Incident Details
Clicking on an incident will display the incident details view. This view will provide you with tactical and strategic vision of the adversarial activity and intent related to the incident, as well as provide vital intel so your organization can act appropriately to contain the attacks and mitigate its impact.
This area shows the following elements:
- Incident identifier, related adversaries and status.
- Detections panel
- Highlights panel
- Threat Intel panel
- ATT&CK Matrix panel
- Email report and Export
- Operation timeline
- Take Action
We’ll go over them in detail shortly.
Incident identifier, related adversaries and status
Here, you will find the identifier of the confirmed IoC, any related adversaries that may be relevant to the organization's operation, the incident’s status and the last time and date of operation.
Detections Panel
This panel shows the case’s history as well as the activity related to the incident, such as labels, contacts, time frame of said contacts and more. By clicking on one of the affected endpoints, you will be able to see with a great level of detail all the information about the detected interaction between the endpoint and the adversary. By selecting the See more details option, you will be able to access the incident metadata for this endpoint to analyze at your discretion. And finally, you can export and download all contacts and endpoints affected in the form of .csv spreadsheets for your convenience.
Highlights Panel
This panel is very comprehensive, and to understand it, we must first divide it into different areas. The first area of the Highlights tab is a summary of the incident. Here you can find all the time events of the incident, as well as a synopsis of what the incident entails.
Automated Response
Labels Affected
In this area you can see which labels were affected by the incident. The label system allows you to determine at a glance which areas of your business were affected, and how relevant to said business they are in a user-defined index.
Attack Distribution
The Attack Distribution view helps you understand how the adversary spreads throughout your organization’s network across a period of time. Repeated instances of adversarial activity associated with this specific incident will appear here. You can control the time frame shown in this view by using your mouse’s scroll wheel.
Compromise Radar
The Compromise Radar allows you to see the frequency of incidents across a time dial. The more times an incident with these specific characteristics is triggered, the time dial will fill up with the corresponding information. Place your cursor over the points on the radar to find additional details.
Spambox
If the incident you are viewing has been identified by Lumu to be correlated with a Spambox type IoC, you will be able to see if this specific IoC has appeared in the spambox of your organization’s email inboxes.
Threat Intel Panel
Under the Threat Intel tab, you will find several tools to help you determine the origin of the incident.
Threat Triggers
The Threat Triggers area lists the IoCs pertaining to this particular incident. These can be gathered by Lumu or third party software configured to work alongside Lumu. You can also download them as a .csv file for your convenience.
Related Files
Under Related Files, you can see the checksums of files involved in the incident. You can also download them as a .csv file for your convenience.
Related resources
Under this section, you can find related articles (both internal and external) and resources that may be useful to create an effective response strategy for this incident.
ATT&CK Matrix
In this tab, you can find information of the tactics used in the incident, according to the MITRE ATT&CK Matrix Framework.
Email report and Export
These options allow you to share and export information about this incident quickly and easily. By selecting the Email report option, you will be able to send an email with information and recommendations related to this incident without leaving the Lumu Portal. You can also register frequent recipients to optimize this process.
Operation Timeline
Here, you will be able to see the actions that have been taken by your organization regarding a specific incident in chronological order.
Take Action
By selecting this option, you will be able to see the different statuses you can assign to this incident based on the stage of your organization’s response.
Related Articles
Lumu Portal
Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. The Lumu ...Incident Filters
Filters are a set of criteria you can use to pinpoint specific incidents. Multiple filters can be used at the same time to narrow searches. Time Range The Time Range filter can be found beneath Closed Incidents. Time Range filters allow you to sort ...Lumu Playback
The cybersecurity industry has found many ways to defend against zero-day threats and emerging attacks; however, several attacks and techniques still manage to go undetected thanks to the cybercriminals' own advances in sophisticated evasion ...Lumu Portal Two-Factor Authentication
The Lumu Portal offers secure login alternatives through the use of two-factor authentication (2FA), in this case, One-time Password (OTP) on top of your account password. You can use the Authenticator app you prefer, such as Google Authenticator and ...Lumu Email Intelligence
Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. In this ...