Incident Details

Clicking on an incident displays the incident details view. This view gives you a tactical and strategic picture of the adversarial activity and intent related to the incident, and provides vital intel so your organization can act appropriately to contain the attack and mitigate its impact.

This area shows the following elements: 

  1. Incident identifier, related adversaries and status. 
  2. Detections panel
  3. Highlights panel
  4. Threat Intel panel
  5. ATT&CK Matrix panel
  6. Email report and Export
  7. Operation timeline
  8. Take Action

We’ll go over them in detail shortly.

The first element shows the identifier of the confirmed IoC, any related adversaries that may be relevant to the organization's operation, the incident’s status, and the last time and date of operation.

Detections Panel

This panel shows the case’s history as well as the activity related to the incident, such as labels, contacts, the time frame of those contacts and more. Clicking on one of the affected endpoints shows, in great detail, all the information about the detected interaction between the endpoint and the adversary. Selecting the See more details option gives you access to the incident metadata for this endpoint, which you can analyze at your discretion. Finally, you can export and download all contacts and affected endpoints as .csv spreadsheets.

Highlights Panel

This panel is very comprehensive, and to understand it, we must first divide it into different areas. The first area of the Highlights tab is a summary of the incident. Here you can find all the time events of the incident, as well as a synopsis of what the incident entails.

Automated Response

Lumu Defender customers have access to an additional information panel, exhaustively detailing the orchestration involved in the Automatic Response feature. This includes a list of the integrations active in the Response process, the IoCs they handle, and the threat types they are prepared to act upon.

Labels Affected

In this area you can see which labels were affected by the incident. The label system allows you to determine at a glance which areas of your business were affected, and how relevant they are to the business according to a user-defined index.

Attack Distribution

The Attack Distribution view helps you understand how the adversary spreads throughout your organization’s network across a period of time. Repeated instances of adversarial activity associated with this specific incident will appear here. You can control the time frame shown in this view by using your mouse’s scroll wheel.

Compromise Radar

The Compromise Radar allows you to see the frequency of incidents across a time dial. The more times an incident with these specific characteristics is triggered, the more the time dial fills up with the corresponding information. Place your cursor over the points on the radar to find additional details.


If the incident you are viewing has been identified by Lumu to be correlated with a Spambox type IoC, you will be able to see if this specific IoC has appeared in the spambox of your organization’s email inboxes.

Threat Intel Panel

Under the Threat Intel tab, you will find several tools to help you determine the origin of the incident.

Threat Triggers

The Threat Triggers area lists the IoCs pertaining to this particular incident. These can be gathered by Lumu or third party software configured to work alongside Lumu. You can also download them as a .csv file for your convenience.

Under Related Files, you can see the checksums of files involved in the incident. You can also download them as a .csv file for your convenience.

Under this section, you can find related articles (both internal and external) and resources that may be useful to create an effective response strategy for this incident. 

ATT&CK Matrix

In this tab, you can find information about the tactics used in the incident, according to the MITRE ATT&CK Matrix Framework.

Email report and Export

These options allow you to share and export information about this incident quickly and easily. By selecting the Email report option, you will be able to send an email with information and recommendations related to this incident without leaving the Lumu Portal. You can also register frequent recipients to optimize this process. 

This feature isn’t available for incidents correlated to Network Scan IoCs yet.

By selecting the Export option, you will be able to export the incident’s information in different formats, one of which is a STIX report. We will learn more about this option in the Incident Management section.

Operation Timeline

Here, you will be able to see the actions that have been taken by your organization regarding a specific incident in chronological order. 

Take Action

By selecting this option, you will be able to see the different statuses you can assign to this incident based on the stage of your organization’s response. 
