Appendix: Fields in the Lucidum Data Group


Fields are dependent upon the Lucidum object specified in the Build Query from field.

The Build Query from field specifies an object to examine. Choices are:

  • Asset

  • User

  • Asset-IP Mapping

  • User-IP Mapping

  • Vulnerability

Fields are characteristics of a Lucidum object. For example, a characteristic of a user is the user’s email address. A characteristic of an asset is the asset’s IP address.

Data Source and Lucidum Data Group

Lucidum ingests information about assets, users, and data from your environment. Lucidum then deduplicates, triangulates, and aggregates that information to provide you with enriched data about assets, users, and vulnerabilities.

There are two types of data in Lucidum:

  • Data Source. Data Sources contain the raw data that is ingested by Lucidum collectors from your environment. For example, Data Sources can include Tenable, SentinelOne, Infoblox, Active Directory, AWS, VMware. Within each Data Source is the raw data collected by Lucidum for an asset. For example, an Active Directory data source for an asset would include the information you would expect to find in an Active Directory record for that asset.

  • Lucidum Data Group. After ingestion, Lucidum cleans up the raw data and fills the gaps between security solutions. After ingesting data from connectors, Lucidum enriches that data through machine learning.

This chapter describes the fields in the Lucidum Data Group. To view all the raw data in your environment, use the Data Sources page. You can also view the raw data for a query result in the Data Sources tab of the Details page (Explore button > Query Builder > New Query > Show Results > details icon).

Note that the list of fields in your Lucidum system is dependent upon the data you have collected with Lucidum connectors.

You might see fields in this appendix that don’t appear in your Lucidum system. This means that Lucidum has not fetched that data from your environment, either because you have not yet configured the connector(s) and triggered data ingestion or because your environment doesn’t include that type of asset.

You might see fields called “Extra Fields” in your Lucidum system that don’t appear in the list of fields in this appendix. This means that Lucidum has fetched data from your environment that is not typically available in all environments.

The fields that appear in your Lucidum system are the fields you can use to build queries.

Lucidum Data Group

The following fields appear in the Lucidum Data Group. You can include these fields in queries.

Age

| Field | Description | Type |
| --- | --- | --- |
| Agent Status | Status of the agent running on the asset. | String |
| First Ingestion Time | Earliest timestamp associated with the Lucidum ingestion session for the asset or user | Date/Time |
| First Time Seen | Earliest timestamp associated with data from the asset, user, or vulnerability | Date/Time |
| Hire Time | Employee hiring epoch time | Date/Time |
| IP Assignment End Time | IP address assignment end epoch time | Date/Time |
| IP Assignment Start Time | IP address assignment start epoch time | Date/Time |
| Last Lockout Time | User last locked out epoch time (from LDAP) | Date/Time |
| Last Password Set Time | User last password set epoch time (from LDAP) | Date/Time |
| Last Start Time | Timestamp from most recent boot of the asset | Date/Time |
| Last Time Patched | Most recent timestamp associated with patching for the asset | Date/Time |
| Last Time Scanned | Most recent timestamp associated with a vulnerability scan for the asset | Date/Time |
| Last Time Seen | Most recent timestamp associated with data from the asset, user, or vulnerability | Date/Time |
| Life | Life (in human-readable format) | String |
| Life (Hours) | Time in number of hours that data from the asset or user has existed in Lucidum | Float |
| Lucidum License Expiration Time | Timestamp for Lucidum license expiration. | Date/Time |
| Lucidum Status | Current status of an asset. Possible values are: Bypass, Not Listed, Offline, Online, Pending. | String |
| New Asset (yes/no) | Specifies whether the asset is new | Binary/Boolean |
| New User (yes/no) | Specifies whether the user is new | Binary/Boolean |
| NVD Last Modified Time | Date and time the vulnerability was last modified in the NIST National Vulnerability Database | Date/Time |
| NVD Published Time | Date and time the vulnerability was first published in the NIST National Vulnerability Database | Date/Time |
| Record Generated Time | Earliest timestamp associated with the Lucidum ingestion session for the asset, user, or vulnerability | Date/Time |
| Status | Status of the asset | String |
| Terminate Time | Employee termination epoch time | Date/Time |

Applications

| Field | Description | Type |
| --- | --- | --- |
| Applications | List of applications associated with the asset or user. Nested values are: Applications::Name, Applications::Source, Applications::Version. | Nested List (String). See Using Queries with Nested Lists for details on nested lists. |
| Critical Risk Apps | Number of critical risk applications | Integer |
| Critical Risk Apps List | Critical risk applications | List |
| High Risk Apps | Number of high risk applications | Integer |
| High Risk Apps List | High risk applications | List |
| SaaS Application | SaaS application name (e.g., Okta) | String |
| SaaS Application Description | SaaS application description | String |
| SaaS Application Events | SaaS application events history | List |
| SaaS Application Type | SaaS application type (e.g., SSO) | String |
| SaaS Application Version | SaaS application version | String |
| User Agent | User agent detected | String |

Asset

| Field | Description | Type |
| --- | --- | --- |
| # of Assets | Number of assets linked to the user or vulnerability | Integer |
| Asset Category | Category for the asset. For example, “cloud” or “on-prem”. | String |
| Asset Function | Asset functional category. For example, “network” or “endpoint”. | String |
| Asset Group ID | Asset group ID | String |
| Asset Groups | Groups associated with the asset | List |
| Asset LDAP Groups | Asset LDAP CN groups | List |
| Asset LDAP Group Members | Asset LDAP full group members | String |
| Asset Type | Asset type. For example, “server” or “workstation”. | String |
| Auto Scaling Group | Asset auto-scaling group name (e.g., AWS EC2 auto-scaling group) | String |
| Cluster Config | Cluster configuration. For example, “VMWare”. | List |
| Cluster ID | Cluster ID | String |
| Cluster Name | Cluster name | String |
| Critical Asset (yes/no) | True if the asset is critical according to the data source | Binary/Boolean |
| Data Center ID | Data center ID | String |
| Encrypted (yes/no) | True if the asset is encrypted | Binary/Boolean |
| Full Domain Name | Fully qualified domain name | List |
| Host ID | Host ID | List |
| Instance ID | AWS instance ID | String |
| Instance Name | AWS instance name | String |
| Instance Type | AWS instance type | String |
| IP Address | IP address(es) | List |
| Latest Asset Name | Of all available data sources, asset name with the latest timestamp | String |
| Live Migration Enabled (yes/no) | True if live migration is enabled (e.g., VMware vMotion) | Binary/Boolean |
| Lucidum Asset Name | Asset name derived with Lucidum ML | String |
| Lucidum Asset Type | Asset type derived with Lucidum ML. Standardized and similar to normalized data. | String |
| Lucidum OS Category | OS category derived with Lucidum ML. Standardized and similar to normalized data. For example, “Linux”, “Windows”. | String |
| Lucidum OS Version | OS version derived with Lucidum ML. Standardized and similar to normalized data. | String |
| Lucidum Status | Current status of an asset. Possible values are: Bypass, Not Listed, Offline, Online, Pending. | String |
| Lucidum Vendor | Vendor name derived with Lucidum ML. Standardized and similar to normalized data. | String |
| MAC Address | MAC address(es) | List |
| Multi-Host Access (yes/no) | True if the asset has multiple-host access | Binary/Boolean |
| OS and Version | OS and version | String |
| Public IP Address | Public IP address(es) | List |
| Resource Pool | Asset resource pool | String |
| Snapshot (yes/no) | True if the asset is a snapshot | Binary/Boolean |
| Source Asset Name | Name of the asset as fetched from the source connector | String |
| User’s Assets | The asset(s) linked to the user. The nested values include: User’s Assets::Asset, User’s Assets::First Ingestion Time, User’s Assets::First Time Seen, User’s Assets::Last Time Seen, User’s Assets::OS, User’s Assets::Source, User’s Assets::Source User, User’s Assets::Type. | Nested List (String). See Using Queries with Nested Lists for details on nested lists. |
| vCenter ID | ID for the VMware vCenter | List |
| Vendor | Name of the vendor | String |
| VM ID | Virtual machine ID | List |

Cloud #

Field

Description

Type

Cloud Account

Cloud account name(s)

String

Cloud Account ID

Cloud account ID(s)

String

Cloud Asset (yes/no)

True if the asset is in cloud

Binary/Boolean

Cloud Instance ID

ID of Cloud instance

String

Cloud Stack

Name of Asset stack

String

CloudTrail Bucket

Name of CloudTrail bucket

String

CloudTrail Global-Service (yes/no)

True if CloudTrail includes API calls from global services

Binary/Boolean

CloudTrail Log (yes/no)

True if asset is logged in CloudTrail

Binary/Boolean

CloudTrail Log Group

Name of CloudTrail log group

String

CloudTrail Multi-Region (yes/no)

True if CloudTrail is enabled in multiple regions

Binary/Boolean

CloudTrail Name

Name of CloudTrail

String

CloudTrail Resource

Name of CloudTrail resource

String

CloudWatch Log Group

Name of CloudWatch log group

String

Cluster Name

Name of Cloud micro-service cluster

String

Idle Instance (yes/no)

True if the cloud instance may be idling

Binary/Boolean

Image Creation Time

Date and time Cloud instance image was created

Date/Time

Image ID

Cloud image ID

String

Image Name

Cloud image name

String

Instance Key

Cloud instance SSH key name

String

Instance Name

Name of Cloud instance

String

Instance Profile

Profile/role associated with the Cloud instance

String

Instance Type

Type associated with the Cloud instance

String

Monthly Cost (US Dollar)

Monthly running costs (in US dollars)

Float

Old Image (yes/no)

True if the instance image is older than 30 days

Binary/Boolean

Old Image Age

Age of the old image, in months

Integer

Parent Image ID

ID of the parent image for the Cloud instance

String

Public Image (yes/no)

True if the instance image is public

Binary/Boolean

Target Group

Target groups for the Load balancer

String

Task Definition

Name of the task definition for the Container service

String

Volume ID

Cloud volume ID attached to the instance

String

Compliance

Field

Description

Type

# of Non-Compliance

Number of non-compliances

Integer

CloudTrail Validation (yes/no)

True if CloudTrail log file validation is enabled

Binary/Boolean

CloudWatch Alarm

Name of CloudWatch alarm

String

CloudWatch Filter

Name of CloudWatch filter

String

CloudWatch Filter Pattern

CloudWatch filter pattern

String

CloudWatch Metric

Name of CloudWatch metric

String

CloudWatch Metric Space

CloudWatch metric space

String

Compliance Entity

Compliance entity

String

Compliance Source

Compliance source

String

Compliance State

Specifies whether asset meets compliance parameters. Possible values are “Compliant” and “Noncompliant”

String

Logging Enabled (yes/no)

True if the asset logging is enabled

Binary/Boolean

MFA Configured

MFA configuration status of the user

List

Missing Patch List

List of missing system patches

List

Missing Patches

Number of missing system patches

Number

Non-Compliance List

Non-compliance list

List

Replication Enabled (yes/no)

True if the asset replication is enabled (e.g., S3 bucket replication)

Binary/Boolean

Root Access (yes/no)

True if the cloud account has root access enabled

Binary/Boolean

Root MFA Enabled (yes/no)

True if the cloud account has root MFA enabled

Binary/Boolean

Security Findings

Asset security/compliance findings

The nested values include:

Security Findings::Last Time Seen

Security Findings::Rule

Security Findings::Source

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Versioning Enabled (yes/no)

True if the asset versioning is enabled

Binary/Boolean

Data

Field

Description

Type

Bucket User Access

File bucket’s user access history

Nested values are:

Bucket Permission::Permission

Bucket Permission::User

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Bucket Users

Bucket user access history

List

Cloud Bucket

File bucket names

List

Cloud Files

Bucket files

List

Data Category

Lucidum extrapolated data category

String

Data Classification

Lucidum extrapolated data classification

String

Data Description

Lucidum extrapolated data topic keywords

String

Data Risk

Lucidum extrapolated data risk (higher value, riskier)

Integer

Data Store ID

Data store ID

List

File Folder

File folder names

List

File List

File access history

The nested values include:

File List::Source

File List::File Name

File List::File Access Datetime

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Data Source

Field

Description

Type

Data Source Details

Data Source Details can be very helpful. This field allows you to search by the raw fields collected by Lucidum, including fields like Connector Group and Connector profile.

The nested values include:

Data Source Details::Agent Enabled (True/False)

Data Source Details::Agent Version

Data Source Details::Asset Description

Data Source Details::Cloud Account

Data Source Details::Cloud Account ID

Data Source Details::Connector Group

Data Source Details::Connector Profile

Data Source Details::Connectors

Data Source Details::Data Sources

Data Source Details::Encrypted (True/False)

Data Source Details::Expiry Time

Data Source Details::First Time Seen

Data Source Details::Instance Name

Data Source Details::IP Address

Data Source Details::Last Logon Time

Data Source Details::Last Time Seen

Data Source Details::Location

Data Source Details::Lucidum Asset Name

Data Source Details::Lucidum Asset Type

Data Source Details::Lucidum OS Category

Data Source Details::Lucidum OS Version

Data Source Details::Lucidum Status

Data Source Details::Lucidum User Name

Data Source Details::Lucidum Vendor

Data Source Details::OS and Version

Data Source Details::Serial Number

Data Source Details::Source Asset Name

Data Source Details::Source User Name

Data Source Details::Status

Data Source Details::User Disabled (True/False)

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Data Sources

List of data sources

List

DevOps

Field

Description

Type

Docker Image ID

Hash ID of Docker image digest

String

Docker Repo

Name of Docker repository

String

Extra Fields

Field

Description

Type

Extra Fields

Fields that are not typically available in all environments.

Nested values include:

Extra Data::Key

Extra Data::Value

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Hardware

Field

Description

Type

Carrier

Mobile carrier

String

CPU Average Usage (%)

CPU average usage (%)

Float

CPU Cores

Number of CPU cores

Integer

Hardware Config

Hardware configuration (e.g., VMware)

Nested values include:

Hardware Config::Backing

Hardware Config::Summary

Hardware Config::Type

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

IMEI #

Mobile MEID/IMEI/ESN number

String

MAC Vendor

MAC hardware vendors

List

Memory Size (GB)

Memory size (in GB)

Float

Memory Usage (%)

Latest memory usage (%)

Float

Mobile #

Mobile/phone number

String

Model

Hardware model

String

Power State

Asset power state

String

Serial Number

Hardware serial number

String

Service Tag

Asset IT service tag

String

SIM #

Mobile SIM card number

String

Storage Size (GB)

Storage size (in GB)

Float

Storage Usage (%)

Latest storage usage (%)

Float

Vendor Class

Asset DHCP vendor class

String

Volume ID

Volume ID attached to the instance

String

Life Cycle

Field

Description

Type

Asset Expiry Time

Asset lifecycle expiry epoch time

Date/Time

Purchase Order

Asset purchase order number

String

Purchase Price

Asset purchase price

Float

Purchase Quantity

Asset purchase quantity

Integer

Purchase Source

Asset purchase source

String

Purchase Time

Asset purchase epoch time

Date/Time

Warranty Expiry Time

Asset warranty expiry epoch time

Date/Time

Location

Field

Description

Type

Building

Building name

String

Country Code

Location country ISO code

String

Country Name

Location country name

String

Environment

Environment

String

Latitude

Location latitude

Float

Longitude

Location longitude

Float

Location

Location

String

Rack

Rack name

String

Region

Region name

String

Site

Site name

String

Lucidum

These fields are derived from raw data from data sources and then normalized for easy use in queries and dashboards.

Field

Description

Type

Lucidum Asset Name

Name of the asset

String

Lucidum Asset Type

Asset type. Possible values are:

  • Certificate

  • Code

  • Computer

  • Container

  • Database

  • DNS

  • Domain

  • Facility

  • Generic

  • Image

  • IoT

  • License

  • Microservice

  • Mobile

  • Network

  • Power

  • Server

  • Service

  • Storage

  • Workstation

String

Lucidum License Expiration Time

Date and time that the Lucidum license expires

Date/Time

Lucidum OS Category

Manufacturer of the OS. Possible values are:

  • Android

  • Arista

  • CheckPoint

  • Cisco ASA

  • Cisco Hyperflex

  • Cisco IOS

  • Cisco IOS-XE

  • Cisco ISE

  • Cisco Linksys

  • Cisco MDS

  • Cisco Meraki

  • Cisco NX-OS

  • Cisco WLC

  • Dell

  • Dish Network

  • Embedded

  • EMC

  • ExtremeOS

  • F-5 Networks

  • FORTINET

  • Generic

  • Hitachi NAS

  • IBM i5OS

  • IBM OS/390

  • iOS

  • Linux

  • macOS

  • Microsoft Windows

  • NetApp

  • Novell

  • Nutanix

  • Palo Alto

  • Palo Alto Networks

  • Polycom

  • Ruckus

  • Sun

  • tvOS

  • Unix

  • VMware

  • VMware ESXi

  • VMware NSX

  • Windows

  • Xbox 360

String

Lucidum OS Version

Version of the OS. For example, CentOS 7.9-2009, macOS 12.1, Windows 10, Windows Server 2022

String

Lucidum Status

Current status of an asset. Possible values are:

  • Bypass

  • Not Listed

  • Offline

  • Online

  • Pending

String

Lucidum User Name

User name

String

Lucidum User Status

Status of user account. Possible values are:

  • Disabled

  • Enabled

String

Lucidum Vendor

Vendor associated with an asset

String

Network

Field

Description

Type

Certificate Algorithm

SSL certificate encryption algorithm

String

Certificate ID

SSL certificate ID

String

Certificate Rating

SSL certificate rating

String

Certificate Version

SSL certificate protocol version

String

DNS CNAME

DNS canonical name record

String

DNS MX

DNS mail exchange record

String

DNS Name

DNS name

String

DNS NS

DNS nameserver record

String

DNS PTR

DNS pointer record

String

DNS Requested Domain

DNS requested domain

String

DNS Security

DNS security status

String

DNS Type

DNS record type

String

DNS Zone

DNS zone

String

Domain

Asset domain name

String

External Ports

Open ports accessible externally

List

External Services

Services accessible externally

List

Firewall Action

Firewall default action

String

Firewall Rules

Firewall rules

The nested values include:

Firewall Rules::Action

Firewall Rules::Name

Firewall Rules::Override Action

Firewall Rules::Priority

Firewall Rules::Statement

Firewall Rules::Visibility

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Instance Key

Instance key name

String

Internet Gateway ID

Internet gateway ID

String

IP Pool

IP address pool

String

ISP

Public internet service provider according to source or extrapolated by Lucidum

String

Management VIP

Management virtual IP (VIP) address

String

NAS ID

NAS ID

String

NAS Port

NAS port

Integer

NAT Gateway ID

NAT gateway ID

String

Network ACL ID

Network access control (ACL) ID

String

Network Config

Network configuration (e.g., VMware)

The nested values include:

Network Config::Interface

Network Config::Protocol

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Network ID

Network ID

List

Network Interface ID

Network interface ID

String

Network Segment

Network segment

String

Open Inbound Access (yes/no)

DEPRECATED

Binary/Boolean

Port Group

Asset network port group

List

Ports

Open ports

List

Public Facing (yes/no)

True if the asset is public-facing. If an external port is accessible, set to True.

Binary/Boolean

Route Table ID

Route table ID

String

Security Group ID

Cloud security group IDs

List

Security Group IP Range

Cloud security group IP ranges permitted

List

Security Group Name

Cloud security group names

List

Security Group Rules

Security group rules

The nested values include:

Security Group Rules::From Port

Security Group Rules::Group Pairs

Security Group Rules::IP Ranges

Security Group Rules::Protocol

Security Group Rules::Rule Name

Security Group Rules::Rule Type

Security Group Rules::To Port

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Services

Services running on the asset

List

Subnet ID

Cloud subnet ID

String

Switch Name

Network switch name

String

VLAN ID

VLAN ID

String

VLAN Name

VLAN name

String

VPC ID

Cloud VPC ID

String

VPN Gateway ID

VPN gateway ID

String

VPN Profile

VPN profile name

String

Others

Field

Description

Type

Asset Description

Asset description

String

Changed Fields

Specifies a list of fields that have had a change in value.

List

Comments

Comments added

String

Cost Center

Cost center name/ID

String

Idle Instance (yes/no)

True if the asset may be idling

Binary/Boolean

Monthly Cost (US Dollar)

Monthly running costs (in US dollars)

Integer

Organization

Organization name

String

Purpose

Asset’s purpose according to data source

String

User Tickets

User’s service tickets

List

Policy

Field

Description

Type

Admin Policies

Number of admin policies

Integer

Policy

Policy name

String

Policy Statement

Policy statements

List

User Password Changeable (yes/no)

True if user can change the password

Binary/Boolean

User Password Enabled

User password enabled status

The nested values include:

User Password Enabled::Account

User Password Enabled::Status

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

User Password Expired (yes/no)

True if the user’s password is expired

Binary/Boolean

User Password Min. Length

Minimum length required for user’s password

Integer

User Password Not Required (yes/no)

True if the user’s password is not required

Binary/Boolean

User Password Resettable (yes/no)

True if user’s password is resettable

Binary/Boolean

User Password Reuse Times

Maximum user password reuse times

Integer

User Password Valid Age

Number of days that a user password is valid

Integer

User Password with Lower Letter (yes/no)

True if user’s password must contain lower-case character

Binary/Boolean

User Password with Number (yes/no)

True if user’s password must contain numbers

Binary/Boolean

User Policies

AWS User policies

The nested values include:

User Policies::Account

User Policies::Policies

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Risk

Field

Description

Type

High Risk Assets

Count of high-risk assets associated with the user

Integer

High Risk Assets List

List of high-risk assets associated with the user

List

High Risk Users

Count of high-risk users associated with the asset

Integer

High Risk Users List

List of high-risk users associated with the asset

List

Risk Factors

All risk factors

List

Risk Level

Risk level

String

Risk Ranking

Standardized/ranked risk score (1-100)

Integer

Risk Score

Raw risk score (higher value, riskier)

Float

Top Factor 1

Risk top factor 1

String

Top Factor 2

Risk top factor 2

String

Top Factor 3

Risk top factor 3

String

Smart Labels

Field

Description

Type

Smart Labels

A complex query the user has created in Lucidum. For details, see Creating and Managing Smart Labels.

Boolean

Float

Integer

List

String

Tags

Field

Description

Type

Tags

Tags the user has created in Lucidum and can assign to assets in Lucidum. For details, see Creating and Managing Tags.

List

Number

String

Time

Image Tag

Cloud instance image tags

The nested values include:

Image Tag::Key

Image Tag::Value

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Tag

Tag retrieved by Lucidum from an asset. In Lucidum these are called Ingested Tags.

The nested values include:

Tag::Key

Tag::Value

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Threat

Field

Description

Type

Critical Threats

Number of critical-severity threats

Integer

Endpoint Agent (yes/no)

True if the endpoint protection agent is installed

Binary/Boolean

High Severity Threat List

List of all high-severity threats

List

High Threats

Number of high-severity threats

Integer

Malware/Threat Alerts

Number of malware infections or threats detected

Integer

Medium Severity Threat List

List of all medium-severity threats

List

SANS Malicious IP (yes/no)

Specifies whether an IP address is included in the SANS list of malicious IPs

Binary/Boolean

Threat List

Threat list

List

TOR Node IP (yes/no)

Specifies whether an IP address is from the Tor network

Binary/Boolean

User

Field

Description

Type

# of Users

Number of users linked to the asset

Integer

All Login Users

List of users on the asset.

The nested fields include:

All Login Users::First Ingestion Time

All Login Users::First Time Seen

All Login Users::IP Address

All Login Users::Last Time Seen

All Login Users::Source

All Login Users::Source User

All Login Users::User

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Bucket Permission

Specifies the S3 permissions for a user.

The nested fields include:

Bucket Permission::Owner_Name

Bucket_Permission::Permission

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Department

The business department associated with the user account

String

Duplicated User Detection

Confidence score for potentially duplicated users

Integer

Email

The email associated with the user account

String

Job Title

The job title associated with the user account

String

Lucidum User Name

Lucidum derived user entity name

String

Manager

The manager’s name associated with the user account

String

Person Full Name

The person’s full/display name

String

Related to Asset (yes/no)

True if the user has one or more assets linked

Binary/Boolean

Role Assuming Principals

Cloud role assuming principal(s)

List

Role ID

Role ID

String

Role Name

Role name

List

Source User Name

Data source raw user name

List

System Admin (yes/no)

True if the user has admin permission

Binary/Boolean

User Active (yes/no)

True if the user is active

Binary/Boolean

User Disabled (yes/no)

True if the user account is disabled (in LDAP)

Binary/Boolean

User Group Member

User LDAP full group memberships

List

User Groups

Groups associated with the user

List

User IDs

The user IDs linked to the user account

List

User Key

The API access key(s) associated with the user (AWS) account

The nested values include:

User Key::Account

User Key::Creation Time

User Key::Key ID

User Key::Last Time Used

User Key::Status

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

User LDAP Group Members

User LDAP full group memberships

List

User LDAP Groups

User LDAP CN groups

List

User Locked Out (yes/no)

True if the user is locked out (from LDAP)

Binary/Boolean

User Sources

User linked data source(s)

List

User SSO Failures

Number of failed SSO logins

Integer

User Status

User status

The nested values include:

User Status::Last Time Seen

User Status::Lucidum Status

User Status::Source

User Status::Source User

User Status::Status

User Status::User Disabled

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

User Terminated (yes/no)

True if the user is terminated in HR

Binary/Boolean

User Type

User type

String

Vulnerability

Field

Description

Type

Critical CVE List

Critical CVE IDs

List

Critical Vulns

Number of critical-severity vulnerabilities

Integer

CVE Count

Number of CVE vulnerabilities

Integer

CVE Description

Description of a vulnerability

String

CVE List

CVE IDs

List

CVE Software

One or more software packages affected by the CVE

Nested values include:

CVE Software::Name

CVE Software::Type

CVE Software::Vendor

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

CVE Solutions

Specifies the solution (if applicable) for a CVE

String

CVE Workarounds

Specifies the workaround (if applicable) for a CVE

String

CVSS Score

Score in the Common Vulnerability Scoring System (CVSS), a mathematical/statistical scoring for vulnerabilities, maintained by FIRST (Forum of Incident Response and Security Teams). Range is 0 (no risk) to 10 (critical risk).

Float

CVSS Severity

Severity in the Common Vulnerability Scoring System (CVSS), maintained by FIRST (Forum of Incident Response and Security Teams). Possible values are Critical, High, Medium, and Low.

String

CVSS Version

Version of the Common Vulnerability Scoring System (CVSS), maintained by FIRST (Forum of Incident Response and Security Teams). Each version of CVSS includes improved metrics and formulas. Possible versions are v2 (released 2007), v3.0 (2015), v3.1 (2019), and v4.0 (2023).

String

EPSS Percentile

Percentile in the Exploit Prediction Scoring System (EPSS), a mathematical/statistical scoring for exploits, maintained by FIRST (Forum of Incident Response and Security Teams).

Integer

EPSS Score

Score in the Exploit Prediction Scoring System (EPSS), a mathematical/statistical scoring for exploits, maintained by FIRST (Forum of Incident Response and Security Teams).

Float

High CVE List

High CVE IDs

List

High EPSS Count

Number of EPSS vulnerabilities

Integer

High EPSS List

List of EPSS vulnerabilities

List

High Vulns

Number of high-severity vulnerabilities

Integer

KEV Count

Number of vulnerabilities from the Known Exploited Vulnerabilities catalog.

Integer

KEV List

List of vulnerabilities from the Known Exploited Vulnerabilities catalog.

List

Known Exploited Vulnerability (yes/no)

Specifies if this is a Known Exploited Vulnerability, as specified by CISA.

Binary/Boolean

Known Fix (yes/no)

Specifies the solution (if applicable) for a CVE

Binary/Boolean

Low Vulns

Number of low-severity vulnerabilities

Integer

Lucidum Verified Risk

Lucidum calculates Lucidum Verified Risk by ingesting CVSS data, KEV data, and EPSS data about a vulnerability and applying proprietary rule-based algorithms and machine learning algorithms. The lowest possible score is “1”. The highest possible score is “100”. The higher the Lucidum Verified Risk score, the greater the risk.

Integer

Medium Vulns

Number of medium-severity vulnerabilities

Integer

Mitigated Vulns

Number of mitigated vulnerabilities

Integer

Vuln Scan (yes/no)

True if the asset is scanned by vulnerability assessment

Binary/Boolean

Vulnerabilities

Vulnerability details

The nested values include:

Vulnerabilities::CVE

Vulnerabilities::CVSS Score

Vulnerabilities::Description

Vulnerabilities::EPSS Percentile

Vulnerabilities::EPSS Score

Vulnerabilities::Fixable

Vulnerabilities::KEV

Vulnerabilities::Lucidum Verified Risk

Nested List (String)

See Using Queries with Nested Lists for details on nested lists.

Vulnerability Names

Vulnerability names

List

Regular Expressions

For fields of type String, List, and Nested List (String), you can include special characters in the Value field. These characters allow you to further customize the query.

Characters

Description

Example

^ (caret)

Matches entries that start with the character(s) to the right

For example, if the field is Data Category,

^F

matches both “Finance” and “Facility”

, (comma)

Functions as an “OR”, examining all values in the comma-separated list and showing results that match one or more of the values in the list.

For example, if the field is Data Sources:

crowdstrike,carbonblack,sentinelone

matches any asset that has one or more Data Sources from CrowdStrike or CarbonBlack or SentinelOne.

NOTE: Do not include spaces after the comma.

$ (dollar sign)

Matches entries that end with the character(s) to the left

For example, if the field is Data Category,

t$

matches

“Customer Support” and “Product”

. (period)

Matches one instance of any character

For example, if the field is Lucidum User Name

..te

matches

“achristensen”, “bhatter”, “kate”, and “pete”

+ (plus sign)

Matches one or more occurrences of the character to the left of the symbol

For example, if the field is Data Description,

Agre+m

matches

“Budget Agreements”

? (question mark)

Matches zero or one occurrence of the character to the left of the symbol

For example, if the field is Data Description,

q?

matches

“Budget Requirements”

| (pipe)

An OR. Matches either the string on the left or the string on the right of the symbol.

For example, if the field is Data Category,

Fin|Info

Matches both “Finance” and “Information Technology”
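The special characters above, reproduced as an added example (not Lucidum's code) that approximates the documented behaviour with Python's `re` module. It assumes unanchored, case-sensitive matching and treats the comma as a plain split; the function names and the data source values are hypothetical, and the non-matching sample values are constructed.

```python
import re

def split_alternatives(pattern):
    """Split a Value string on commas, which the page documents as an OR."""
    return pattern.split(",")

def value_matches(pattern, value):
    """True if any comma-separated alternative is found anywhere in value."""
    return any(re.search(alt, value) for alt in split_alternatives(pattern))

def field_matches(pattern, values):
    """List and Nested List fields: match if any element matches."""
    if isinstance(values, str):
        values = [values]
    return any(value_matches(pattern, v) for v in values)

def lint(pattern):
    """Warn about patterns that select more or fewer assets than intended."""
    warnings = []
    for alt in split_alternatives(pattern):
        if alt != alt.strip():
            warnings.append(
                f"{alt!r}: whitespace around a comma becomes part of the pattern")
        try:
            compiled = re.compile(alt)
        except re.error as exc:
            warnings.append(f"{alt!r}: invalid expression ({exc})")
            continue
        # A pattern that can match the empty string matches every value,
        # so the filter silently stops filtering.
        if compiled.fullmatch(""):
            warnings.append(
                f"{alt!r}: can match zero characters, so it matches every value")
    return warnings

# (pattern, values the page says match, constructed values that must not match)
PAGE_EXAMPLES = [
    ("^F", ["Finance", "Facility"], ["Information Technology"]),
    ("t$", ["Customer Support", "Product"], ["Finance"]),
    ("..te", ["achristensen", "bhatter", "kate", "pete"], ["te"]),
    ("Agre+m", ["Budget Agreements"], ["Budget Requirements"]),
    ("q?", ["Budget Requirements"], []),
    ("Fin|Info", ["Finance", "Information Technology"], ["Facility"]),
]

def check_page_examples():
    """Return every case where this approximation disagrees with the table."""
    failures = []
    for pattern, should_match, should_not_match in PAGE_EXAMPLES:
        for v in should_match:
            if not value_matches(pattern, v):
                failures.append((pattern, v, "expected match"))
        for v in should_not_match:
            if value_matches(pattern, v):
                failures.append((pattern, v, "expected no match"))
    return failures

if __name__ == "__main__":
    print("disagreements with the page:", check_page_examples())
    # Constructed Data Sources list for one asset.
    sources = ["carbonblack", "example_source"]
    print(field_matches("crowdstrike,carbonblack,sentinelone", sources))
    # A space after the comma turns the second alternative into " carbonblack".
    print(field_matches("crowdstrike, carbonblack", sources))
    for p in ("q?", "crowdstrike, carbonblack", "^F"):
        print(p, "->", lint(p))
```

Running `lint` on a Value before saving a query catches the two quiet failure modes in the table: `q?` can match nothing at all and therefore matches every asset, and a space after a comma makes that alternative match none.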

Updated on January 8, 2026