Incident Management - Lumu Portal

Incidents

Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools.

The Lumu Portal offers a centralized and intuitive way to manage your incidents, track their statuses, and review which compromises have been solved—for simpler and faster activation of response processes.

In this view of the Lumu Portal, you can stay up to date with and manage incidents in an easy-to-read dashboard with details on the activity and distribution of the Indicators of Compromise (IoC) that Lumu identified in your organization.

What is an Incident?

According to NIST, an incident is an occurrence that results in actual or potential exposure of the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

Lumu groups all occurrences of contacts to malicious infrastructure per domain (or IP address) and presents them consolidated in the form of single incidents in the Lumu Portal.

Incidents Summary

In this section of the Lumu Portal, you have a summary of the accumulated adversarial activity, such as the number of open incidents (1), contacts (2), affected labels (3), and reached endpoints (4). You also have a graphical visualization of open incidents by top labels (5) and threat type (6).

Figure 1 - Incidents summary.

For each incident, you have the number of labels and endpoints affected and the total number of contacts from that adversary. Navigate through the tabs by incident status: Open, Closed, or Muted.

The incidents are listed in chronological order by the time of their first contact. You can filter incidents by threat type, label, or business relevance. For more details about labels, consult our documentation.

Figure 2 - Incidents summary list.

Incident Details

Click on an incident in the summary list to view its details. This area shows the case history as well as activity related to the incident, such as labels and contact timeframe views. This area also offers a comprehensive view of the affected endpoints. From here, you can go directly to the Compromise Context area for more in-depth insights about the incident.

Figure 3 - Incident details.

Incident Management

By default, each new incident is shown in the “Open” tab. For each incident, you have the option to mark it as closed, or to mute all incidents from that adversary.

Figure 4 - Incident management options.

The following figure represents an Incident lifecycle in the Lumu Portal:

Figure 5 - Incident lifecycle.

Mute Incidents

Use this option to stop new notifications of contacts from a specific adversary.

Be aware that this option applies to all further malicious activity from that adversary. Contacts from this adversary will continue to accumulate, but your company will not receive any further notifications.

When selecting this option, you will be asked to leave a comment stating the reason for taking this action. The comment will be recorded and stored in the incident, which will be moved to the “Muted” tab.

Figure 6 - Mute Incidents from an adversary.

Unmute Incident

Use this option to unmute an incident that was previously marked as muted.

This option is available only for muted incidents. Closed incidents cannot be reopened.

When unmuting an incident, please leave a comment listing the actions taken or any information related to the incident unmuting. That comment will be recorded and stored in the incident, which will move to the “Open” tab.

Figure 7 - Unmuting an incident.

Close Incident

Use this option to mark an incident as closed after you have finished working on the case.

This action cannot be undone. After closing an incident, it cannot be reopened.

When closing an incident, please leave a comment listing the actions taken or any information related to the incident closure. That comment will be recorded and stored in the incident, which will be moved to the “Closed” tab.

Figure 8 - Closing an incident.
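The three options above (mute, unmute, close) and the rule that closing is final describe a small state machine. The following is an added example, not Lumu's code, of how a team that mirrors portal incidents into its own tracker might encode those transitions so that the same rules are enforced (a comment is always required, closed is terminal, unmute only applies to muted incidents). The adversary value and comments are constructed; the page does not say whether a muted incident can be closed without unmuting it first, so that transition is left out as an assumption.

```python
from dataclasses import dataclass, field

OPEN, MUTED, CLOSED = "open", "muted", "closed"

# Transitions as described for the Lumu Portal: a new incident is open; an open
# incident can be closed (final, cannot be reopened) or muted; a muted incident
# can be unmuted back to open. Closing directly from muted is not described on
# the page, so this model does not allow it (assumption).
TRANSITIONS = {
    (OPEN, "close"): CLOSED,
    (OPEN, "mute"): MUTED,
    (MUTED, "unmute"): OPEN,
}


@dataclass
class Incident:
    adversary: str                                # domain or IP the contacts are grouped by
    status: str = OPEN
    contacts: int = 0
    history: list = field(default_factory=list)   # (action, comment) audit trail

    def record_contact(self):
        """Contacts keep accumulating in every status; a notification is only due
        while the incident is open (muting stops notifications per the page;
        treating a closed incident the same way is an assumption)."""
        self.contacts += 1
        return self.status == OPEN

    def apply(self, action, comment):
        """Apply close/mute/unmute, requiring the comment the portal asks for."""
        if not comment or not comment.strip():
            raise ValueError(f"{action}: a comment explaining the action is required")
        nxt = TRANSITIONS.get((self.status, action))
        if nxt is None:
            raise ValueError(f"cannot {action} an incident that is {self.status}")
        self.history.append((action, comment.strip()))
        self.status = nxt
        return nxt


def walkthrough():
    """Drive one constructed incident through mute -> unmute -> close and
    report how many contacts would have produced a notification."""
    inc = Incident(adversary="c2.example.invalid")          # constructed adversary
    notified = 0
    notified += int(inc.record_contact())                   # open: notification due
    inc.apply("mute", "known sinkhole, suppress alerts while we confirm")
    notified += int(inc.record_contact())                   # muted: counted, not notified
    inc.apply("unmute", "contacts still coming from production endpoints")
    notified += int(inc.record_contact())                   # open again: notified
    inc.apply("close", "endpoints reimaged, DNS block in place")
    try:
        inc.apply("unmute", "attempt to reopen")            # closed is final
        reopen_blocked = False
    except ValueError:
        reopen_blocked = True
    return {"status": inc.status, "contacts": inc.contacts, "notified": notified,
            "reopen_blocked": reopen_blocked, "history": inc.history}


if __name__ == "__main__":
    print(walkthrough())
```

The audit trail kept in `history` is the local counterpart of the comments the portal stores with each action; keeping it in the tracker means the reason for muting or closing survives even if the incident is later reviewed outside the portal.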

STIX Reports

STIX 2.0 is the industry standard for the capture, characterization, and communication of cyber threat information. It is supported by a committee of nearly 280 companies and organizations from all around the globe and is used by organizations such as the U.S. Department of Homeland Security (DHS), the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Japanese Information-technology Promotion Agency (IPA), Microsoft, American Express, USAA, and others. The Lumu Portal now allows you to download STIX reports for each compromise incident, which may be especially useful in the following scenarios:

  1. If your organization is in a highly regulated environment and needs to send cyber threat information using the STIX format.
  2. If your organization shares cyber threat intelligence with other organizations to help combat cybercrime.

To download STIX reports, click on the three dots in the upper right corner of the incident you wish to review. An options menu will pop up with the ‘Download STIX Report’ option. The Lumu Portal will provide a STIX report for an incident regardless of whether it is closed, open, or muted.

Figure 9 - How to download STIX reports.

This will download a JSON file containing information in STIX format that represents all the details about the incident that you see in the Lumu Portal. If you’d prefer a more visual approach, this file can be viewed with the visualization tool provided by the STIX project.

The filename of the STIX report will have the following structure: <Incident UUID>.json

To learn more about STIX and how to read and use these reports, refer to STIX’s official documentation.
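Beyond viewing a report, the usual operational use of a STIX 2.0 bundle is to feed its indicators into a blocklist or detection rule. The following added example (not Lumu's code, and not based on the layout of Lumu's own reports) parses a constructed STIX 2.0 bundle using only the standard object types (bundle, indicator, malware, relationship), checks the bundle shape, pulls the observable out of each simple indicator pattern, and attaches the name of whatever the indicator is recorded as indicating. Patterns the simple extractor cannot interpret (AND/OR combinations, other object types) are reported as skipped rather than silently dropped. All ids, timestamps and values in the sample are placeholders.

```python
import json
import re

# Constructed sample that follows the STIX 2.0 object layout. It is NOT a Lumu
# report: every id, timestamp and value is a placeholder made up for this example.
STAMP = {"created": "2021-01-01T00:00:00.000Z", "modified": "2021-01-01T00:00:00.000Z"}
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-4b5a-4678-9abc-def012345678",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
         "labels": ["malicious-activity"], "valid_from": "2021-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']", **STAMP},
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "labels": ["malicious-activity"], "valid_from": "2021-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']", **STAMP},
        # Compound pattern: the simple extractor below deliberately reports it as skipped.
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "labels": ["malicious-activity"], "valid_from": "2021-01-01T00:00:00Z",
         "pattern": "[url:value = 'http://c2.example.invalid/a' OR "
                    "url:value = 'http://c2.example.invalid/b']", **STAMP},
        {"type": "malware", "id": "malware--44444444-4444-4444-8444-444444444444",
         "name": "ConstructedTrojan", "labels": ["trojan"], **STAMP},
        {"type": "relationship", "id": "relationship--55555555-5555-4555-8555-555555555555",
         "relationship_type": "indicates",
         "source_ref": "indicator--11111111-1111-4111-8111-111111111111",
         "target_ref": "malware--44444444-4444-4444-8444-444444444444", **STAMP},
    ],
})

# Only a single equality comparison on a network observable is handled here.
# Anything else is counted as skipped so it is not silently lost from the blocklist;
# a full STIX pattern parser is needed for compound expressions.
SIMPLE_PATTERN = re.compile(
    r"^\[(domain-name|ipv4-addr|ipv6-addr|url):value\s*=\s*'([^']+)'\]$")


def load_bundle(text):
    """Parse JSON and check the minimum STIX 2.0 bundle shape before use."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("not a STIX 2.0 bundle")
    if not isinstance(bundle.get("objects"), list):
        raise ValueError("bundle has no objects list")
    return bundle


def indicates_map(bundle):
    """indicator id -> names of the objects it 'indicates' (malware, campaign, ...)."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    out = {}
    for o in bundle["objects"]:
        if o.get("type") == "relationship" and o.get("relationship_type") == "indicates":
            src, dst = o.get("source_ref"), o.get("target_ref")
            if src in by_id and dst in by_id:            # ignore dangling references
                out.setdefault(src, []).append(by_id[dst].get("name", dst))
    return out


def build_blocklist(text):
    """Return (rows, skipped): rows are dicts {type, value, indicator, indicates}."""
    bundle = load_bundle(text)
    context = indicates_map(bundle)
    rows, skipped = [], []
    for o in bundle["objects"]:
        if o.get("type") != "indicator":
            continue
        m = SIMPLE_PATTERN.match(o.get("pattern", "").strip())
        if not m:
            skipped.append(o["id"])
            continue
        rows.append({"type": m.group(1), "value": m.group(2),
                     "indicator": o["id"], "indicates": context.get(o["id"], [])})
    return rows, skipped


def demo():
    """Run the extractor over the constructed sample bundle."""
    return build_blocklist(SAMPLE_BUNDLE_JSON)


if __name__ == "__main__":
    rows, skipped = demo()
    for r in rows:
        print(f"{r['type']:<12} {r['value']:<24} indicates={r['indicates']}")
    print("skipped (need a full STIX pattern parser):", skipped)
```

Reviewing the `skipped` list before pushing the rows to a DNS or firewall blocklist is the important step: an indicator the extractor could not interpret is still an indicator, and dropping it without noticing leaves the gap the report was meant to close.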

Incident Response

We recommend being familiar with Lumu’s Incident Response Playbooks that are based on the National Institute of Standards and Technology (NIST) Framework and include best practices for how to use Lumu to respond to specific attacks.

Know more about the Lumu Portal:

  1. Compromise Overview
  2. Collectors
  3. Labels
  4. Mailing and Accounts
