True if user's password must contain numbers | Binary/Boolean |
Risk
Field | Description | Type |
---|---|---|
Risk CDF | Statistical risk score (1-100) | Numeric |
Risk Factors | All risk factors | List |
Risk Level | Risk level | Text |
Risk Ranking | Standardized/ranked risk score (1-100) | Numeric |
Risk Score | Raw risk score (higher value, riskier) | Numeric |
Top Factor 1 | Risk top factor 1 | Text |
Top Factor 2 | Risk top factor 2 | Text |
Top Factor 3 | Risk top factor 3 | Text |
Tags
Field | Description | Type |
---|---|---|
Image Tag | Cloud instance image tags | List |
Tag | Tag associated with an asset | List |
Threat
Field | Description | Type |
---|---|---|
Agent Updated (yes/no) | True if the endpoint protection agent is updated | Binary/Boolean |
Critical Threats | Number of critical-severity threats | Numeric |
Endpoint Agent (yes/no) | True if the endpoint protection agent is installed | Binary/Boolean |
High Threats | Number of high-severity threats | Numeric |
Host IDS (yes/no) | True if the asset is monitored in host IDS | Binary/Boolean |
Malware/Threat Alerts | Number of malware infections or threats detected | Numeric |
Network IDS (yes/no) | True if the asset is monitored in network IDS | Binary/Boolean |
SANS Malicious IP (yes/no) | Specifies whether an IP address is included in SANS list of malicious IPs | Binary/Boolean |
Threat List | Threat list | List |
TOR Node IP (yes/no) | Specifies whether an IP address is from the TOR network | Binary/Boolean |
User
Field | Description | Type |
---|---|---|
# of Users | Number of users linked to the asset | Numeric |
All Login Users | List of users on the asset | Nested List |
Department | The business department associated with the user account | Text |
Duplicated User Detection | Confidence score for potentially duplicated users | Numeric |
| The email associated with the user account | Text |
Job Title | The job title associated with the user account | Text |
Lucid User Name | Lucidum derived user entity name | Text |
Manager | The manager’s name associated with the user account | Text |
Person Full Name | The person's full/display name | Text |
Related to Asset (yes/no) | True if the user has one or more assets linked | Binary/Boolean |
Role Assuming Principals | Cloud role assuming principal(s) | List |
Role ID | Role ID | Text |
Role Name | Role name | List |
Source User Name | Data source raw user name | List |
System Admin (yes/no) | True if the user has admin permission | Binary/Boolean |
User Active (yes/no) | True if the user is active | Binary/Boolean |
User Disabled (yes/no) | True if the user account is disabled (in LDAP) | Binary/Boolean |
User Group Member | User LDAP full group memberships | List |
User Groups | Groups associated with the user | List |
User IDs | The user IDs linked to the user account | List |
User Key | The API access key(s) associated with the user's AWS account | List |
User LDAP Group Members | User LDAP full group memberships | List |
User LDAP Groups | User LDAP CN groups | List |
User Locked Out (yes/no) | True if the user is locked out (from LDAP) | Binary/Boolean |
User Sources | User linked data source(s) | List |
User SSO Failures | Number of failed SSO logins | Numeric |
User Status | User status | List |
User Terminated (yes/no) | True if the user is terminated in HR | Binary/Boolean |
User Type | User type | Text |
Vulnerability
Field | Description | Type |
---|---|---|
Critical CVE List | Critical CVE IDs | List |
Critical Vulns | Number of critical-severity vulnerabilities | Numeric |
CVE Count | Number of CVE vulnerabilities | Numeric |
CVE List | CVE IDs | List |
High CVE List | High CVE IDs | List |
High Vulns | Number of high-severity vulnerabilities | Numeric |
Mitigated Vulns | Number of mitigated vulnerabilities | Numeric |
Vuln Scan (yes/no) | True if the asset is scanned by vulnerability assessment | Binary/Boolean |
Vulnerabilities | Vulnerability details | List |
Vulnerability Names | Vulnerability names | List |
Regular Expressions
For fields of type Text, List, and Nested List, you can include the following special characters in the Value field to further customize the query.
Characters | Description | Example |
---|---|---|
^ (caret) | Matches entries that start with the character(s) to the right | For example, if the field is Data Category, ^F matches both “Finance” and “Facility” |
, (comma) | Functions as an “OR”, examining all values in the comma-separated list and showing results that match one or more of the values in the list. | For example, if the field is Data Sources, crowdstrike,carbonblack,sentinelone matches any asset that has one or more Data Sources from CrowdStrike, CarbonBlack, or SentinelOne. NOTE: Do not include spaces after the comma. |
$ (dollar sign) | Matches entries that end with the character(s) to the left | For example, if the field is Data Category, t$ matches “Customer Support” and “Product” |
. (period) | Matches one instance of any character | For example, if the field is Lucidum User Name, ..te matches “achristensen”, “bhatter”, “kate”, and “pete” |
+ (plus sign) | Matches one or more occurrences of the character to the left of the symbol | For example, if the field is Data Description, Agre+m matches “Budget Agreements” |
? (question mark) | Matches zero or one occurrence of the character to the left of the symbol | For example, if the field is Data Description, q? matches “Budget Requirements” |
| (pipe) | An OR. Matches either the string on the left or the string on the right of the symbol. | For example, if the field is Data Category, Fin|Info matches both “Finance” and “Information Technology” |
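The table above describes how a Value expression is interpreted, but it is easy to misread where the comma-OR ends and ordinary regular-expression syntax begins. The following script is an added example, not Lucidum code and not an implementation of the Lucidum query engine: it reproduces the documented semantics in Python over a few constructed records whose field names mirror this appendix, and runs each operator from the table against them. Two details the table leaves implicit are assumptions here: a List field matches when any element matches, and matching is case-insensitive (inferred from the example where crowdstrike matches CrowdStrike). The `lint_value` helper flags the one mistake the table warns about, a space after a comma, which silently turns the next alternative into a pattern that starts with a space.

```python
import re

# Constructed sample records (not Lucidum data). Field names mirror the
# appendix; values are invented so that every documented operator has a hit.
SAMPLE_RECORDS = [
    {"Lucidum User Name": "achristensen", "Data Category": "Finance",
     "Data Sources": ["CrowdStrike", "Active Directory"],
     "Data Description": "Budget Agreements"},
    {"Lucidum User Name": "kate", "Data Category": "Facility",
     "Data Sources": ["Tenable"], "Data Description": "Budget Requirements"},
    {"Lucidum User Name": "bob", "Data Category": "Customer Support",
     "Data Sources": ["SentinelOne"], "Data Description": "Vendor contracts"},
    {"Lucidum User Name": "pete", "Data Category": "Information Technology",
     "Data Sources": [], "Data Description": "Product roadmap"},
]


def lint_value(pattern: str):
    """Return a list of warnings about a Value expression.

    The appendix's one stated rule is 'do not include spaces after the comma':
    the space becomes part of the next alternative and stops it from matching.
    Each alternative is also compiled so a malformed expression is reported.
    """
    warnings = []
    if ", " in pattern:
        warnings.append("space after comma: next alternative starts with ' '")
    for alt in pattern.split(","):
        try:
            re.compile(alt)
        except re.error as exc:
            warnings.append(f"invalid regular expression {alt!r}: {exc}")
    return warnings


def value_matches(pattern: str, value) -> bool:
    """Apply one Value expression to a single field value.

    Semantics follow the appendix table:
      * the expression is split on commas and the parts are OR'ed together;
      * ^ $ . + ? | keep their regular-expression meaning inside each part;
      * a List field matches when any element matches (assumption);
      * matching is case-insensitive, inferred from the appendix example in
        which 'crowdstrike' matches 'CrowdStrike' (assumption).
    """
    alternatives = [alt for alt in pattern.split(",") if alt]
    elements = value if isinstance(value, list) else [value]
    for alt in alternatives:
        rx = re.compile(alt, re.IGNORECASE)
        if any(rx.search(str(el)) for el in elements):
            return True
    return False


def query(records, field: str, pattern: str):
    """Return the records whose `field` matches `pattern`."""
    return [r for r in records if field in r and value_matches(pattern, r[field])]


def matching_users(field: str, pattern: str):
    """Sorted Lucidum User Names from SAMPLE_RECORDS matched by the query."""
    return sorted(r["Lucidum User Name"] for r in query(SAMPLE_RECORDS, field, pattern))


if __name__ == "__main__":
    # One query per operator in the appendix table, plus the space-after-comma
    # mistake to show that the second alternative is lost.
    for field, pattern in [
        ("Data Category", "^F"),
        ("Data Sources", "crowdstrike,carbonblack,sentinelone"),
        ("Data Category", "t$"),
        ("Lucidum User Name", "..te"),
        ("Data Description", "Agre+m"),
        ("Data Description", "q?"),
        ("Data Category", "Fin|Info"),
        ("Data Sources", "crowdstrike, carbonblack"),
    ]:
        warn = lint_value(pattern)
        print(f"{field:18} {pattern:38} -> {matching_users(field, pattern)}"
              + (f"   WARN: {warn}" if warn else ""))
```

Because `.` and `?` match almost anything, `q?` matches every record, exactly as the table's own example implies; when you want a literal period (for example in a version string such as 7.9) it has to be escaped, since this script, like the table, treats the period as the any-character operator.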