Viewing Details about Individual Assets, Users, or Vulnerabilities

Data Source, Lucidum Data Group, and Field Change History #

You can view details about the data for a single asset, user, or vulnerability.

There are three types of data in Lucidum, all of of which you can view in Lucidum and use in dashboards:

• Data Source. Data sources map to Lucidum Connectors. For each asset, user, and vulnerability, you can view all the data sources from which Lucidum ingested data about the asset, user, or vulnerability. You can select a Data Source to exactly see which semi-raw data was provided by that data source. For example, you can see all semi-raw data ingested by the AWS connector.

• Lucidum Data Group. Enriched data about assets, user, and vulnerabilities. Lucidum ingests data from multiple data sources and uses machine learning to deduplicate and triangulate data for each asset and normalize that data. The Lucidum Data Group tab allows you to view this enriched data for each asset, user, and vulnerability. Data in the Lucidum Data Group appears as fields in the Query tool.

• Field Change History.  Displays a table of fields that have changed, including each field’s current value and its previous value. These are the fields that have changed in the last seven days.

Viewing Semi-Raw Data from the Data Source Tab #

All the data in Lucidum has been passed through Lucidum AI/ML before it reaches the Lucidum UI. However, there are some fields that further processed and then included in the Lucidum Data Group. Other fields are not further processed but are stored in Lucidum, are viewable in the UI, but are not included in the Lucidum Data Group. These fields are semi-raw data.

However, you can add semi-raw data fields to the Lucidum Data Group, so those values are available for use throughout the Lucidum product.

To view the semi-raw data in an asset record or user record:

1. Follow the steps in in the section on Building the Query.
2. In the Build a Query page, click the Show Results (page) icon in the lower right.
   
3. In the Query Results page, find the asset, user, or vulnerability you are interested in. Click the > icon in the column farthest to the right.
   
4. In the Viewing Details page, click the Data Sources tab.
   
5. The Data Sources tab lists all the data sources that contributed to the asset record or user record.
6. In the Viewing Details page, in the right pane, select a data source to see the data that Lucidum ingested from that data source about this asset, user, or vulnerability.
7. In this example, we selected Symantec Endpoint Protection Computer from the left pane.
   • The right pane displays the data about this asset that Lucidum ingested from Symantec Endpoint Protection.
8. For each data source, the Data Source tab displays First Ingestion Time.
9. Note the toggle for Show Fields with No Content in the upper right. If you want to see all the possible fields Lucidum can ingest for an asset, enable this toggle.
   • You might see fields that are not populated. This means that Lucidum has not ingested that data from your environment, either because you have not yet configured the connector(s) and triggered data ingestion or because your environment doesn’t include that type of data.
10. Only fields in the Lucidum Data Group appear in the Query tool. To add a field from a data source to the Lucidum Data Group, click its plus-sign. For details, see the section on Adding Fields to the Lucidum Data Group.

Viewing Enriched Data #

The Lucidum Data Group (LDG) is a dataset that includes real-world, verified, accurate, up-to-date data on cybersecurity and IT infrastructure.

• Lucidum is agentless and ingests read-only API data from all the solutions in your environment, including IT, operations, development, business, network, security, and HR solutions, and structured and unstructured data from data lakes.

• Lucidum transforms the ingested data using machine learning algorithms, network graph analysis, text mining, and data classification models to build an enriched, normalized dataset for all assets, users, data, and security postures in your environment.

  • For some of the ingested data, Lucidum lightly processes it using rules-based algorithms.

  • Lucidum pushes other ingested data through ML engines and then maps the data to fields in the LDG. These ML engines find relationships between assets, users, and data, determine the applications running on each asset, align all security data about vulnerabilities, risks, and misconfigurations with the appropriate assets, users, and datastores, and apply risk models.

  • Lucidum uses ML engines to deduplicate records for assets and users.

    • Lucidum examines usernames, email addresses, and other fields to deduplicate records for each user.

    • Lucidum uses serial numbers, FQDNs, MAC addresses, network graph analysis, and other fields to deduplicate assets.

    • Lucidum uses several text mining and data classification models to find details about data stores.

  • Lucidum normalizes values for asset name, asset type, OS category, OS version, status, username, and vendor, to prevent duplicate records and to enable consistent query results.

• Lucidum stores the enriched, normalized dataset in the Lucidum Data Group (LDG). After processing, the LDG includes deduplicated, normalized, and accurate details about each user, each asset, and each data store.

To view the enriched data about an asset, user, or vulnerability:

1. Follow the steps in in the section on Building the Query.

2. In the Query page, click the Show Results (page) icon in the lower right.

   

3. In the Query Results page, find the asset, user, or vulnerability you are interested in.

4. Click the > icon in the column farthest to the right.

   

5. In the Viewing Details page, click the Lucidum Data Group tab.

   

6. In the Details page, in the left pane, select the category of enriched data you want to view. In our example, we selected Asset.

