Explore Page

The Explore page is the core of the Lucidum web UI. It provides an ad-hoc query interface for running complex searches.

Query Builder #

Users select one table (for example, “Search Asset”) to build a query against. By default, the Lucidum UI provides six main tables for search:

  • Search Asset: Current asset table
  • Search User: Current user table
  • Search Asset-History: Asset history table
  • Search User-History: User history table
  • Search Asset-IP History: Asset-IP mapping history table
  • Search User-IP History: User-IP mapping history table

After selecting a table at the top, users select fields from this table and combine them with query operators and field values to build the query. The query is organized as groups of “AND/OR” conditions: users click the add icon to add a condition and the remove icon to remove one. Logically, “AND” conditions sit at the first level of the query builder. Each group of “AND” conditions is separated by a dotted horizontal line, and the different “OR” conditions are placed under one “AND” condition. Users can combine “AND/OR” conditions to create complex searches. For example, the conditions shown in the figure above can be described as:

Users click “Run” to submit the query or “Clear all queries” to start a new one. The query results are listed in the table under the query builder. Within the result table, users can click “Record Detail” under the “Detail” menu to view the details of each record.

In the “Detail” pop-up window, Lucidum UI groups the information into different categories, including:

  • Age: Age information, such as first time seen, last time seen, new asset/user or not, and asset status
  • Applications: Applications installed on the asset, including the application name, version, and data source
  • Asset: Asset information, including asset name, asset tag, IP address, MAC address, and more
  • Cloud: Cloud information, including cloud account ID, cloud account name, cloud instance ID, and more
  • Customer Fields: Fields specific to the customer. For example, a customer may provide its own asset inventory spreadsheets to Lucidum; fields that come only from that customer are placed in the “Customer Fields” category
  • Data: Data information, including data category, data classification, file access history, and more
  • Risk: Risk information, including risk level, standardized risk score, and top risk factors
  • User: User information, including user name, department, job title, manager name, and more
  • DataSource: Data source information. The raw data from the related data sources is organized under vertical tabs so users can click through each of them for a holistic view of all data sources for this record
  • Tags: Tag information, such as the EC2 instance and AMI image tags from AWS
  • Others: Other contextual information, including hardware configuration, location, region, and more

Query Operators #

Each query can include different operators, depending on the type of the field the user selects. The query operators are listed in the table below:

| Field type | Operator | Notes |
|---|---|---|
| Number | Is equal to; Is greater than or equal to; Is greater than; Is less than or equal to; Is less than; Is not equal to; Exists; Empty | Exists: Field value is not missing and is not equal to null. Empty: Field value is missing, equal to null, or the field does not exist |
| String | Match; Not match; Is equal to; Is not equal to; Exists; Empty | Match: Field value includes certain characters or matches a certain pattern (case insensitive; supports regular expressions). Is equal to: Field value equals a string exactly (case sensitive). Not match: Opposite of “Match”. Is not equal to: Opposite of “Is equal to” |
| List | Match; Not match; Is equal to; Is not equal to; In; Not in; Exists; Empty | Match: An element in the field includes certain characters or matches a certain pattern (case insensitive; supports regular expressions). Is equal to: An element in the field equals a string exactly (case sensitive). In: The comma-separated values are found in the field (case sensitive). For example, “IP_Address in 10.0.0.1, 10.0.0.2” searches for assets that have IP address 10.0.0.1 OR 10.0.0.2 literally |

Search tips:

  • Special characters in the “Match”/“Not match” operators: Because the match operator supports regular expressions, special regex characters (such as dot, brackets, and space) must be escaped with “\” when they appear in the search value. For example, to search for “Firefox (ver 23.0)” with the match operator, the query is Version → match → Firefox \(ver 23\.0\)
  • Special characters in full term search: Put double quotes around the search value if it contains special characters. For example, to search for the IP address 10.1.2.5 with full term search, the value must be quoted as “10.1.2.5”; otherwise the database engine splits the term on “.” and searches for 10 or 1 or 2 or 5 individually.
  • “Match” vs. “Is equal to” vs. “In”: All three operators search for strings, but they suit different situations, as listed below. “Match” is the most widely used because it is case insensitive and supports partial text search with flexible regular expressions, but be careful when the search value includes special characters as described above. “In” is useful when searching a list-type field (for example, data sources or IP addresses) because it accepts multiple search values at once. “Is equal to” is exact and runs faster than “Match” when searching for an exact text, and it is not affected by special characters.

| | Match | Is equal to | In |
|---|---|---|---|
| Field Type | String or List | String or Number | List |
| Case Sensitivity | Case insensitive | Case sensitive | Case sensitive |
| Regular Expression | Yes | No | No |
| Partial Text Search | Yes | No | No |
| Exact Text Search | Yes (with Regex) | Yes | Yes |
| Example | Data Sources “match” “aws” | Asset “is equal to” “Win_AD” | Data Sources “in” “aws_s3, aws_ec2” |
| Example Explanation | Search for data source names containing the “aws” sub-string, e.g., “aws_s3”, “AWS_EC2”. “AWS_EC2” with different cases satisfies | Search for an asset whose name is exactly “Win_AD”. “win_ad” with different cases does not satisfy | Search for data source names containing “aws_s3” or “aws_ec2”. “AWS_EC2” with different cases does not satisfy |

Full Term Search #

Users can select “Full Term Search” to quickly search one term in a certain table.

For example, the figure above shows a full term search on the keyword “Windows”; the web UI searches this keyword across all fields in the asset table. Note that the keyword is case insensitive and must be a complete term: if a field value is “Windows 10”, a full term search for “WINDOWS” or “windows” finds this record, but a search for “Win” (a partial term) returns no results.
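As an added illustration, not part of the original Lucidum documentation and not Lucidum's query engine, the following Python evaluator follows the semantics this page gives for the query builder (an AND across groups, an OR within each group), for the operator table and the search tips (the “Match” vs. “Is equal to” vs. “In” comparison, the regex escaping caveat, number comparisons, “Exists”/“Empty”), and for full term search including the quoting rule for values such as 10.1.2.5. The sample records, the field names (“Asset”, “Data Sources”, “Version”, “OS”, “IP_Address”, “Risk Score”) and the term tokenizer are assumptions constructed for this example.

```python
"""Added example, not Lucidum's own code: a small evaluator that follows the
semantics this page documents for the Explore query builder (AND groups of OR
conditions), the query operators table ("Match", "Is equal to", "In", number
comparisons, "Exists", "Empty"), and full term search. Record shapes, field
names and the term tokenizer are assumptions made for illustration."""
import operator
import re

# Constructed sample records (assumed field names, not a real Lucidum export).
RECORDS = [
    {"Asset": "Win_AD", "Data Sources": ["AWS_EC2"], "Version": "Firefox (ver 23.0)",
     "OS": "Windows 10", "Risk Score": 80},
    {"Asset": "win_ad", "Data Sources": ["aws_s3", "azure"], "Version": "Firefox (ver 23.1)",
     "OS": "Windows Server 2019", "IP_Address": ["10.0.0.2"], "Risk Score": 35},
    {"Asset": "web-01", "Data Sources": ["aws_ec2"], "OS": "Ubuntu 22.04",
     "IP_Address": ["10.0.0.1", "10.0.0.5"], "Risk Score": None},
]

NUMBER_OPS = {
    "is greater than": operator.gt, "is greater than or equal to": operator.ge,
    "is less than": operator.lt, "is less than or equal to": operator.le,
}

def _elements(record, field):
    """Field elements as a list so string, number and list fields share one code path."""
    value = record.get(field)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def condition(record, field, op, value=None):
    """Evaluate one query-builder condition; "Exists"/"Empty" follow the table's definitions."""
    elements = _elements(record, field)
    if op == "exists":          # present and not null
        return record.get(field) is not None
    if op == "empty":           # missing, null, or the field does not exist
        return record.get(field) is None
    if op == "match":           # case-insensitive regex, partial match; the user escapes specials
        return any(re.search(value, str(e), re.IGNORECASE) for e in elements)
    if op == "is equal to":     # exact and case-sensitive
        return any(e == value for e in elements)
    if op == "in":              # comma-separated literals, case-sensitive, any element found
        wanted = {part.strip() for part in value.split(",")}
        return any(e in wanted for e in elements)
    if op in NUMBER_OPS:
        return any(isinstance(e, (int, float)) and NUMBER_OPS[op](e, value) for e in elements)
    negated = {"not match": "match", "is not equal to": "is equal to", "not in": "in"}
    if op in negated:           # assumption: the "not" operators are plain negations
        return not condition(record, field, negated[op], value)
    raise ValueError(f"unknown operator: {op}")

def run_query(records, groups):
    """A query is an AND across groups; within a group the conditions are OR'ed."""
    return [r for r in records
            if all(any(condition(r, *c) for c in group) for group in groups)]

_SPLIT = re.compile(r"[^0-9A-Za-z_]+")

def full_term_search(records, term):
    """Case-insensitive whole-term search across every field of every record.
    An unquoted term is split into sub-terms on '.' and other punctuation and
    matched as an OR (so 10.1.2.5 becomes 10 OR 1 OR 2 OR 5, as the page warns);
    a double-quoted term is matched whole. The tokenizer is an assumption."""
    if len(term) >= 2 and term[0] == term[-1] == '"':
        wanted = {term[1:-1].lower()}
    else:
        wanted = {t.lower() for t in _SPLIT.split(term) if t}
    hits = []
    for record in records:
        terms = set()
        for field in record:
            for element in _elements(record, field):
                text = str(element).lower()
                terms.add(text)                                    # the whole value is a term
                terms.update(t for t in _SPLIT.split(text) if t)   # and so is each sub-term
        if terms & wanted:
            hits.append(record)
    return hits

def asset_names(rows):
    """Helper for readable results: the "Asset" value of each returned record."""
    return [r["Asset"] for r in rows]

if __name__ == "__main__":
    print(asset_names(run_query(RECORDS, [[("Data Sources", "match", "aws")]])))
    print(asset_names(run_query(RECORDS, [[("Data Sources", "in", "aws_s3, aws_ec2")]])))
    print(asset_names(full_term_search(RECORDS, "Windows")), asset_names(full_term_search(RECORDS, "Win")))
```

Run against these records, “Data Sources match aws” returns all three records because “AWS_EC2” matches case-insensitively, while “Data Sources in aws_s3, aws_ec2” skips the first record because “In” is case sensitive, which is exactly the distinction in the comparison table. The unescaped pattern “Firefox (ver 23.0)” finds nothing, since the parentheses become a regex group and the dot a wildcard, whereas the escaped form “Firefox \(ver 23\.0\)” finds only the 23.0 record. An unquoted full term search for 10.0.0.5 hits every record that contains the sub-term 10, while the quoted form finds only the asset that actually has that address.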

Query Menu #

Users can click the button next to “Clear all queries” to expand the query management menu.

  • Export Result: Click this to export the search results into a CSV file. Users can choose the fields to be included in the output CSV file
  • Save Query: Click this to save the current query. Users can specify the saved query name, a detailed description, and a saved query group for future use.
  • Query Management: Click this to open query management, which is described in more detail below
  • Add Comments: Click this to add comments to the selected query results, which is described in more detail below
  • Edit Columns: Click this to select the fields to show in the query results. The list of selected fields is stored locally in the browser cache. For example, the screen below selects four columns to display in the query results: Asset name, User name, First time seen, and Last time seen

Query Management #

Query management has two tabs: Query Library and Query Run History.

Query Library lists all the queries saved by the user. Lucidum also includes some pre-built queries to help the first-time user get started. For each saved query, five different actions are provided under the “Action” menu:

  • Use this: load the saved query into the query builder for a quick, repeatable search
  • Copy MQL: copy the original database query string to the clipboard (for advanced users)
  • Edit: edit the query name, description, and group
  • Delete: delete the saved query
  • Schedule setting: schedule the saved query to run at a certain time and send out email reports. Users click “Schedule Setting” to expand the schedule setting panel, fill in the recipient emails (separated by commas if there are multiple recipients), specify the schedule, and select the output fields to be included in the report. After clicking “Confirm”, the scheduled job starts immediately and is also sent to the “Job Manager” page, which is described in more detail later. Note: This feature will be incorporated into the new Action Center as well

Query Library supports importing and exporting the saved queries. For example, one user can export some saved queries into an Excel spreadsheet and share it with other users who can then import the spreadsheet into their query libraries.

  • To export queries: Select one or more queries using the boxes on the left side, and click the “Export” button to save the Excel file
  • To import queries: Click the “Import” button and select the Excel file to import
  • Users can also select multiple saved queries and delete them in a batch by clicking the “Delete” button. Caution: deleted queries cannot be recovered

Query Run History lists the recent queries run by the user. For each entry in the query run history, four different actions are provided in the “Action” menu:

  • Use this: load the query into the query builder for a quick search
  • Copy MQL: copy the original database query string to the clipboard (for advanced users)
  • Delete: delete the query from the history. Users can also select multiple queries and delete them in a batch by clicking the “Delete” button at the top. Caution: deleted queries cannot be recovered
  • Save To Library: save the query into the Query Library for future use

Add Comments #

Add comments to multiple records #

Users can select one or more query records from the result table and add some comments. The record with comments will have a “note” indicator on the right side. Different users can add different comments to the same records.

Add comments to a single record #

Users can also add comments to a single record while viewing the record details. In the record “Detail” pop-up window, users click “Add Comments” at the top to add comments to this record only. Different users can add different comments to the same record as well.

Users can click “Record Detail” in the “Detail” menu to view the comment history under the “Comments” tab. The comment history lists each comment’s creator, details, and creation date. Users can also edit or delete their own comments as needed. Note that only a system admin can delete other users’ comments.
