Using the Lucidum App

You can use the Lucidum app to query data from your Lucidum system. The results are displayed in Slack. You can then share queries and results with your team, even if all members are not Lucidum users.

Querying Data

To query your Lucidum data from Slack:

In the Slack channel where you have invited the Lucidum app, enter:
/query-set-table
Press send.
The Select Table modal appears.
Choose the type of data you want to query:
- Assets. Table of asset data from current time period. The default “current” time period is 7 days.
- Asset History. Table of asset data from historical time period. The default historical time period is from 8 days old to 30 days old.
- Users. Table of user data from current time period. The default “current” time period is 7 days.
- User History. Table of user data from historical time period. The default historical time period is from 8 days old to 30 days old.
NOTE: You can customize or view the “current” and “historical” values in Settings > System Settings > Data Settings.
- Current uses the value of Data Lookback in Days.
- History uses the value of Data Retention in Days.
Click Submit.
In the Slack channel where you have invited the Lucidum app, enter:
/query
Send the message.
The Query Assets (or Asset History, Users, or User History, depending on the table your specified) modal page appears:
In the Query Assets modal:
- Fields. Fields are one or more properties that you are interested in, such as “first time seen”, “ip address”, “county code”, or “risk score”. Fields map to column names in a database table. The Query Assets modal can display up to 100 fields. To see additional fields, type the field name or the first few characters of a field name. The Query Assets modal will then include fields that match. For details on fields, see the chapter on Fields and Regular Expressions.
- Operators. Operators define the relationship between the fields and the values. Operators can include “match”, “not match”, “is equal to”, “is not equal to”, “is greater than”, “is less than”, “exists”, “is empty”, among others. Lucidum provides a set of operators for each field. For details on operators, see the chapter on Data Types and Operators
- Values. In this field, you select a value. This list of available values is dependent on the value you selected in Field and the value you selected in Operators. For example, if you chose “Memory Size (GB)” as a field, you could choose “is equal to” as an operator and “256” as a value. Your results would include only assets with 256 GB of memory.
- Keywords. Lucidum queries support two keywords: AND and OR.
  - AND means that the results must meet all the criteria in a multi-part query.
  - OR means that the results must meet one of the criteria in a multi-part queryField.
  - For details on AND and OR, see the section on Writing Queries that Use AND and OR.
After building the query, click Submit.
Lucidum sends the results to Slack for display.

Example Query

In the Slack channel where you have invited the Lucidum app, enter:
/query-set-table
Press send.
The Select Table modal appears.
We chose Assets.
In Slack, enter:
/query
Send the message.
The Query Assets modal page appears:
In this query, we queried the Assets table for all assets with the Asset Category of On-Prem.
The results appear like this:
Notice that although 1402 assets match the query, only ten results are displayed in Slack. To capture all the results, click Export JSON.
The JSON Export Options modal page appears.
In this modal, you can specify the results to export. Each page contains 100 results. In our example, we downloaded records 200-700.
In the query results, notice that only the asset name is displayed. To display more columns, click Edit columns
The Edit Query modal appears, with the current query already loaded.
In the Columns field, you can select one or more columns to display in the results. In our example, we selected Lucidum Asset Name and Department.
Lucidum re-runs the query and displays the new columns in Slack:

Writing Queries at the Slack Prompt

If you know the field names and values you are interested in, you can write queries directly at the Slack prompt.

To do this:

In the Slack channel where you have invited the Lucidum app, select a database to query. To do this, enter:
query-set-table <table-name>
where table_name is one of the following:
- asset. Table of asset data from current time period. The default “current” time period is 7 days.
- asset_history. Table of asset data from historical time period. The default historical time period is from 8 days old to 30 days old.
- user. Table of user data from current time period. The default “current” time period is 7 days.
- user_history. Table of user data from historical time period. The default historical time period is from 8 days old to 30 days old.
After specifying a database, you can enter a query directly in slack. To do this, enter:
/query <query_string>
where:
query_string is the query, in the format of <field> <operator> <value>
For example, to query the Assets table for all assets with the Asset Category of On-Prem, you could enter:

/query Asset_Category == On-Prem

The field name must be a single word. The field name and value name are case-sensitive.

Datetime Fields

Datetime fields where the operator is:
- within past
- not within past
- within future
- not within future
accept both the APIv2 format that includes a comma and a format without the comma.
For example,
First_Discovered_Datetime within past 2 months
or
First_Discovered_Datetime within past 2, months
are both valid.
Datetime comparison values like <, =, >, != support natural language values:
- now
- today
- yesterday
- <number> weeks ago
- <number> years ago
- combinations such as “2 months 2 weeks ago”
For example:
query First_Discovered_Datetime >= two months two weeks ago