7. After each ingestion, Lucidum:

   • Deduplicates records. For example, suppose an asset uses DHCP. Suppose Lucidum ingests different information about that asset each day. However, each day, that asset will lease a new IP address. Instead of creating multiple asset records, Lucidum creates a single record for that asset. The single record includes all the IP addresses associated with the asset over time.

   • Triangulates records. Suppose a single user appears in multiple solutions with multiple versions of a user name. For example, suppose Lucidum ingests a different name from Azure AD, GitHub, and Intune. Suppose Lucidum ingests the names “John.Smith”, “SmithJ”, and “[email protected]”. Lucidum creates a single entry for that user with a single user name and enriches the user record with information from Azure AD, GitHut, and Intune.

   • Aggregates records. Suppose Lucidum ingests data about an asset from CarbonBlack, Tenable, Intune, VMware, and InfoBlox. Each data source provides some information. Some of these data sources provide unique information. For example, one solution might provide OS and version, another solution might provide vulnerabilities, another solution might provide hardware information, another solution m7ight provide application data, and another solution might provide cloud information. Lucidum creates a single asset record that aggregates all the data from the multiple solutions.

   • Derives Data. Suppose you are interested in broader categories of data to provide a high-level overview in dashboards and reports. In these cases, Lucidum can strip out extraneous detail without losing accuracy. For example, suppose you are interested in operating systems running in your environment. Lucidum can provide you with a list of devices running Linux, Windows, and MacOs, regardless of the flavors or versions. Or suppose you want a list of all Windows 10 devices, regardless of the build of Windows 10.

8. Note the toggle for Show Fields with No Content in the upper right. If you want to see all the possible fields Lucidum can ingest for an asset, enable this toggle.

   

9. Notice that when toggled on, some of the fields are empty.

   • The populated fields in the LDG are dependent upon the data you have ingested with Lucidum connectors.

   • You might see fields that are not populated in your Lucidum system. This means that Lucidum has not ingested that data from your environment, either because you have not yet configured the connector(s) and triggered data ingestion or because your environment doesn’t include that type of data.

   • You also might see fields called “Extra Fields” in your Lucidum system that don’t appear in the list of fields. This means that Lucidum has ingested data from your environment that is not typically available in all environments.

10. The Lucidum Data Group tab includes a category for Risk. This tab displays the Lucidum risk calculations for an asset and risk calculations by other data sources for the asset (if applicable).

11. The Lucidum Data Group tab includes categories for Smart Labels and Tags. Note that in the Tags category, the Lucidum Data Group also displays the tags ingested from the source asset or user.

Adding Fields to the Lucidum Data Group #

Only fields in the Lucidum Data Group appear in the Query tool. If you want to use data from a data source in a Dashboard, Action, or SmartLabel, you must first add the data to the Lucidum Data Group.

NOTE: Although some semi-raw data appears in the Query Tool, you cannot include these fields in a Table chart until you add them to the Lucidum Data Group.

To add a field from a data source to the Lucidum Data Group:

1. Follow the steps in in the section on Building the Query.
2. In the Build a Query page, click the Show Results (page) icon in the lower right.
   
3. In the Query Results page, find the asset, user, or vulnerability you are interested in. Click the > icon in the column farthest to the right.
   
4. In the Viewing Details page, click the Data Sources tab.
   
5. The Data Sources tab lists all the data sources that contributed to the asset record or user record.
6. In the Viewing Details page, in the right pane, select a data source to see the data that Lucidum ingested from that data source about this asset, user, or vulnerability.
7. In this example, we selected SentinelOne Agent from the left pane.
8. Suppose we want to promote the semi-raw data field CPU Cores. We click the Add to Lucidum Data Group icon (plus-sign) next to the field.
   
9. In the Add Field to Lucidum Data Group modal page, we click Save.
10. The promoted field appears in the Lucidum Data Group tab for the asset:
    
11. To delete a promoted field from the Lucidum Data  Group, click the fields Delete icon (trashcan).

NOTE: If a promoted field is used in Dashboard, Action, or SmartLabel, you cannot delete the field from the Lucidum Data Group.

Viewing Field Change History #

The Field Change History tab displays a list of fields from the Lucidum Data Group that have changed. The Field Change History tab displays the current value and all the previous values for each changed field.

To view the change history for fields in an asset record or user record:

1. Follow the steps in in the section on Building the Query.

2. In the Query page, click the Show Results (page) icon in the lower right.

   

3. In the Query Results page, find the asset, user, or vulnerability you are interested in. Click the checkbox for that entry.

4. Click the > icon in the column farthest to the right.

   

5. In the Viewing Details page, click the Field Change History tab.

   

6. In the Field Change History page, you can expand each drawer (down arrow) and see a list of all values for a changed field and the time at which the change occurred.