Incident Response

Category: Incident Response

Requirement: Provide detailed reports on assets associated with incidents, prioritize incidents for mitigation, and automate mitigation tasks such as analysis, containment, patching, and changes to configuration.

CSCC: (none)

SAMA CSF: 3.3.15

ECC-1: 2-13-1, 2-13-2, 2-13-3, 2-13-3-2, 2-13-4

Lucidum can help you identify assets associated with incidents, prioritize incidents for mitigation, and automate mitigation tasks.

After Lucidum ingests data from your security solutions, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.

You can then create queries to find the highest risks in your environment, export the list, or create dashboards.

You can also view pre-built dashboards, called Value-Oriented Dashboards or VODs. You can easily edit these dashboards to suit your needs or easily create your own custom dashboards.

Lucidum also includes automated actions that aid continuous monitoring. These actions can run as frequently as needed.

These automated actions include sending data to Slack, sending data via email, creating Jira tickets, creating ServiceNow CIs, and performing automatic mitigation tasks.

Risk Overview

The Risk Overview dashboard, included with Lucidum, displays information about the assets in the environment and their risk levels.

The Risk Overview dashboard looks like this:

The Risk Overview dashboard includes:

  • Assets by Risk Level. This chart displays the number of assets with risk levels of high, medium, and low.

  • High-Risk Assets. This chart displays the daily number of assets with a risk level of “High”.

  • Medium-Risk Assets. This chart displays the daily number of assets with a risk level of “Medium”.

  • Low-Risk Assets. This chart displays the daily number of assets with a risk level of “Low”.

  • Assets At-Risk by Department. This chart displays the departments that have assets with any risk level (high, medium, or low).

  • Most Common Critical CVEs. This chart displays a list of critical CVEs and the number of assets that have been affected by each CVE.

  • Most Common Risk Factors. This chart displays a list of risk factors and the number of assets that have been affected by each risk factor.

  • Top-n Assets by Risk Score. This chart displays the names of the assets with the 100 highest risk scores.

  • Assets At-Risk by Manager. This chart displays the managers that have assets with any risk level (high, medium, or low).

Apple Zero-Day Vulnerability Status Board

In this example, the dashboard monitors a zero-day vulnerability for Mac assets that became known in the summer of 2022. Many of the devices in this example were intelligent conference room control iPads. These devices are orphans: nobody owns them, but they are on the network and exploitable. This is another example of how Lucidum finds your “unknown unknowns”.

This dashboard includes charts for:

  • Vulnerable MacOS. Number of assets running a vulnerable version of MacOS.

  • % Vulnerable Macs. Percent of MacOS assets running a vulnerable version of MacOS.

  • Monterey Devices by Sub-Version. Number of assets running each version of MacOS Monterey.

  • Vulnerable MacOS Monterey Devices Over Time. Number of assets running a vulnerable version of MacOS over time. We should see this chart peak on the day the zero-day vulnerability is made public and then decrease as the IT department remediates the vulnerable devices.

  • Vulnerable iOS. Number of assets running a vulnerable version of iOS.

  • % Vulnerable iOS. Percent of iOS assets running a vulnerable version of iOS.

  • Vulnerable iOS Devices Over Time. Number of assets running a vulnerable version of iOS over time. We should see this chart peak on the day the zero-day vulnerability is made public and then decrease as the IT department remediates the devices.

  • Patched MacOS Monterey Devices Over Time. Number of assets running a vulnerable version of MacOS Monterey that have been patched, over time. We should see this chart increase as the IT department remediates the vulnerable devices.

  • Patched iOS Devices Over Time. Number of assets running a vulnerable version of iOS that have been patched, over time. We should see this chart increase as the IT department remediates the vulnerable devices.
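As an added example (not Lucidum's own code), the following Python derives the status-board metrics listed above from constructed daily inventory snapshots. The fixed versions, asset names and dates are placeholders chosen for illustration, and the same functions apply to any board that compares an installed version against a fixed one.

```python
from collections import Counter

# Constructed daily snapshots (not real data): each asset is (name, os, version).
SNAPSHOTS = {
    "2022-08-17": [("mac-01", "macOS", "12.5"), ("mac-02", "macOS", "12.5"),
                   ("mac-03", "macOS", "12.4"), ("ipad-conf-a", "iOS", "15.6"),
                   ("ipad-conf-b", "iOS", "15.6")],
    "2022-08-18": [("mac-01", "macOS", "12.5.1"), ("mac-02", "macOS", "12.5"),
                   ("mac-03", "macOS", "12.5.1"), ("ipad-conf-a", "iOS", "15.6.1"),
                   ("ipad-conf-b", "iOS", "15.6")],
    "2022-08-19": [("mac-01", "macOS", "12.5.1"), ("mac-02", "macOS", "12.5.1"),
                   ("mac-03", "macOS", "12.5.1"), ("ipad-conf-a", "iOS", "15.6.1"),
                   ("ipad-conf-b", "iOS", "15.6.1")],
}
# Placeholder fixed versions (assumption, not from the page); substitute the vendor's real fixed build.
FIXED = {"macOS": "12.5.1", "iOS": "15.6.1"}

def parse_version(v):
    """Numeric tuple so that '12.10' > '12.9' (plain string comparison gets that wrong)."""
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(os_name, version):
    fixed = FIXED.get(os_name)
    return fixed is not None and parse_version(version) < parse_version(fixed)

def board_metrics(assets, os_name):
    """(vulnerable count, percent vulnerable) for one OS: the 'Vulnerable MacOS' and '% Vulnerable Macs' charts."""
    total = [a for a in assets if a[1] == os_name]
    vuln = [a for a in total if is_vulnerable(a[1], a[2])]
    pct = round(100.0 * len(vuln) / len(total), 1) if total else 0.0
    return len(vuln), pct

def vulnerable_over_time(snapshots, os_name):
    """Daily vulnerable counts, the '... Over Time' chart; expect a peak then a decline as patching proceeds."""
    return [(day, board_metrics(snapshots[day], os_name)[0]) for day in sorted(snapshots)]

def patched_over_time(snapshots, os_name):
    """Assets seen vulnerable on an earlier day that are now at or above the fixed version."""
    ever_vuln, series = set(), []
    for day in sorted(snapshots):
        todays = [(n, v) for n, o, v in snapshots[day] if o == os_name]
        ever_vuln |= {n for n, v in todays if is_vulnerable(os_name, v)}
        patched = [n for n, v in todays if n in ever_vuln and not is_vulnerable(os_name, v)]
        series.append((day, len(patched)))
    return series

def sub_version_breakdown(assets, os_name):
    """'Monterey Devices by Sub-Version' style chart: count of assets per version string."""
    return Counter(v for _, o, v in assets if o == os_name)
```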

Microsoft Exchange Zero-Day Vulnerability Status Board

In this example, the dashboard monitors a zero-day vulnerability for Microsoft Exchange assets. This vulnerability became publicly known in the fall of 2022. Because it affects Exchange assets, many of the affected assets are public-facing.

This dashboard includes charts for:

  • Assets Vulnerable. Displays the total number of assets that are vulnerable to this zero-day vulnerability.

  • Top-10 Asset List by OS. Displays the top-10 assets that are vulnerable to this zero-day vulnerability, by operating system.

  • Assets Vulnerable Over Time. Displays the total number of assets that are vulnerable to this zero-day vulnerability, over time. We should see this chart peak on the day the zero-day vulnerability is made public and then decrease as the IT department remediates the devices.

  • Vulnerable Asset List. Displays the name of each vulnerable asset.

  • Top-10 Asset List by Department. Displays the top-10 assets that are vulnerable to this zero-day vulnerability, by department.

  • Public IP Address. Displays the number of devices that are vulnerable to this zero-day vulnerability and also have a public-facing IP address.

  • Top-10 Assets by Site. Displays the top-10 assets that are vulnerable to this zero-day vulnerability, by site.

Chrome Zero-Day Vulnerability Status Board

In this example, the dashboard monitors a zero-day vulnerability for the Chrome browser and applications.

This dashboard includes charts for:

  • Total Compute Assets. Displays the total number of Chrome compute assets.

  • Compute Assets w/Chrome CVEs. Displays the total number of Chrome compute assets with zero-day vulnerabilities.

  • Chrome Browsers w/Zero-Day CVEs. Displays the total number of Chrome browsers with zero-day vulnerabilities.

  • Data Sources Reporting. Displays the data sources that Lucidum used to ingest data about Chrome assets and this zero-day vulnerability.

  • Chrome Browsers w/Zero-Day CVEs by Location. Displays the total number of Chrome browsers with zero-day vulnerabilities, by location.

  • Computer Assets w/Chrome CVEs List. Displays the name of each Chrome compute asset and the number of high vulnerabilities on each Chrome compute asset.

  • Chrome Browsers w/Zero-Day CVEs by OS. Displays the total number of Chrome browsers with zero-day vulnerabilities, by operating system.

  • Chrome Browsers w/Zero-Day CVEs by Country. Displays the total number of Chrome browsers with zero-day vulnerabilities, by country.

Lucidum Actions

Lucidum includes automated actions that aid continuous monitoring. These actions can run as frequently as needed.

Actions for AWS

  • Stop Instance. Stops one or more AWS instances.

  • Start Instance. Starts one or more previously stopped AWS instances.

  • Tag Instance. Adds a tag (a descriptive key/value pair) to one or more AWS instances.

  • Untag Instance. Removes a tag (a descriptive key/value pair) from one or more AWS instances.

Actions for Active Directory

  • Change Computer Group. Changes the AD group membership for one or more assets.

  • Disable Computer. Disables one or more computer objects in AD. When a computer object is disabled in AD, domain accounts cannot log in to the computer.

  • Enable Computer. Enables one or more computer objects in AD. When a computer object is enabled in AD, domain accounts can log in to the computer.

  • Change Computer OU. Changes the AD OU (organizational unit) for one or more computers.

  • Change User Group. Changes the AD group membership for one or more users.

  • Disable User. Disables one or more user objects in AD. When a user object is disabled in AD, the user cannot log in to the domain.

  • Enable User. Enables one or more user objects in AD. When a user object is enabled in AD, the user can log in to the domain.

  • Change User OU. Changes the AD OU (organizational unit) for one or more users.

Actions for Automox

  • Patch Device. Applies all available software patches to one or more devices.

  • Reboot Device. Reboots one or more devices.

Actions for Email

  • Send Email. Sends data about one or more assets or users to one or more recipients.

Actions for Jira Cloud Platform

  • Create Jira Issue. Creates a Jira issue. For each record that matches the base query, the output fields are attached to the Jira ticket.

Actions for Microsoft Defender

  • Isolate Machine. Disconnects one or more devices from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

  • Unisolate Machine. Reconnects one or more devices to the network.

Devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. Microsoft recommends using a split-tunneling VPN for Microsoft Defender for Endpoint traffic.

Actions for Opsgenie

  • Create Alert. Sends an alert from Lucidum to Opsgenie. Opsgenie delivers the alert according to its policies.

Actions for ServiceNow

  • Create ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow.

  • Create/Update ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow. If one or more of the CIs already exist, this action updates the existing CIs.

Actions for Slack

  • Post on Slack. Sends data (the output fields) from the specified records (those matching the base query) to a Slack channel.
