Overview of Actions
What Are Actions?
Lucidum includes a feature called Actions. Actions are automations that are triggered by query results.
Actions include sending email messages, posting a message to Slack, creating tickets, isolating infected devices, or making changes to Active Directory, among other options.
For example, you can define an action that sends an email to the IT team if Lucidum discovers one or more assets without endpoint protection.
Lucidum also includes a type of action for webhooks. For details on webhooks, see the manual Using Webhooks in Lucidum.
Structure of Actions
Actions include two pieces:
A configuration that provides the connection and authorization information to communicate with the external solution.
An action that specifies the task to execute, the data to include in the action, and how frequently to execute the action.
List of Actions
Actions for AWS EC2
Stop Instance. Stops one or more AWS instances. For details on what happens when you stop an AWS instance, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html#what-happens-stop/.
Start Instance. Starts one or more previously stopped AWS instances. For details on what happens when you start an AWS instance, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html#what-happens-start/.
Tag Instance. Adds a tag (descriptive key: value pair) to one or more AWS instances. For details on tagging, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html.
Untag Instance. Removes a tag (descriptive key: value pair) from one or more AWS instances. For details on tagging, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html.
Actions for Active Directory
Change Computer Group. Changes the AD group membership for one or more assets.
Disable Computer. Disables one or more computer objects in AD. When a computer object is disabled in AD, domain accounts cannot log in to the computer.
Enable Computer. Enables one or more computer objects in AD. When a computer object is enabled in AD, domain accounts can log in to the computer.
Change Computer OU. Changes the AD OU (organizational unit) for one or more computers.
Change User Group. Changes the AD group membership for one or more users.
Disable User. Disables one or more user objects in AD. When a user object is disabled in AD, the user cannot log in to the domain.
Enable User. Enables one or more user objects in AD. When a user object is enabled in AD, the user can log in to the domain.
Change User OU. Changes the AD OU (organizational unit) for one or more users.
Actions for Automox
Patch Device. Applies all available software patches to one or more devices.
Reboot Device. Reboots one or more devices.
Actions for Email
Send Email. Sends data about one or more assets or users to one or more recipients.
Actions for Jira Cloud Platform
Create Jira Issue. Creates a Jira issue. For each record that matches the base query, the output fields are attached to the Jira ticket.
Actions for Microsoft Defender
Isolate Machine. Disconnects one or more devices from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.
Unisolate Machine. Reconnects one or more devices to the network.
Devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. Microsoft recommends using a split-tunneling VPN for Microsoft Defender for Endpoint traffic.
Actions for Microsoft Sentinel
Send Data. Sends a custom set of Lucidum data to Microsoft Sentinel.
Actions for Opsgenie
Create Alert. Sends an alert from Lucidum to Opsgenie. Opsgenie delivers the alert according to its own policies.
Actions for ServiceNow
Create ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow.
Create/Update ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow. If one or more of the CIs already exist, this action updates the existing CIs.
Actions for Slack
Post on Slack. Sends data (output fields) from the records that match the base query to a Slack channel.
Workflow for Creating Actions in Lucidum
To create an action in Lucidum, follow these steps:
Choose Action Center from the left pane.
In the Action Center, choose from the action types in the Channels pane.
To create a configuration for the action, click the Manage Configuration button. A configuration provides the connection and authorization information to communicate with the external solution.
Save the configuration.
To create an action, click the Create a new action button. An action specifies the task to execute, the data to include in the action, and how frequently to execute the action.
Save the action.
Lucidum automatically executes the action at the time and recurrence you defined in the action.
You can apply an existing configuration to more than one action. If a configuration already exists, you might be able to re-use the existing configuration and might not need to create a new one.
Action Limits in Lucidum
Each action can include up to 5,000 records.
You can trigger actions to run as frequently as every 5 minutes.
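The following is an added, illustrative model of the pieces described above (a configuration, an action with a base query, output fields and a recurrence, and the record and frequency limits). It is not Lucidum's code and does not reflect Lucidum's internal data formats; the record layout, field names, class names and the SMTP placeholder are assumptions made for this example. It uses the documentation's own scenario of emailing the IT team about assets without endpoint protection.

```python
"""Toy model of how a query-triggered action is assembled.

Added example, not Lucidum code: the record layout, field names and
function names are assumptions.  It models what the documentation
describes: a base query that selects records, output fields attached to
the action, the 5,000-record cap per action, and the 5-minute minimum
recurrence.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Callable, Iterable

MAX_RECORDS_PER_ACTION = 5_000          # limit stated in the documentation
MIN_RECURRENCE = timedelta(minutes=5)   # most frequent schedule allowed


@dataclass(frozen=True)
class Configuration:
    """Connection/authorization details for the external solution (assumed layout)."""
    channel: str            # e.g. "email", "slack"
    endpoint: str           # server or webhook URL; placeholder value here
    credential_ref: str     # name of a stored secret, never the secret itself


@dataclass
class Action:
    """Task to execute, data to include, and how often to run (assumed layout)."""
    name: str
    config: Configuration
    base_query: Callable[[dict], bool]    # predicate selecting records
    output_fields: list[str]              # fields copied into the payload
    recurrence: timedelta

    def __post_init__(self) -> None:
        # Reject schedules more frequent than the documented minimum.
        if self.recurrence < MIN_RECURRENCE:
            raise ValueError(
                f"recurrence {self.recurrence} is below the "
                f"{MIN_RECURRENCE} minimum")


def build_payload(action: Action, records: Iterable[dict]) -> dict:
    """Select matching records and project them onto the output fields.

    Records beyond MAX_RECORDS_PER_ACTION are counted but not included, so
    the caller can see that the action hit the cap and should narrow the
    base query or split the action.
    """
    matched = [r for r in records if action.base_query(r)]
    included = [{f: r.get(f) for f in action.output_fields}
                for r in matched[:MAX_RECORDS_PER_ACTION]]
    return {
        "action": action.name,
        "channel": action.config.channel,
        "endpoint": action.config.endpoint,
        "records": included,
        "matched": len(matched),
        "truncated": len(matched) - len(included),
    }


# Constructed sample inventory; names and values are invented for this example.
SAMPLE_ASSETS = [
    {"asset_name": "lap-001", "os": "Windows 11", "endpoint_protection": True},
    {"asset_name": "lap-002", "os": "Windows 11", "endpoint_protection": False},
    {"asset_name": "srv-010", "os": "Ubuntu 22.04", "endpoint_protection": None},
]

# Placeholder SMTP endpoint and secret reference (assumed, not real values).
EMAIL_CONFIG = Configuration(
    channel="email", endpoint="smtp.example.invalid", credential_ref="smtp-relay")

# The documentation's scenario: email IT about assets without endpoint protection.
MISSING_EPP_ALERT = Action(
    name="Assets without endpoint protection",
    config=EMAIL_CONFIG,
    base_query=lambda r: not r.get("endpoint_protection"),
    output_fields=["asset_name", "os"],
    recurrence=timedelta(hours=1),
)

if __name__ == "__main__":
    print(build_payload(MISSING_EPP_ALERT, SAMPLE_ASSETS))
```

Running the module prints a payload containing only the two assets whose endpoint_protection is false or missing, projected onto the asset_name and os output fields. The "truncated" count is the part worth watching in practice: an action that regularly hits the 5,000-record cap silently drops findings, so its base query should be narrowed or split across several actions.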