Why Learn About Queries?
Multiple features in Lucidum use queries:
- Charts in Dashboards. Clicking the Configure Filters button leads to the Query Tool.
- Actions. Clicking the Configure Filters button leads to the Query Tool.
- SmartLabels. Clicking the Add Rule or Edit Rule button leads to the Query Tool.
- Dashboards. Clicking the Refine Scope icon leads to the Query Tool, where you can create a global filter that applies a pre-filter to all charts in the dashboard.
The following sections describe how to use the Query Tool to create queries.
What Is a Query?
Queries and filters are tools that search the database in Lucidum to find data that meets your specifications. You can then include the results in charts, actions, webhooks, and SmartLabels.
When you create a query, you must specify:
- Data Type. This is the top-level category for each query and specifies the type of Lucidum object you want information about. Data Type maps to tables in the Lucidum database. Data Types include:
  - Asset. Retrieve information about assets.
  - User. Retrieve information about users.
  - Asset-IP Mapping. Lucidum uses proprietary machine-learning algorithms to align each asset with an IP address. You can retrieve information about these asset/IP pairs.
  - User-IP Mapping. Lucidum uses proprietary machine-learning algorithms to align each user with an IP address. You can retrieve information about these user/IP pairs.
  - Vulnerability. Retrieve information about vulnerabilities.
- Time Range. You must first select whether you are interested in current values or historical values. The choices are:
  - Current. The default value is from the present day to 7 days old.
  - Historical. Older than current.
  NOTE: You can customize or view the Time Range values in the Data Lookback (in days) field in System Settings.
- Fields. Fields are characteristics of Lucidum objects. For example, characteristics of a user are the user’s name and the user’s email address. A characteristic of an asset is the asset’s IP address. Usually, a field maps to a column name in a Lucidum database table.
- Operators. Operators define the relationship between the fields and the values. Operators can include “match”, “not match”, “is equal to”, “is not equal to”, “is greater than”, “is less than”, “exists”, “is empty”, among others. Lucidum provides a set of operators for each field. For details on operators, see the chapter on Data Types and Operators.
- Values. Values describe the content in a field. For example, if you choose “Memory Size (GB)” as a field, you could choose “is equal to” as an operator and “256” as a value. Your results would include only assets with 256 GB of memory.
- Keywords. Lucidum queries support two optional keywords: AND and OR.
  - AND means that the results must meet all the criteria in a multi-part query.
  - OR means that the results must meet at least one of the criteria in a multi-part query.
The Query Builder builds read-only (SELECT) queries.
To learn the basics of queries, you can read these articles. Although the Lucidum user interface does not require SQL syntax, these articles will help you understand how queries work.
https://www.w3schools.com/sql/sql_intro.asp
https://www.w3schools.com/sql/sql_select.asp
https://www.w3schools.com/sql/sql_and_or.asp
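The following added example (not Lucidum's own code) shows how the query parts described above, Data Type, Time Range, Fields, Operators, Values and the AND/OR keyword, compose into a read-only SELECT. Operators and field names are whitelisted and values are bound as parameters, so user-supplied values never reach the query text; the table and column names and the sample inventory are assumptions, since Lucidum's real schema is not described here.

```python
import sqlite3
from datetime import date, timedelta

# Operator names from the page, mapped to SQL fragments. The dict is a whitelist:
# only these fragments ever reach the query string; values are always bound as ?.
OPERATORS = {
    "is equal to": "{col} = ?",
    "is not equal to": "{col} <> ?",
    "is greater than": "{col} > ?",
    "is less than": "{col} < ?",
    "match": "{col} LIKE ?",
    "not match": "{col} NOT LIKE ?",
    "exists": "{col} IS NOT NULL",
    "is empty": "({col} IS NULL OR {col} = '')",
}
# Hypothetical table/column names; Lucidum's real schema is not on the page.
DATA_TYPES = {"Asset": "assets", "User": "users"}
FIELDS = {"Memory Size (GB)": "memory_gb", "IP Address": "ip_address", "OS": "os"}

def build_query(data_type, time_range, conditions, keyword="AND", lookback_days=7, today=None):
    """Map (Data Type, Time Range, [(field, operator, value)], keyword) to a SELECT + params."""
    table = DATA_TYPES[data_type]                    # KeyError rejects unknown data types
    if keyword not in ("AND", "OR"):
        raise ValueError("keyword must be AND or OR")
    today = date.fromisoformat(today) if today else date.today()
    cutoff = (today - timedelta(days=lookback_days)).isoformat()
    # Current = seen within the lookback window; Historical = older than that.
    time_clause = "last_seen >= ?" if time_range == "Current" else "last_seen < ?"
    clauses, params = [], [cutoff]
    for field, op, value in conditions:
        clauses.append(OPERATORS[op].format(col=FIELDS[field]))  # whitelisted names only
        if "?" in OPERATORS[op]:
            params.append(value)                     # value is bound, never interpolated
    where = f" {keyword} ".join(f"({c})" for c in clauses) or "1=1"
    return f"SELECT name FROM {table} WHERE {time_clause} AND ({where})", params

def run_query(conn, *args, **kwargs):
    sql, params = build_query(*args, **kwargs)
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Constructed sample inventory, not real Lucidum data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (name TEXT, memory_gb INTEGER, ip_address TEXT, os TEXT, last_seen TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?,?,?,?,?)", [
        ("db-01", 256, "10.0.0.5", "Linux", "2024-05-10"),
        ("web-01", 64, "10.0.0.6", "Linux", "2024-05-09"),
        ("old-01", 256, None, "Windows", "2024-01-15"),
    ])
    return conn
```

With today fixed at 2024-05-12, `run_query(demo_db(), "Asset", "Current", [("Memory Size (GB)", "is equal to", 256)], today="2024-05-12")` returns only `db-01`; the same condition with "Historical" returns `old-01`.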
Viewing Your Data
Because queries allow you to find data in the Lucidum database, you might find it helpful to learn about and view the available data in Lucidum. For details about viewing the available data in Lucidum, see:
- Viewing Details about Individual Assets, Users, or Vulnerabilities
- Viewing Data About All Assets, All Users, and All Vulnerabilities
- Viewing Details About Data Sources for Assets and Users