Saved Queries and Historical Queries

The Query tool includes fields for re-using queries:

• Load from Query Library. Leads to a list of saved queries. Saved queries are associated with your login. You can view saved queries you create, those shared with you by other users, and those created by Lucidum (Value-Oriented Queries or VOQs).

• Load from Historical Query. Leads to a list of cached queries. Query history is not associated with your login but instead includes all queries from all Lucidum users on the current Lucidum system. Query history is deleted when the Lucidum system is rebooted or restarted.

This chapter describes how to create, use, and manage saved queries and historical queries.

Creating a Saved Query #

From the Query button, you can save a query for use in a chart, a Smart Label, or an Action. To do this:

1. Follow the steps to create a query.

   

2. In the Query a Current page, click the Save Query (disc).

3. The Add Query dialog page appears:

   

4. In the Save Query dialog page, supply values in the fields:

   • Query Name. The name of the saved query.

   • Author Comments. Optional description of the query.

   • Group. Optional group to organized saved queries.

   • Output Fields. Specifically selected fields from the list of fields returned by the query. This is particularly helpful when creating actions, where you want to send only a subset of data to the external system.
   • Send to Luci. For users with Admin or Lucidum Support accounts, this field is enabled. When you toggle this field, Luci pre-runs the query and analyzes the results. If you ask a question related to the query (for example, if you ask a question about unencrypted workstations), Luci will provide this query as one of the options in her answer.

5. The saved query now appears in the list of Saved Queries in the Query page and in the Query Library page (Settings > Query Library).

Using a Saved Query #

You can use a Saved Query from the Query page.

You can also use a Saved Query from the Add Chart or Edit Chart page, from the Filters page for an Action, and in a Smart Label rule.

NOTE: Saved Queries are not dynamically updated. This means that if you include a Save Query in an Action or a Chart and then later update the definition of the Saved Query, the Action or Chart will continue to use the previous definition, not the updated definition.

To load a Saved Query from the Query button:

1. Click the Query button in the upper right corner of each page in Lucidum.

2. The Query page appears.

   

3. In the Query page, click Load from Query Library.

4. The Choose a Save Query page appears, with a list of all saved queries.

   

5. To choose and load a query, select the Edit Saved Query (up arrow) icon.

6. The query appears in the Build a Query page. From this page, you can edit the saved query or apply it to a chart or action.

   

7. To apply the saved query to a chart or action, click the Apply (pencil and paper) icon. To use the query in a SmartLabel, click the SmartLabel icon.

Managing Saved Queries #

You can manage saved queries in the Query Library page. From the Query Library page, you can:

• edit the properties of the saved query
• edit the filter for the saved query
• use the saved query to build an action
• delete the saved query
• export a saved query
• import a saved query

To access the Query Library page:

1. Go to Left menu > Query Library icon.
2. The Query Library page displays all the saved queries in Lucidum:
   
3. The Query Library includes three tabs:
   • Lucidum Queries. This tab displays Value-Oriented Queries (VOQs). These are frequently-used queries that Lucidum provides in the Query Library.
   • My Queries. This tab displays queries you have created and saved.
   • All Queries. This tab displays queries created by you and created by your colleagues.
4. Each tab displays the following about each saved query:
   • Query Name. Name of the query.
   • Description. After saving the Saved Query, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Data Type. Specifies the Data Type of the query. Choices are Asset, Asset-IP, User, User-IP, and Vulnerability.
   • Group. Category for the query. This is defined when the saved query is created and helps keep the queries organized.
   • MetaBlocks. MetaBlocks aligned with the Saved Query. For details, see Using MetaBlocks with Saved Queries.
   • Created By. Specifies the Lucidum user who created or imported the saved query.
5. The Actions column allows you to perform the following on a saved query:
   • Edit (pencil icon). Leads to the Edit Saved Query modal, where you can edit the name, description, and group for a saved query. This icon is disabled for Lucidum Queries.
   • Edit Filters (up-arrow icon). Leads to the Edit Filters for Saved Query, where you can edit the filter(s) for the query.
   • Send to Actions (paper airplane icon). Leads to the Actions page, where you can create an action with the saved query loaded in the action’s filter.
   • Align MetaBlocks. Adds or deletes the Saved Query to one or more MetaBlocks. For details, see Using MetaBlocks with Saved Queries.
   • Delete (trash-can icon). Allows you to delete a saved query. This icon is disabled for Lucidum Queries.
6. To export a query from the Query Library page, click the checkbox for the query, and select Export  Queries (down arrow with underline) in the upper right. The query is saved as a JSON file to the local computer.

   NOTE: Before importing the Saved Query to another Lucidum system, you must open the exported JSON file with a text editor and edit the “name”:”value” pair. For example appending the string “COPY” to the name, like:

   "name":"How many cloud object stores with logging disabled?_COPY"

7. To import a query into the Query Library page, click the checkbox for the query, select Import Queries (page with up arrow) in the upper right and navigate to a saved JSON file. Imported files appear in the My Queries tab.
8. To share one or more saved queries with another Lucidum user, click the checkbox for the query and then select Share (email) icon in the lower left. The query will appear in the My Queries page for that user on the current Lucidum system.
9. To bulk delete saved queries, click the checkbox for each query you want to delete and then select the Delete (trash can) icon in the lower left.

Using a Historical Query #

If you would like to re-run a query that you ran earlier but did not save as a Saved Query (query), you can use the Historical Query (query). Historical Queries are not associated with your login but instead include all queries from all Lucidum users on the current Lucidum system. Historical Queries are deleted when the Lucidum system is rebooted or restarted.

You can use a Historical Query from the Add Chart or Edit Chart page and from the Filters page for an Action. You can also use a historical query in a Smart Label rule.

From the Query button, you can load a historical query:

1. Click the Query button in the upper right corner of each page in Lucidum.

2. The Query page appears.

   

3. In the Query page, click Load from Historical Query.

4. The Choose a Historical Query page appears, with a list of all historical queries.

   

5. To choose and load a query, select the Edit Historical Query (up arrow) icon.

6. The query appears in the Query a Current page. From this page, you can edit the saved query or apply it to a chart or action.

   

7. To apply the historical query to a chart or action, click the Apply (pencil and paper) icon.

Managing Historical Queries #

Historical Queries are not associated with your login but instead include all queries from all Lucidum users on the current Lucidum system. Historical Queries are deleted when the Lucidum system is rebooted or restarted.

You can manage previously run queries in the Query Run History page (Settings > Query Run History). From the Query Run History page, you can:

• view the filter for the query

• convert the query to a saved query

• delete the query

To access the Query Run History page:

1. Go to Settings > Query Run History.

2. The Query Run History page displays all the previously run queries in Lucidum:

   

3. The Query Run History page displays the following about each saved query:

   • Down arrow icon (v). Displays the query.

   • Table Name. Table associated with the query. Choices are:

     • Asset. Retrieve information about assets.

     • User. Retrieve information about users.

     • Vulnerability. Retrieve information about vulnerabilities.

   • Filters. Number of conditions in the query.

   • Query Time. Date and time the query was last run.

   • Result Count. Number of records that match the query on its last run.

4. You can perform the following actions on each previously run query:

   • Convert to Saved Query (disc icon). Leads to the Add Saved Query modal, where you can define a saved query.

   • Delete a Historical Query (trash-can icon). Allows you to delete a historical query.