Incident Details - Threat Intel

Note: This panel is only visible for Phishing, C&C, Malware, Spam and Mining incidents.
The Threat Intel Panel provides the tactical and strategic vision necessary to understand exactly who you are up against. This tab equips your security team with a suite of intelligence tools designed to determine the origin, history, and intent of the adversarial infrastructure involved in the incident.

All the threat intelligence (TI) data found in this panel is aggregated and provided by Maltiverse by Lumu. Because the nature of malicious infrastructure varies, this panel is highly dynamic: the type and number of fields displayed adapt automatically depending on whether the Indicator of Compromise (IoC) is an IP address or a domain.

While you can always dive deeper by clicking the See all details in Maltiverse option within each area, the panel surfaces the most critical intelligence directly into your workflow through the following sections. 

Blacklist Timeline

The Blacklist Timeline section shows when Maltiverse and other sources marked the IoC as suspicious and/or malicious, which types of threats it was associated with during that period, and the date on which Maltiverse stopped considering it malicious.

Whois Information

The Whois Information section shows all available identifying information of the IoC. It will show origin and geographic information for IPs, and hosting and registration information for domains.

Threat Triggers

The Threat Triggers area lists the IoCs pertaining to this particular incident. These can be gathered by Maltiverse or third party sources. You can also download them as a .csv file for your convenience.

Under Related Files, you can see the checksums of files involved in the incident. You can also download them as a .csv file for your convenience.
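The IoCs and checksums exported from the Threat Triggers and Related Files areas are most useful when matched against your own telemetry. The following script is an added example, not Lumu's or Maltiverse's code: it parses a constructed triggers export (IP, CIDR and domain IoCs) and a constructed related-files export, sorts each IoC into the same IP-versus-domain categories the panel uses, and then scans constructed resolver log lines and an endpoint hash inventory to list the hosts that contacted the adversarial infrastructure or hold a related file. The CSV column names (`ioc`, `type`, `source`, `sha256`, `filename`) and the log format are assumptions for the example; adapt them to the actual export.

```python
"""Match exported Threat Triggers / Related Files IoCs against local
DNS resolver logs and a file-hash inventory.

All inputs below are constructed samples. The CSV column names and the
log line format are assumptions, not Lumu's or Maltiverse's real format.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed Threat Triggers export (column names assumed).
TRIGGERS_CSV = """\
ioc,type,source
198.51.100.23,ip,maltiverse
203.0.113.0/24,cidr,third-party
bad-update.example,hostname,maltiverse
cdn.bad-update.example,hostname,third-party
"""

# Constructed Related Files export; the hash is a placeholder, not a real IoC.
RELATED_FILES_CSV = """\
sha256,filename
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,dropper.exe
"""

# Constructed resolver log: "<timestamp> <client> <qname> -> <answer>".
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.org -> 93.184.216.34
2024-05-01T10:02:14Z 10.0.0.7 cdn.bad-update.example -> 198.51.100.23
2024-05-01T10:03:40Z 10.0.0.9 mail.example.org -> 203.0.113.77
"""

# Constructed endpoint inventory: host -> SHA-256 hashes observed on it.
FILE_INVENTORY: Dict[str, Set[str]] = {
    "10.0.0.7": {"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"},
    "10.0.0.9": set(),
}


def classify_ioc(value: str) -> str:
    """Return 'ip', 'cidr' or 'domain', the same split the panel applies."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "cidr"
    except ValueError:
        return "domain"


def parse_triggers(text: str) -> Tuple[Set[str], List[ipaddress._BaseNetwork]]:
    """Split the export into a domain set and a list of networks (/32 for IPs)."""
    domains: Set[str] = set()
    networks: List[ipaddress._BaseNetwork] = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["ioc"].strip().lower()
        if classify_ioc(value) == "domain":
            domains.add(value)
        else:
            networks.append(ipaddress.ip_network(value, strict=False))
    return domains, networks


def parse_related_files(text: str) -> Dict[str, str]:
    """Map each checksum to its filename."""
    return {row["sha256"].strip().lower(): row["filename"]
            for row in csv.DictReader(io.StringIO(text))}


def domain_matches(qname: str, domains: Set[str]) -> bool:
    """Exact match or subdomain of a listed domain."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in domains)


def ip_matches(addr: str, networks: List[ipaddress._BaseNetwork]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def scan_dns_log(log: str, domains: Set[str],
                 networks: List[ipaddress._BaseNetwork]) -> List[dict]:
    """Return one hit per log line whose query name or answer is an IoC."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _, answer = line.split()
        reasons = []
        if domain_matches(qname, domains):
            reasons.append(f"domain:{qname}")
        if ip_matches(answer, networks):
            reasons.append(f"ip:{answer}")
        if reasons:
            hits.append({"timestamp": ts, "client": client, "reasons": reasons})
    return hits


def scan_file_inventory(inventory: Dict[str, Set[str]],
                        hashes: Dict[str, str]) -> List[dict]:
    """Return hosts holding a file whose checksum appears under Related Files."""
    hits = []
    for host, seen in inventory.items():
        for digest in sorted(seen & set(hashes)):
            hits.append({"host": host, "sha256": digest, "filename": hashes[digest]})
    return hits


def affected_hosts(dns_hits: List[dict], file_hits: List[dict]) -> List[str]:
    """Union of hosts flagged by either check, for containment scoping."""
    return sorted({h["client"] for h in dns_hits} | {h["host"] for h in file_hits})


if __name__ == "__main__":
    doms, nets = parse_triggers(TRIGGERS_CSV)
    dns = scan_dns_log(DNS_LOG, doms, nets)
    files = scan_file_inventory(FILE_INVENTORY, parse_related_files(RELATED_FILES_CSV))
    for hit in dns + files:
        print(hit)
    print("affected hosts:", affected_hosts(dns, files))
```

Subdomain matching is deliberate: a trigger for `bad-update.example` should also flag `cdn.bad-update.example`, and CIDR triggers are checked against the resolved answer rather than the query name, because the domain an endpoint asked for may be benign while the address it was handed is the listed infrastructure.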

Reverse IP Lookups

This section lists all domains that have resolved to this IP to date. It is only applicable to IP-type IoCs.

Resolved IP Addresses

List of IPs the domain has resolved to up to the present. This section is exclusive to domain-type IoCs.

URLs on this IP

List of URLs that have been linked to this IP, alongside the reason why each was blacklisted and its status. This section is exclusive to IP-type IoCs.

URLs on this Domain

List of URLs that have been linked to this domain up to the present, along with the reason why each was blacklisted. This section is exclusive to domain-type IoCs.

CIDR Classification

Classification of all the IP addresses in the same IP group based on Maltiverse’s and other aggregators’ criteria. They are categorized as neutral, whitelist, suspicious and/or malicious. This section is exclusive to IP-type IoCs.

List of malware associated with the IP or domain, including the associated filename and the reason why it was blacklisted. This section exists for both IP- and domain-type IoCs; however, the information shown differs for each.

External References

Under this section, you can find related articles (both internal and external) and resources that may be useful to create an effective response strategy for this incident.

Check out the following articles to fully understand the incident details provided in the Lumu Portal. 
  1. Incident Details - Detections
  2. Incident Details - Highlights
  3. Incident Details - ATT&CK Matrix