Incidents Operation

Detecting a threat is only the beginning of the defense process; effectively managing and resolving that threat is what ultimately secures your organization. The Lumu Portal provides a structured, intuitive workflow to help security teams track the lifecycle of an incident from the moment it is detected to its final remediation. The following figure represents an Incident lifecycle in the Lumu Portal:

Through the Take Action menu in the Incident Details view, analysts can change the status of an incident, coordinate team efforts, and maintain a clear audit trail of the organization's response.

Here is a detailed breakdown of the incident statuses and how to operate them:

Open Incidents

By default, every new incident detected by Lumu is categorized as Open. However, to help teams coordinate their efforts and avoid duplicating work, this state is divided into two distinct phases:
  1. Open Pending: The incident has been detected but has not yet been acknowledged or evaluated by an analyst.
  2. Open In Progress: An analyst has actively taken ownership of the incident and the investigation or containment process is currently underway.

Mute Incidents

Use this option to stop new notifications of contacts from a specific adversary. First, you must select a reason to mute the incident: either flag it as not relevant for your organization or report it as a false positive. If you report it as a false positive, you must provide all the details and supporting evidence for why you believe it to be a false positive.

Once an incident is reported as a false positive, Lumu will investigate it and respond accordingly. Be aware that all incidents from the reported adversary are automatically muted when the report is submitted.

Warning
Be aware that this option applies to all further malicious activity from that adversary. Contacts from this adversary will continue to accumulate, but your company will not receive any further notifications.

When selecting this option, you will be asked to leave a comment explaining why you are taking this action. The comment is recorded, stored in the incident and shown in the Operation Timeline; the incident is then moved to the “Muted” tab.

Unmute Incident

Use this option to unmute an incident that was previously marked as muted.

Notes
This option is available only for muted incidents. After closing an incident, it cannot be reopened.

When unmuting an incident, leave a comment listing the actions taken or any information related to the unmuting. The comment is recorded, stored in the incident and shown in the Operation Timeline; the incident is then moved to the “Open” tab.

Close Incident

Use this option to mark an incident as closed after you have finished working on the case.

Notes
This action cannot be undone. After closing an incident, it cannot be reopened.

When closing an incident, leave a comment listing the actions taken or any information related to the closure. The comment is recorded, stored in the incident and shown in the Operation Timeline; the incident is then moved to the “Closed” tab.

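The lifecycle above is a small state machine: an incident starts as Open Pending, moves to Open In Progress when an analyst takes ownership, can be muted (with a reason, and with evidence if reported as a false positive) and unmuted, and is closed irreversibly; every action carries a comment that lands in the Operation Timeline, and muting silences all further notifications from the adversary while contacts keep accumulating. The following model is an added example written for this article, not Lumu's code or API; the class and method names are this example's own, and two details the article leaves open are assumptions marked in the comments (an unmuted incident returns to Open Pending, and unmuting restores notifications for that adversary).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    OPEN_PENDING = "Open Pending"
    OPEN_IN_PROGRESS = "Open In Progress"
    MUTED = "Muted"
    CLOSED = "Closed"


class MuteReason(Enum):
    NOT_RELEVANT = "not relevant for the organization"
    FALSE_POSITIVE = "false positive"


class InvalidTransition(Exception):
    """Raised when an action is not allowed in the incident's current status."""


OPEN_STATES = (Status.OPEN_PENDING, Status.OPEN_IN_PROGRESS)


@dataclass
class Incident:
    incident_id: str
    adversary: str
    status: Status = Status.OPEN_PENDING
    contacts: int = 1
    timeline: list = field(default_factory=list)  # (action, actor, comment, timestamp)

    def _record(self, action: str, actor: str, comment: str) -> None:
        # Every action carries a comment that is stored on the incident and
        # shown in the Operation Timeline; an empty comment is rejected.
        if not comment.strip():
            raise ValueError(f"{action}: a comment is required")
        self.timeline.append((action, actor, comment, datetime.now(timezone.utc)))

    def take_ownership(self, actor: str, comment: str) -> None:
        # Open Pending -> Open In Progress: an analyst acknowledges the incident.
        if self.status is not Status.OPEN_PENDING:
            raise InvalidTransition(f"cannot take ownership while {self.status.value}")
        self.status = Status.OPEN_IN_PROGRESS
        self._record("take ownership", actor, comment)

    def mute(self, actor: str, reason: MuteReason, comment: str, evidence: str = "") -> None:
        # Only open incidents can be muted; a false-positive report needs evidence.
        if self.status not in OPEN_STATES:
            raise InvalidTransition(f"cannot mute while {self.status.value}")
        if reason is MuteReason.FALSE_POSITIVE and not evidence.strip():
            raise ValueError("a false positive report requires supporting evidence")
        self.status = Status.MUTED
        note = f"{comment} | evidence: {evidence}" if evidence else comment
        self._record(f"mute ({reason.value})", actor, note)

    def unmute(self, actor: str, comment: str) -> None:
        # Available only for muted incidents; the incident returns to the Open tab.
        # Assumption: it lands in Open Pending so ownership is re-established.
        if self.status is not Status.MUTED:
            raise InvalidTransition(f"cannot unmute while {self.status.value}")
        self.status = Status.OPEN_PENDING
        self._record("unmute", actor, comment)

    def close(self, actor: str, comment: str) -> None:
        # Closing is terminal: a closed incident cannot be reopened or unmuted.
        # Assumption: both open and muted incidents may be closed.
        if self.status is Status.CLOSED:
            raise InvalidTransition("closed incidents cannot be reopened")
        self.status = Status.CLOSED
        self._record("close", actor, comment)


@dataclass
class Workspace:
    incidents: dict = field(default_factory=dict)
    muted_adversaries: set = field(default_factory=set)

    def report_contact(self, incident_id: str, adversary: str) -> bool:
        """Register a contact; return True only if a notification should be sent."""
        inc = self.incidents.get(incident_id)
        if inc is None:
            self.incidents[incident_id] = Incident(incident_id, adversary)
        else:
            inc.contacts += 1  # contacts keep accumulating even while muted
        return adversary not in self.muted_adversaries

    def mute(self, incident_id: str, actor: str, reason: MuteReason,
             comment: str, evidence: str = "") -> None:
        inc = self.incidents[incident_id]
        inc.mute(actor, reason, comment, evidence)
        # Muting silences all further activity from that adversary.
        self.muted_adversaries.add(inc.adversary)
        if reason is MuteReason.FALSE_POSITIVE:
            # A false-positive report mutes every other open incident from the adversary.
            for other in self.incidents.values():
                if other.adversary == inc.adversary and other.status in OPEN_STATES:
                    other.mute(actor, reason, f"auto-muted with {incident_id}", evidence)

    def unmute(self, incident_id: str, actor: str, comment: str) -> None:
        inc = self.incidents[incident_id]
        inc.unmute(actor, comment)
        # Assumption: unmuting restores notifications for the adversary.
        self.muted_adversaries.discard(inc.adversary)
```

A model like this is useful when automating the portal's workflow from a SOAR or ticketing integration: the guard conditions encode the rules from this article (a comment is mandatory, evidence is mandatory for false-positive reports, unmute only applies to muted incidents, close is final), so an integration that violates them fails loudly instead of silently leaving the timeline incomplete.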
Next Steps: Incident Response Playbooks

Check out Lumu's Incident Response Playbooks, which are based on the National Institute of Standards and Technology (NIST) framework and provide clear guidance on how to respond to and remediate each incident detected by Lumu.
