Skip to main content
Skip table of contents

Incident Response

Category

Requirement

CSCC

SAMA CSF

ECC-1

Incident Response

Provide detailed reports on assets associated with incidents, prioritize incidents for mitigation, and automate mitigation tasks such as analysis, containment, patching, and changes to configuration.

 

 

3.3.15

2-13-1
2-13-2
2-13-3
2-13-3-2
2-13-4

Lucidum can help you identify assets associated with incidents, prioritize incidents for mitigation, and automate mitigation tasks.

After Lucidum ingests data from your security solutions, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.

You can then create queries to find the highest risks in your environment, export the list, or create dashboards.

You can also view pre-built dashboards, called Value-Oriented Dashboards or VODs. You can easily edit these dashboards to suit your needs or easily create your own custom dashboards.

Lucidum also includes automated actions that aid continuous monitoring. These actions can run as frequently as needed.

These automated actions include sending data to slack, sending data via email, creating Jira tickets, creating ServiceNow CIs, and performing automatic mitigation tasks.

Risk Overview

The Risk Overview dashboard, included with Lucidum, displays information about the assets in the environment and their risk levels.

The Risk Overview dashboard looks like this: 

threat_intelligence-risk_overview.png

The Risk Overview dashboard includes:  

  • Assets by Risk Level. This chart displays the number of assets with risk levels of high, medium, and low.

  • High-Risk Assets. This chart displays the daily number of assets with a risk level of “High”.

  • Medium-Risk Assets. This chart displays the daily number of assets with a risk level of “Medium”.

  • Low-Risk Assets. This chart displays the daily number of assets with a risk level of “Low”.

  • Assets At-Risk by Department. This chart displays the departments that have assets with any risk level (high, medium, or low).

  • Most Common Critical CVEs. This chart displays a list of critical CVEs and the number of assets that have been affected by each CVE.

  • Most Common Risk Factors. This chart displays a list of risk factors and the number of assets that have been affected by each risk factor.

  • Top-n Assets by Risk Score. This chart displays the names of assets with the top-100 highest risk scores.

  • Assets At-Risk by Manager. This chart displays the managers that have assets with any risk level (high, medium, or low).

Zero-Day Vulnerabilities for MacOS, Windows 10, and Google Chrome

In this example, the dashboard monitors known zero-day vulnerabilities for MacOS, Windows 10, and Google Chrome.

  • Two MacOS zero-day vulnerabilities from November 2023

  • Three Windows 10 zero-day vulnerabilities from November 2023

  • Google Chrome zero-day vulnerability from December 2023

This dashboard help track systems that require patches and updates to protect against these zero-day vulnerabilities.

zero_day_vulnerabilities.png

This dashboard includes charts for:

  • Vulnerable MacOS Assets. Displays the total number of MacOS assets that are vulnerable to the two MacOS zero-day vulnerabilities.

  • Vulnerable MacOS Assets by Data Classification. Displays the type of data stored on MacOS assets that are vulnerable to the two MacOS zero-day vulnerabilities.

  • Vulnerable MacOS Assets by Department. Displays the departments of MacOs assets that are vulnerable to the two zero-day vulnerabilities.

  • Vulnerable MacOS Assets by Location. Displays the locations of MacOs assets that are vulnerable to the two zero-day vulnerabilities.

  • Vulnerable Windows 10 Assets. Displays the total number of Windows 10 assets that are vulnerable to the three Windows 10 zero-day vulnerabilities.

  • Vulnerable Windows 10 Assets by Data Classification. Displays the type of data stored on Windows 10 assets that are vulnerable to the three Windows 10 zero-day vulnerabilities.

  • Vulnerable Windows 10 Assets by Department. Displays the departments of Windows 10 assets that are vulnerable to the three Windows 10 zero-day vulnerabilities.

  • Vulnerable Windows 10 Assets by Location. Displays the locations of Windows 10 assets that are vulnerable to the three Windows 10 zero-day vulnerabilities.

  • Vulnerable Google Chrome Assets. Displays the total number of Google Chrome assets that are vulnerable to the Google Chrome zero-day vulnerability.

  • Vulnerable Google Chrome Assets by Data Classification. Displays the type of data stored on Google Chrome assets that are vulnerable to the Google Chrome zero-day vulnerability.

  • Vulnerable Google Chrome Assets by Department. Displays the departments of Google Chrome assets that are vulnerable to the Google Chrome zero-day vulnerability.

  • Vulnerable Google Chrome Assets by Location. Displays the locations of Google Chrome assets that are vulnerable to the Google Chrome zero-day vulnerability.

Microsoft Exchange Zero-Day Vulnerability Status Board

In this example, the dashboard monitors a zero-day vulnerability for Microsoft Exchange assets. This vulnerability became publicly known in the fall of 2022. Because it affects Exchange assets, many of the affected assets are public-facing.

ms_exchange_zero_day.png

This dashboard includes charts for:

  • Assets Vulnerable. Displays the total number of assets that are vulnerable to this zero-day vulnerability.

  • Top-10 Asset List by OS. Displays the top-10 assets that are vulnerable to this zero-day vulnerability, by operating system.

