Appendix: Fields and Regular Expressions

The fields available to you depend on the Lucidum object specified in the Build Query from field.

The Build Query from field specifies an object to examine. Choices are:

  • Asset

  • User

  • Asset-IP Mapping

  • User-IP Mapping

  • Vulnerability

Fields are characteristics of a Lucidum object. For example, a characteristic of a user is the user’s email address. A characteristic of an asset is the asset’s IP address.

Data Source and Lucidum Data Group

Lucidum ingests information about assets, users, and data from your environment. Lucidum then deduplicates, triangulates, and aggregates that information to provide you with enriched data about assets, users, and vulnerabilities.

There are two types of data in Lucidum:

  • Data Source. Data Sources contain the raw data that is ingested by Lucidum collectors from your environment. For example, Data Sources can include Tenable, SentinelOne, Infoblox, Active Directory, AWS, VMware. Within each Data Source is the raw data collected by Lucidum for an asset. For example, an Active Directory data source for an asset would include the information you would expect to find in an Active Directory record for that asset.

  • Lucidum Data Group. After ingestion, Lucidum cleans up the raw data and fills the gaps between security solutions. After ingesting data from connectors, Lucidum enriches that data through machine learning.

This appendix describes the fields in the Lucidum Data Group. To view all the raw data in your environment, use the Data Sources page. You can also view the raw data behind a single query result in the Data Sources tab of the Details page (Explore button > Query Builder > New Query > Show Results > details icon).

Note that the list of fields in your Lucidum system is dependent upon the data you have collected with Lucidum connectors.

You might see fields in this appendix that don’t appear in your Lucidum system. This means that Lucidum has not fetched that data from your environment, either because you have not yet configured the connector(s) and triggered data ingestion or because your environment doesn’t include that type of asset.

You might see fields called “Extra Fields” in your Lucidum system that don’t appear in the list of fields in this appendix. This means that Lucidum has fetched data from your environment that is not typically available in all environments.

The fields that appear in your Lucidum system are the fields you can use to build queries.

Lucidum Data Group

The following fields appear in the Lucidum Data Group. You can include these fields in queries.

Age

| Field | Description | Type |
|---|---|---|
| Agent Status | Status of the agent running on the asset | Text |
| First Ingestion Time | Earliest timestamp associated with the Lucidum ingestion session for the asset or user | Date/Time |
| First Time Seen | Earliest timestamp associated with data from the asset, user, or vulnerability | Date/Time |
| Hire Time | Employee hiring epoch time | Date/Time |
| IP Assignment End Time | IP address assignment end epoch time | Date/Time |
| IP Assignment Start Time | IP address assignment start epoch time | Date/Time |
| Last Lockout Time | User last locked out epoch time (from LDAP) | Date/Time |
| Last Password Set Time | User last password set epoch time (from LDAP) | Date/Time |
| Last Start Time | Timestamp from the most recent boot of the asset | Date/Time |
| Last Time Seen | Most recent timestamp associated with data from the asset, user, or vulnerability | Date/Time |
| Life | Life (in human-readable format) | Text |
| Life (Hours) | Time, in hours, that data from the asset or user has existed in Lucidum | Numeric |
| Lucidum License Expiration Time | Timestamp for Lucidum license expiration | Date/Time |
| Lucidum Status | Current status of an asset. Possible values: Bypass, Not Listed, Offline, Online, Pending | Text |
| New Asset (yes/no) | Specifies whether the asset is new | Binary/Boolean |
| New User (yes/no) | Specifies whether the user is new | Binary/Boolean |
| NVD Last Modified Time | Date and time the vulnerability was last modified in the NIST National Vulnerability Database | Date/Time |
| NVD Published Time | Date and time the vulnerability was first published in the NIST National Vulnerability Database | Date/Time |
| Record Generated Time | Earliest timestamp associated with the Lucidum ingestion session for the asset, user, or vulnerability | Date/Time |
| Status | Status of the asset | Text |
| Terminate Time | Employee termination epoch time | Date/Time |

Applications

| Field | Description | Type |
|---|---|---|
| Applications | List of applications associated with the asset or user | Nested List |
| Critical Risk Apps | Number of critical risk applications | Numeric |
| Critical Risk Apps List | Critical risk applications | List |
| High Risk Apps | Number of high risk applications | Numeric |
| High Risk Apps List | High risk applications | List |
| SaaS Application | SaaS application name (e.g., Okta) | Text |
| SaaS Application Description | SaaS application description | Text |
| SaaS Application Events | SaaS application events history | List |
| SaaS Application Type | SaaS application type (e.g., SSO) | Text |
| SaaS Application Version | SaaS application version | Text |
| User Agent | User agent detected | Text |

Asset

| Field | Description | Type |
|---|---|---|
| # of Assets | Number of assets linked to the user or vulnerability | Numeric |
| Asset Category | Category for the asset. For example, “cloud” or “on-prem” | Text |
| Asset Function | Asset functional category. For example, “network” or “endpoint” | Text |
| Asset Group ID | Asset group ID | Text |
| Asset Groups | Groups associated with the asset | List |
| Asset LDAP Groups | Asset LDAP CN groups | List |
| Asset LDAP Group Members | Asset LDAP full group members | Text |
| Asset Type | Asset type. For example, “server” or “workstation” | Text |
| Auto Scaling Group | Asset auto-scaling group name (e.g., AWS EC2 auto-scaling group) | Text |
| Cluster Config | Cluster configuration. For example, “VMware” | List |
| Cluster ID | Cluster ID | Text |
| Cluster Name | Cluster name | Text |
| Critical Asset (yes/no) | True if the asset is critical according to the data source | Binary/Boolean |
| Data Center ID | Data center ID | Text |
| Encrypted (yes/no) | True if the asset is encrypted | Binary/Boolean |
| Full Domain Name | Fully qualified domain name | List |
| Host ID | Host ID | List |
| Instance ID | AWS instance ID | Text |
| Instance Name | AWS instance name | Text |
| Instance Type | AWS instance type | Text |
| IP Address | IP address(es) | List |
| Latest Asset Name | Asset name with the latest timestamp | |