Clicking on an incident will display the incident details view. This view provides a tactical and strategic view of the adversarial activity and intent related to the incident, as well as the vital intel your organization needs to act appropriately, contain the attacks, and mitigate their impact.
This area shows the following elements:
We’ll go over them in detail shortly.
Here, you will find the identifier of the confirmed IoC, any related adversaries that may be relevant to the organization's operation, the incident’s status and the last time and date of operation.
This panel shows the case’s history as well as the activity related to the incident, such as labels, contacts, the time frame of said contacts, and more. By clicking on one of the affected endpoints, you will be able to see in detail all the information about the detected interaction between the endpoint and the adversary. By selecting the See more details option, you can access the incident metadata for this endpoint and analyze it at your discretion. Finally, you can export and download all contacts and affected endpoints as .csv spreadsheets for your convenience.
This panel is very comprehensive, so to understand it we must first divide it into different areas. The first area of the Highlights tab is a summary of the incident. Here you can find a timeline of all the incident’s events, as well as a synopsis of what the incident entails.
In this area you can see which labels were affected by the incident. The label system allows you to determine at a glance which areas of your business were affected, and how relevant each of them is to the business according to a user-defined index.
The Attack Distribution view helps you understand how the adversary spreads throughout your organization’s network across a period of time. Repeated instances of adversarial activity associated with this specific incident will appear here. You can control the time frame shown in this view by using your mouse’s scroll wheel.
The Compromise Radar allows you to see the frequency of incidents across a time dial. The more times an incident with these specific characteristics is triggered, the more the time dial fills up with the corresponding information. Place your cursor over the points on the radar to find additional details.
If the incident you are viewing has been identified by Lumu as correlated with a threat commonly associated with email, such as spam or phishing, you will be able to see whether such IoCs have appeared in your organization’s email inboxes.
Under the Threat Intel tab, you will find several tools to help you determine the origin of the incident.
The Threat Triggers area lists the IoCs pertaining to this particular incident. These can be gathered by Lumu or by third-party software configured to work alongside Lumu. You can also download them as a .csv file for your convenience.
Under Related Files, you can see the checksums of files involved in the incident. You can also download them as a .csv file for your convenience.
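As an added example (not Lumu’s own code, and not a description of its export format), the following Python script checks the checksums from a downloaded Related Files .csv against the files on an endpoint, so an analyst can confirm whether a flagged file is actually present. The column names `checksum` and `algorithm` and the sample rows are assumptions constructed for this example; adapt them to the header of the real export.

```python
import csv
import hashlib
import io
import sys
from pathlib import Path

# Constructed sample of a Related Files export. The column names are an
# assumption for this example, not the documented Lumu format.
SAMPLE_EXPORT = """checksum,algorithm
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,sha256
d41d8cd98f00b204e9800998ecf8427e,md5
"""

# Hex digest length -> algorithm, used when the export has no algorithm column.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def load_checksums(csv_text):
    """Return {hex_checksum: algorithm}; the algorithm comes from the CSV
    column when present, otherwise it is inferred from the digest length."""
    wanted = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["checksum"].strip().lower()
        algo = (row.get("algorithm") or HASH_LENGTHS.get(len(digest), "")).lower()
        if algo in HASH_LENGTHS.values():
            wanted[digest] = algo
    return wanted


def hash_bytes(data, algo):
    """Hex digest of `data` using the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def find_matches(root, wanted):
    """Walk `root` and return (path, checksum) for every regular file whose
    digest, under the algorithm the export names for it, is in `wanted`."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for algo in set(wanted.values()):
            digest = hash_bytes(data, algo)
            if wanted.get(digest) == algo:
                hits.append((str(path), digest))
    return hits


if __name__ == "__main__":
    # Usage: python check_related_files.py <export.csv> <directory to scan>
    checksums = load_checksums(Path(sys.argv[1]).read_text())
    for found_path, found_digest in find_matches(sys.argv[2], checksums):
        print(f"MATCH {found_digest} {found_path}")
```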
Under this section, you can find related articles (both internal and external) and resources that may be useful to create an effective response strategy for this incident.
In this tab, you can find information on the tactics used in the incident, according to the MITRE ATT&CK Matrix Framework.
These options allow you to share and export information about this incident quickly and easily. By selecting the Email report option, you will be able to send an email with information and recommendations related to this incident without leaving the Lumu Portal. You can also register frequent recipients to optimize this process.
Here, you will be able to see the actions that have been taken by your organization regarding a specific incident in chronological order.
By selecting this option, you will be able to see the different statuses you can assign to this incident based on the stage of your organization’s response.