  • Assets Vulnerable Over Time. Displays the total number of assets that are vulnerable to this zero-day vulnerability, over time. We should see this chart peak on the day the zero-day vulnerability is made public and then decrease as the IT department remediates the devices.

  • Vulnerable Asset List. Displays the name of each vulnerable asset.

  • Top-10 Asset List by Department. Displays the top-10 assets that are vulnerable to this zero-day vulnerability, by department.

  • Public IP Address. Displays the number of devices that are that are vulnerable to this zero-day vulnerability and also have a public-facing IP address.

  • Top-10 Assets by Site. Displays the top-10 assets that are vulnerable to this zero-day vulnerability, by site.

Lucidum Actions

Lucidum includes automated actions that aid continuous monitoring. These actions can run as frequently as needed.

Actions for Active Directory

Lucidum includes the following Actions for Active Directory:

  • Change Computer Group. Changes the AD group membership for one or more assets.

  • Disable Computer. Disables one or more computer objects in AD. When a computer object is disabled in AD, domain accounts cannot log in to the computer.

  • Enable Computer. Enables one or more computer objects in AD. When a computer object is enabled in AD, domain accounts can log in to the computer.

  • Change Computer OU. Changes the AD OU (organizational unit) for one or more computers.

  • Change User Group. Changes the AD group membership for one or more users.

  • Disable User. Disables one or more user objects in AD. When a user object is disabled in AD, the user cannot log in to the domain.

  • Enable User. Enables one or more user objects in AD. When a user object is enabled in AD, the user can log in to the domain.

  • Change User OU. Changes the AD OU (organizational unit) for one or more users.

Actions for AWS EC2

Lucidum includes the following Actions for AWS EC2:

Actions for Automox

Lucidum includes the following Actions for Automox:

  • Patch Device. Applies all available software patches to one or more devices.

  • Reboot Device. Reboots one or more devices.

Actions for Elastic Cloud

Lucidum includes the following Actions for Elastic Cloud:

  • Send to Elastic Cloud Index. Sends a custom set of Lucidum data to Elastic Cloud.

Actions for Email

Lucidum includes the following Actions for Email:

  • Send Email. Sends data about one or more assets or users to one or more recipients.

Actions for Google Chronical

Lucidum includes the following Actions for Google Chronicle:

  • Send Data. Sends a custom set of Lucidum data to Google Chronicle.

8.0.0 or later

Actions for Google Cloud Platform

  • Send Data to GCP Storage. Sends a custom set of Lucidum data to GCP.

Actions for Hunters

Lucidum includes the following Actions for Hunters:

  • Send Data. Sends a custom set of Lucidum data to Hunters.

Actions for Jira Cloud Platform

Lucidum includes the following Actions for Jira Cloud:

  • Create Jira Issue. Creates a Jira issue. For each record that matches the base query, the output fields are attached to the Jira ticket.

8.0.0 or later

Actions for Microsoft Azure

  • Send Data to Azure Blob. Sends a custom set of Lucidum data to Azure.

Actions for Microsoft Defender

Lucidum includes the following Actions for Microsoft Defender:

  • Isolate Machine. Disconnects one or more devices from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

  • Unisolate Machine. Reconnects one or more devices to the network.

Devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. Microsoft recommends using a split-tunneling VPN for Microsoft Defender for Endpoint traffic.

Actions for Microsoft Sentinel

Lucidum includes the following Actions for Microsoft Sentinel:

  • Send Data. Sends a custom set of Lucidum data to Microsoft Sentinel.

Actions for Microsoft Teams

Lucidum includes the following Actions for Microsoft Teams:

  • Post on Teams. Sends a custom set of Lucidum data to Microsoft Teams.

Actions for Opsgenie

Lucidum includes the following Actions for Opsgenie:

  • Create Alert. Send an alert from Lucidum to Opsgenie. Opsgenie will deliver the alert according to its policies.

Actions for Rapid7

Lucidum includes the following Actions for Rapid7:

  • Create a New List of IPs/Hosts for Scanning. Send a list of IPs/host names to Rapid7 for scanning.

Actions for ServiceNow

Lucidum includes the following Actions for ServiceNow:

  • Create ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow.

  • Create/Update ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow. If the one or more of the CIs already exist, this action updates the existing CIs.

Actions for Slack

Lucidum includes the following Actions for Slack:

  • Post on Slack. Sends data (outputfields) from the specified records (from the base query) to a slack channel.

Actions for Splunk

Lucidum includes the following Actions for Splunk:

  • Send Data. Sends a custom set of Lucidum data to Splunk.

Actions of Sumo Logic

Lucidum includes the following Actions for Sumo Logic:

  • Send Data. Sends a custom set of Lucidum data to Sumo Logic.

Actions for Tenable Vulnerability Management

Lucidum includes the following Actions for Tenable Vulnerability Management:

  • Send to Tenable Vulnerability Management Assets. Sends a custom set of Lucidum data to Tenable Vulnerability Management to import as assets.

  • Launch Tenable Vulnerability Management Scan. Launches a scan in Tenable Vulnerability Management with a specified list of assets.

  • Add to Tenable Vulnerability Management Target Group. Adds a list of assets to a target group in Tenable Vulnerability Management. A target group includes a list of targets to scan.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.