Incident Details

Clicking on an incident displays the incident details view. This view gives you tactical and strategic visibility into the adversarial activity and intent related to the incident, along with the intel your organization needs to contain the attacks and mitigate their impact.

This area shows the following elements: 

  1. Incident identifier, related adversaries and status. 
  2. Detections panel
  3. Highlights panel
  4. Threat Intel panel
  5. ATT&CK Matrix panel
  6. Email report and Export
  7. Operation timeline
  8. Take Action

We’ll go over them in detail shortly.

Incident identifier, related adversaries and status: here you will find the identifier of the confirmed IoC, any related adversaries that may be relevant to your organization's operation, the incident's status and the date and time of the last operation.

Detections Panel

This panel shows the case's history as well as the activity related to the incident, such as labels, contacts, the time frame of those contacts and more. Clicking one of the affected endpoints shows, in great detail, all the information about the detected interaction between that endpoint and the adversary. Selecting the See more details option opens the incident metadata for that endpoint so you can analyze it at your discretion. Finally, you can export and download all affected contacts and endpoints as .csv spreadsheets.

Highlights Panel

This panel is very comprehensive, so it is easiest to understand when divided into its areas. The first area of the Highlights tab is a summary of the incident, where you can find the incident's timeline of events as well as a synopsis of what the incident entails.

Automated Response

Lumu Defender customers have access to an additional information panel, exhaustively detailing the orchestration involved in the Automatic Response feature. This includes a list of the integrations active in the Response process, the IoCs they handle, and the threat types they are prepared to act upon.

Labels Affected

In this area you can see which labels were affected by the incident. The label system allows you to determine at a glance which areas of your business were affected, and how relevant they are to the business according to a user-defined index.

Attack Distribution

The Attack Distribution view helps you understand how the adversary spreads throughout your organization’s network across a period of time. Repeated instances of adversarial activity associated with this specific incident will appear here. You can control the time frame shown in this view by using your mouse’s scroll wheel.


Compromise Radar

The Compromise Radar allows you to see the frequency of incidents across a time dial. The more often an incident with these specific characteristics is triggered, the more the time dial fills up with the corresponding information. Place your cursor over the points on the radar to find additional details.

Email Intelligence

If Lumu has correlated the incident you are viewing with a threat commonly associated with email, such as spam or phishing, you will be able to see whether those IoCs have appeared in your organization's email inboxes.


Threat Intel Panel

Under the Threat Intel tab, you will find several tools to help you determine the origin of the incident. All of the information found in this panel is aggregated and provided by Maltiverse by Lumu and will vary depending on the nature of the IoC.

Notes
Keep in mind that the type and number of fields will vary depending on the incident, and not all incidents will include every available field.

For example, this is the view of an IP-type IoC:

This is the view of a domain-type IoC:

Below, you will find different sections providing an overview of the TI data provided by Maltiverse. The amount of data displayed will vary depending on the IoC, and some sections may not be populated. Bear in mind that you can find the full data by clicking on the See all details in Maltiverse option found in each section.

Blacklist Timeline

The Blacklist Timeline section displays the period of time during which Maltiverse and other sources marked the IoC as suspicious and/or malicious, the types of threats it was associated with, and the date when Maltiverse stopped considering it malicious.

Whois Information

The Whois Information section shows all available identifying information of the IoC. It will show origin and geographic information for IPs, and hosting and registration information for domains.

Threat Triggers

The Threat Triggers area lists the IoCs pertaining to this particular incident. These can be gathered by Maltiverse or by third-party sources. You can also download them as a .csv file for your convenience.

Under Related Files, you can see the checksums of files involved in the incident. You can also download them as a .csv file for your convenience.

Reverse IP Lookups

This section lists all domains that have resolved to this IP to date. It is only applicable to IP-type IoCs.

Resolved IP Addresses

List of IPs the domain has resolved to, up to the present. This section is exclusive to domain-type IoCs.

URLs on this IP

List of URLs that have been linked to this IP, alongside the reason each was blacklisted and its status. This section is exclusive to IP-type IoCs.

URLs on this Domain

List of URLs that have been linked to this domain up to the present, along with the reason each was blacklisted. This section is exclusive to domain-type IoCs.

CIDR Classification

Classification of all the IP addresses in the same IP group, based on Maltiverse's and other aggregators' criteria. They are categorized as neutral, whitelist, suspicious and/or malicious. This section is exclusive to IP-type IoCs.

This section lists the malware associated with the IP or domain, together with the associated filename and the reason it was blacklisted. It exists for both IP- and domain-type IoCs; however, it shows the relevant information differently for each.

External References

Under this section, you can find related articles (both internal and external) and resources that may be useful to create an effective response strategy for this incident.

ATT&CK Matrix

In this tab, you can find information on the tactics used in the incident, according to the MITRE ATT&CK Matrix Framework.


Email report and Export

These options allow you to share and export information about this incident quickly and easily. By selecting the Email report option, you will be able to send an email with information and recommendations related to this incident without leaving the Lumu Portal. You can also register frequent recipients to optimize this process. 

Notes
This feature isn’t available for incidents correlated to Network Scan IoCs yet.


By selecting the Export option, you will be able to export the incident’s information in different formats for your convenience, one of them being in the form of a STIX report. We will learn more about this option in the Incident Management section.

Operation Timeline

Here, you will be able to see the actions that have been taken by your organization regarding a specific incident in chronological order. 

Take Action

By selecting this option, you will be able to see the different statuses you can assign to this incident based on the stage of your organization’s response. 
