
# Lumu

This Integration is part of the Lumu Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

SecOps operations: reflect and manage Lumu incidents from Cortex XSOAR, or vice versa, using the mirroring integration flow (https://lumu.io/). This integration was integrated and tested with version 20230215 of Lumu.

## Configure Lumu in Cortex

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| Maximum number of incidents to fetch every time |  | False |
| First fetch time interval | The time range to consider for the initial data fetch. (`<number> <unit>`, e.g., 2 minutes, 2 hours, 2 days, 2 months, 2 years). Default is 3 days. | False |
| Server URL |  | True |
| Use system proxy settings |  | False |
| Trust any certificate (not secure) |  | False |
| API Key |  | True |
| Incident Offset |  | False |
| Total Incident per fetching using lumu endpoint |  | False |
| Max time in seconds per fetching using lumu endpoint |  | False |
| Fetch incidents |  | False |
| Incident type |  | False |
| Incidents Fetch Interval |  | False |
| Incident Mirroring Direction | Selects which direction you want the incidents mirrored. You can mirror **Incoming** only (from Lumu to Cortex XSOAR), **Outgoing** only (from Cortex XSOAR to Lumu), or both **Incoming And Outgoing**. | False |
| Mirror tags | Comments and files marked with this tag will be pushed into Lumu. | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### lumu-retrieve-labels

Get a paginated list of all the labels created for the company and their details, such as id, name and business relevance. The items are sorted by label id in ascending order.

#### Base Command

`lumu-retrieve-labels`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page requested. | Optional |
| limit | Item limit requested. Default is 10. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Lumu.RetrieveLabels.labels.id | Number | Label id |
| Lumu.RetrieveLabels.labels.name | String | Label name |
| Lumu.RetrieveLabels.labels.relevance | Number | Label relevance |
| Lumu.RetrieveLabels.paginationInfo.page | Number | Current page |
| Lumu.RetrieveLabels.paginationInfo.items | Number | Items on the current page |
| Lumu.RetrieveLabels.paginationInfo.next | Number | Next page |
| Lumu.RetrieveLabels.paginationInfo.prev | Number | Previous page |

#### Command example

```
!lumu-retrieve-labels
```

#### Context Example

```json
{
    "Lumu": {
        "RetrieveLabels": {
            "labels": [
                {
                    "id": 51,
                    "name": "Mi Ofi",
                    "relevance": 1
                },
                {
                    "id": 112,
                    "name": "Lab1",
                    "relevance": 1
                },
                {
                    "id": 113,
                    "name": "Lab2",
                    "relevance": 1
                },
                {
                    "id": 134,
                    "name": "cd test",
                    "relevance": 1
                },
                {
                    "id": 147,
                    "name": "cd",
                    "relevance": 1
                },
                {
                    "id": 173,
                    "name": "VA 3.1.2 Test",
                    "relevance": 1
                },
                {
                    "id": 218,
                    "name": "acastaneda",
                    "relevance": 1
                },
                {
                    "id": 227,
                    "name": "VA 1.3.3 Label",
                    "relevance": 1
                },
                {
                    "id": 280,
                    "name": "client test",
                    "relevance": 1
                },
                {
                    "id": 331,
                    "name": "VA 3.1.3",
                    "relevance": 1
                }
            ],
            "paginationInfo": {
                "items": 10,
                "next": 2,
                "page": 1
            }
        }
    }
}
```

#### Human Readable Output

##### Labels

| **Id** | **Name** | **Relevance** |
| --- | --- | --- |
| 51 | Mi Ofi | 1 |
| 112 | Lab1 | 1 |
| 113 | Lab2 | 1 |
| 134 | cd test | 1 |
| 147 | cd | 1 |
| 173 | VA 3.1.2 Test | 1 |
| 218 | acastaneda | 1 |
| 227 | VA 1.3.3 Label | 1 |
| 280 | client test | 1 |
| 331 | VA 3.1.3 | 1 |

##### paginationInfo

| **Items** | **Next** | **Page** |
| --- | --- | --- |
| 10 | 2 | 1 |
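The `paginationInfo` block above only carries `next` while another page exists, so an automation that wants every label has to follow that pointer rather than stop after the first call. The walker below is an added example, not code from the Lumu integration: `fetch_sample_page` and `SAMPLE_PAGES` are constructed stand-ins for the API call, shaped like the context output above, and the label names are taken from that sample. The same loop serves any Lumu list that returns `paginationInfo`, which is why the list key is a parameter.

```python
# Added example (not the Lumu integration's code): follow paginationInfo.next until it
# disappears, with a bound and loop check so a bad pointer cannot hang the automation.
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample pages, shaped like the lumu-retrieve-labels context above.
SAMPLE_PAGES: Dict[int, dict] = {
    1: {"labels": [{"id": 51, "name": "Mi Ofi", "relevance": 1},
                   {"id": 112, "name": "Lab1", "relevance": 1}],
        "paginationInfo": {"page": 1, "items": 2, "next": 2}},
    2: {"labels": [{"id": 113, "name": "Lab2", "relevance": 1},
                   {"id": 134, "name": "cd test", "relevance": 1}],
        "paginationInfo": {"page": 2, "items": 2, "next": 3, "prev": 1}},
    3: {"labels": [{"id": 147, "name": "cd", "relevance": 1}],
        "paginationInfo": {"page": 3, "items": 1, "prev": 2}},
}


def fetch_sample_page(page: int, limit: int) -> dict:
    """Stand-in for the HTTP call: returns the constructed page, or an empty one."""
    empty = {"labels": [], "paginationInfo": {"page": page, "items": 0}}
    return SAMPLE_PAGES.get(page, empty)


def iter_pages(fetch: Callable[[int, int], dict], key: str,
               limit: int = 10, max_pages: int = 1000) -> Iterator[dict]:
    """Yield the items under `key` from page 1 onward, following paginationInfo.next.

    `max_pages` bounds the walk and `seen` catches a `next` that points backwards,
    so a misbehaving endpoint cannot keep a fetch job running forever.
    """
    page: Optional[int] = 1
    seen = set()
    while page is not None and len(seen) < max_pages:
        if page in seen:
            raise RuntimeError(f"pagination loop detected at page {page}")
        seen.add(page)
        body = fetch(page, limit)
        yield from body.get(key, [])
        page = body.get("paginationInfo", {}).get("next")


def all_labels(fetch: Callable[[int, int], dict] = fetch_sample_page,
               limit: int = 10) -> List[dict]:
    """Every label across all pages, in the order the API returned them."""
    return list(iter_pages(fetch, "labels", limit))


def label_name_index(fetch: Callable[[int, int], dict] = fetch_sample_page) -> Dict[int, str]:
    """Map label id -> name, the lookup needed to render labelDistribution keys."""
    return {label["id"]: label["name"] for label in all_labels(fetch)}


if __name__ == "__main__":
    print(label_name_index())
```

Swap `fetch_sample_page` for a function that performs the real request and the rest is unchanged; keys in `labelDistribution` on incident records are label ids, so the index built here is what turns `"2144": 10` into a readable label name.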

### lumu-retrieve-a-specific-label

Get details such as id, name and business relevance from a specific label.

`{label-id}`: ID of the specific label

#### Base Command

`lumu-retrieve-a-specific-label`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| label_id | Label id requested. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Lumu.RetrieveASpecificLabel.id | Number | Label id |
| Lumu.RetrieveASpecificLabel.name | String | Label name |
| Lumu.RetrieveASpecificLabel.relevance | Number | Label relevance |

#### Command example

```
!lumu-retrieve-a-specific-label label_id=51
```

#### Context Example

```json
{
    "Lumu": {
        "RetrieveASpecificLabel": {
            "id": 51,
            "name": "Mi Ofi",
            "relevance": 1
        }
    }
}
```

#### Human Readable Output

##### Label

| **Id** | **Name** | **Relevance** |
| --- | --- | --- |
| 51 | Mi Ofi | 1 |

### lumu-retrieve-incidents

Get a paginated list of incidents for the company. The items are listed most recent first.

#### Base Command

`lumu-retrieve-incidents`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| page | Page requested. | Optional |
| limit | Item limit requested. Default is 10. | Optional |
| fromdate | Start of the time range, as an ISO string; e.g. 2023 January 1st, 14:40:14 is 2023-01-01T14:40:14.000Z, and 2023 July 4th, 05:10 is 2023-07-04T05:10:00.000Z. | Optional |
| todate | End of the time range, in the same ISO string format; e.g. 2023 January 1st, 14:40:14 is 2023-01-01T14:40:14.000Z, and 2023 July 4th, 05:10 is 2023-07-04T05:10:00.000Z. | Optional |
| status | Incident status to return. Possible values are: open, muted, closed. | Optional |
| adversary_types | Adversary types to return. Possible values are: C2C, Malware, DGA, Mining, Spam, Phishing. | Optional |
| labels | Label ids to return. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Lumu.RetrieveIncidents.items.id | String | Lumu incident id |
| Lumu.RetrieveIncidents.items.timestamp | Date | Lumu timestamp |
| Lumu.RetrieveIncidents.items.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.RetrieveIncidents.items.status | String | Lumu status |
| Lumu.RetrieveIncidents.items.contacts | Number | Lumu contacts |
| Lumu.RetrieveIncidents.items.adversaries | String | Lumu adversaries |
| Lumu.RetrieveIncidents.items.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.RetrieveIncidents.items.labelDistribution | Number | Lumu incident labels |
| Lumu.RetrieveIncidents.items.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.RetrieveIncidents.items.lastContact | Date | Lumu lastContact |
| Lumu.RetrieveIncidents.items.unread | Boolean | Lumu unread |
| Lumu.RetrieveIncidents.paginationInfo.page | Number | Current page |
| Lumu.RetrieveIncidents.paginationInfo.items | Number | Items on the current page |
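Two things in the input table above are easy to get wrong in a playbook: the `fromdate`/`todate` values must be rendered in the exact millisecond-precision UTC form shown, and the `status`, `adversary_types` and `labels` filters only accept the values listed. The code below is an added example rather than the integration's own implementation: it turns the configured first-fetch interval (`<number> <unit>`) into a `(fromdate, todate)` pair, and applies the same three filters to a constructed, abbreviated copy of the incidents from the context example so that results can be checked without calling the API. Treating months as 30 days and years as 365 days is this example's assumption, not something the page states.

```python
# Added example (not the Lumu integration's code): render the fromdate/todate window
# the command expects and apply the status / adversary_types / labels filters locally.
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

VALID_STATUS = {"open", "muted", "closed"}
VALID_TYPES = {"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"}


def parse_lumu_iso(value: str) -> datetime:
    """Parse '2023-02-15T02:21:59Z' or '2023-02-15T13:28:25.537Z' into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def to_lumu_iso(dt: datetime) -> str:
    """Render as '2023-01-01T14:40:14.000Z' (UTC, millisecond precision, trailing Z).

    Naive datetimes are assumed to be UTC already.
    """
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def fetch_window(now: datetime, first_fetch: str = "3 days") -> Tuple[str, str]:
    """Turn a '<number> <unit>' interval into (fromdate, todate) strings ending at `now`.

    Assumption of this example: months are 30 days and years 365 days, since
    timedelta has no calendar arithmetic. Unknown units are rejected rather than
    silently producing an empty or unbounded window.
    """
    number, unit = first_fetch.strip().split()
    seconds_per = {"minute": 60, "hour": 3600, "day": 86400,
                   "month": 30 * 86400, "year": 365 * 86400}
    unit = unit.lower().rstrip("s")
    if unit not in seconds_per:
        raise ValueError(f"unsupported first-fetch unit: {unit!r}")
    start = now - timedelta(seconds=int(number) * seconds_per[unit])
    return to_lumu_iso(start), to_lumu_iso(now)


# Constructed sample, abbreviated from the incidents in the context example above.
SAMPLE_INCIDENTS: List[dict] = [
    {"id": "8c5efc90-aca5-11ed-9fd0-e5fb50c818f6", "status": "open",
     "adversaryTypes": ["C2C"], "labelDistribution": {"2144": 10}, "contacts": 10},
    {"id": "e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6", "status": "closed",
     "adversaryTypes": ["C2C", "Malware"], "labelDistribution": {"989": 1}, "contacts": 1},
    {"id": "903c5580-abef-11ed-9fd0-e5fb50c818f6", "status": "open",
     "adversaryTypes": ["Phishing"], "labelDistribution": {"2041": 5, "4055": 2}, "contacts": 7},
    {"id": "89658e80-aa3b-11ed-9fd0-e5fb50c818f6", "status": "closed",
     "adversaryTypes": ["Malware"], "labelDistribution": {"147": 2}, "contacts": 2},
]


def filter_incidents(items: Iterable[dict], status: Optional[str] = None,
                     adversary_types: Iterable[str] = (),
                     labels: Iterable[int] = ()) -> List[dict]:
    """Keep incidents that satisfy every given filter (any listed type or label matches)."""
    if status is not None and status not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
    wanted_types = set(adversary_types)
    unknown = wanted_types - VALID_TYPES
    if unknown:
        raise ValueError(f"unknown adversary types: {sorted(unknown)}")
    wanted_labels = {str(label) for label in labels}  # labelDistribution keys are strings
    kept = []
    for inc in items:
        if status and inc.get("status") != status:
            continue
        if wanted_types and not wanted_types & set(inc.get("adversaryTypes", [])):
            continue
        if wanted_labels and not wanted_labels & set(inc.get("labelDistribution", {})):
            continue
        kept.append(inc)
    return kept


if __name__ == "__main__":
    print(fetch_window(datetime.now(timezone.utc)))
    print([i["id"] for i in filter_incidents(SAMPLE_INCIDENTS, status="open")])
```

Validating the filter values before the request is deliberate: an unknown `status` or adversary type sent to the endpoint typically comes back as an empty page, which a playbook can mistake for "no incidents".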

#### Command example

```
!lumu-retrieve-incidents
```

#### Context Example

```json
{
    "Lumu": {
        "RetrieveIncidents": [
            {
                "adversaries": [
                    "www.chg.com.br"
                ],
                "adversaryId": "www.chg.com.br",
                "adversaryTypes": [
                    "Malware"
                ],
                "contacts": 1,
                "description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
                "firstContact": "2023-02-15T13:28:25.537Z",
                "hasPlaybackContacts": false,
                "id": "ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "0": 1
                },
                "lastContact": "2023-02-15T13:28:25.537Z",
                "status": "closed",
                "statusTimestamp": "2023-02-15T21:53:41.468Z",
                "timestamp": "2023-02-15T13:28:47.356Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "104.156.63.145"
                ],
                "adversaryId": "104.156.63.145",
                "adversaryTypes": [
                    "C2C"
                ],
                "contacts": 10,
                "description": "Malware family Agentemis",
                "firstContact": "2023-02-15T02:21:59Z",
                "hasPlaybackContacts": false,
                "id": "8c5efc90-aca5-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "2144": 10
                },
                "lastContact": "2023-02-15T05:35:40Z",
                "status": "open",
                "statusTimestamp": "2023-02-14T20:24:14.297Z",
                "timestamp": "2023-02-14T20:24:14.297Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "161.97.110.203"
                ],
                "adversaryId": "161.97.110.203",
                "adversaryTypes": [
                    "C2C"
                ],
                "contacts": 1,
                "description": "Malware family Katana",
                "firstContact": "2023-02-15T02:18:17Z",
                "hasPlaybackContacts": false,
                "id": "853e3020-aca5-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "2144": 1
                },
                "lastContact": "2023-02-15T02:18:17Z",
                "status": "open",
                "statusTimestamp": "2023-02-14T20:24:02.338Z",
                "timestamp": "2023-02-14T20:24:02.338Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "rea.co.ke"
                ],
                "adversaryId": "rea.co.ke",
                "adversaryTypes": [
                    "C2C",
                    "Malware"
                ],
                "contacts": 1,
                "description": "Malware family P2PZeuS",
                "firstContact": "2023-02-14T17:27:26.791Z",
                "hasPlaybackContacts": false,
                "id": "e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "989": 1
                },
                "lastContact": "2023-02-14T17:27:26.791Z",
                "status": "closed",
                "statusTimestamp": "2023-02-14T18:33:38.315Z",
                "timestamp": "2023-02-14T17:27:38.362Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "www.puertoballesta.com"
                ],
                "adversaryId": "www.puertoballesta.com",
                "adversaryTypes": [
                    "Phishing"
                ],
                "contacts": 1,
                "description": "Phishing domain",
                "firstContact": "2023-02-14T17:08:11.751Z",
                "hasPlaybackContacts": false,
                "id": "91aaaf20-ac8a-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "989": 1
                },
                "lastContact": "2023-02-14T17:08:11.751Z",
                "status": "open",
                "statusTimestamp": "2023-02-14T17:24:41.268Z",
                "timestamp": "2023-02-14T17:11:06.770Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "bitmovil.mx"
                ],
                "adversaryId": "bitmovil.mx",
                "adversaryTypes": [
                    "Malware"
                ],
                "contacts": 2,
                "description": "Heodo",
                "firstContact": "2023-02-14T17:05:37.987Z",
                "hasPlaybackContacts": false,
                "id": "0d207a50-ac8a-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "989": 2
                },
                "lastContact": "2023-02-14T17:05:37.987Z",
                "status": "closed",
                "statusTimestamp": "2023-02-14T18:44:09.946Z",
                "timestamp": "2023-02-14T17:07:24.405Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "msk.turbolider.ru"
                ],
                "adversaryId": "msk.turbolider.ru",
                "adversaryTypes": [
                    "Phishing"
                ],
                "contacts": 2,
                "description": "Phishing domain",
                "firstContact": "2023-02-14T16:28:11.169Z",
                "hasPlaybackContacts": false,
                "id": "99b7bf10-ac84-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "147": 2
                },
                "lastContact": "2023-02-14T16:28:11.169Z",
                "status": "open",
                "statusTimestamp": "2023-02-14T16:28:23.297Z",
                "timestamp": "2023-02-14T16:28:23.297Z",
                "totalEndpoints": 1,
                "unread": false
            },
            {
                "adversaries": [
                    "rspg-spectrum.eu"
                ],
                "adversaryId": "rspg-spectrum.eu",
                "adversaryTypes": [
                    "Phishing"
                ],
                "contacts": 7,
                "description": "Phishing domain",
                "firstContact": "2023-01-13T18:15:24.305Z",
                "hasPlaybackContacts": true,
                "id": "903c5580-abef-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "2041": 5,
                    "4055": 2
                },
                "lastContact": "2023-02-14T16:01:27.715Z",
                "status": "open",
                "statusTimestamp": "2023-02-13T22:41:32.376Z",
                "timestamp": "2023-02-13T22:41:32.376Z",
                "totalEndpoints": 3,
                "unread": false
            },
            {
                "adversaries": [
                    "scalarchives.com"
                ],
                "adversaryId": "scalarchives.com",
                "adversaryTypes": [
                    "Phishing"
                ],
                "contacts": 4,
                "description": "Phishing domain",
                "firstContact": "2023-01-13T21:44:39.025Z",
                "hasPlaybackContacts": true,
                "id": "f2571f00-aa43-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "4055": 4
                },
                "lastContact": "2023-01-13T21:44:39.035Z",
                "status": "open",
                "statusTimestamp": "2023-02-11T19:40:32.368Z",
                "timestamp": "2023-02-11T19:40:32.368Z",
                "totalEndpoints": 2,
                "unread": false
            },
            {
                "adversaries": [
                    "portaconexao8.top"
                ],
                "adversaryId": "portaconexao8.top",
                "adversaryTypes": [
                    "Malware"
                ],
                "contacts": 2,
                "description": "Malware hash: 55e57c52cd5e1dcfad4e9bcf0eb2f3a5",
                "firstContact": "2023-02-11T18:40:09.087Z",
                "hasPlaybackContacts": false,
                "id": "89658e80-aa3b-11ed-9fd0-e5fb50c818f6",
                "labelDistribution": {
                    "147": 2
                },
                "lastContact": "2023-02-11T18:40:09.087Z",
                "status": "closed",
                "statusTimestamp": "2023-02-15T13:26:02.357Z",
                "timestamp": "2023-02-11T18:40:20.328Z",
                "totalEndpoints": 1,
                "unread": false
            }
        ]
    }
}
```

#### Human Readable Output

##### Incidents

| **Adversaries** | **Adversary Id** | **Adversary Types** | **Contacts** | **Description** | **First Contact** | **Has Playback Contacts** | **Id** | **Label Distribution** | **Last Contact** | **Status** | **Status Timestamp** | **Timestamp** | **Total Endpoints** | **Unread** |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-15T13:28:25.537Z | false | ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-15T13:28:25.537Z | closed | 2023-02-15T21:53:41.468Z | 2023-02-15T13:28:47.356Z | 1 | false |
| 104.156.63.145 | 104.156.63.145 | C2C | 10 | Malware family Agentemis | 2023-02-15T02:21:59Z | false | 8c5efc90-aca5-11ed-9fd0-e5fb50c818f6 | 2144: 10 | 2023-02-15T05:35:40Z | open | 2023-02-14T20:24:14.297Z | 2023-02-14T20:24:14.297Z | 1 | false |
| 161.97.110.203 | 161.97.110.203 | C2C | 1 | Malware family Katana | 2023-02-15T02:18:17Z | false | 853e3020-aca5-11ed-9fd0-e5fb50c818f6 | 2144: 1 | 2023-02-15T02:18:17Z | open | 2023-02-14T20:24:02.338Z | 2023-02-14T20:24:02.338Z | 1 | false |
| rea.co.ke | rea.co.ke | C2C, Malware | 1 | Malware family P2PZeuS | 2023-02-14T17:27:26.791Z | false | e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6 | 989: 1 | 2023-02-14T17:27:26.791Z | closed | 2023-02-14T18:33:38.315Z | 2023-02-14T17:27:38.362Z | 1 | false |
| www.puertoballesta.com | www.puertoballesta.com | Phishing | 1 | Phishing domain | 2023-02-14T17:08:11.751Z | false | 91aaaf20-ac8a-11ed-9fd0-e5fb50c818f6 | 989: 1 | 2023-02-14T17:08:11.751Z | open | 2023-02-14T17:24:41.268Z | 2023-02-14T17:11:06.770Z | 1 | false |
| bitmovil.mx | bitmovil.mx | Malware | 2 | Heodo | 2023-02-14T17:05:37.987Z | false | 0d207a50-ac8a-11ed-9fd0-e5fb50c818f6 | 989: 2 | 2023-02-14T17:05:37.987Z | closed | 2023-02-14T18:44:09.946Z | 2023-02-14T17:07:24.405Z | 1 | false |
| msk.turbolider.ru | msk.turbolider.ru | Phishing | 2 | Phishing domain | 2023-02-14T16:28:11.169Z | false | 99b7bf10-ac84-11ed-9fd0-e5fb50c818f6 | 147: 2 | 2023-02-14T16:28:11.169Z | open | 2023-02-14T16:28:23.297Z | 2023-02-14T16:28:23.297Z | 1 | false |
| rspg-spectrum.eu | rspg-spectrum.eu | Phishing | 7 | Phishing domain | 2023-01-13T18:15:24.305Z | true | 903c5580-abef-11ed-9fd0-e5fb50c818f6 | 4055: 2<br>2041: 5 | 2023-02-14T16:01:27.715Z | open | 2023-02-13T22:41:32.376Z | 2023-02-13T22:41:32.376Z | 3 | false |
| scalarchives.com | scalarchives.com | Phishing | 4 | Phishing domain | 2023-01-13T21:44:39.025Z | true | f2571f00-aa43-11ed-9fd0-e5fb50c818f6 | 4055: 4 | 2023-01-13T21:44:39.035Z | open | 2023-02-11T19:40:32.368Z | 2023-02-11T19:40:32.368Z | 2 | false |
| portaconexao8.top | portaconexao8.top | Malware | 2 | Malware hash: 55e57c52cd5e1dcfad4e9bcf0eb2f3a5 | 2023-02-11T18:40:09.087Z | false | 89658e80-aa3b-11ed-9fd0-e5fb50c818f6 | 147: 2 | 2023-02-11T18:40:09.087Z | closed | 2023-02-15T13:26:02.357Z | 2023-02-11T18:40:20.328Z | 1 | false |

##### paginationInfo

| **Items** | **Next** | **Page** |
| --- | --- | --- |
| 10 | 2 | 1 |

#### Command example

```
!lumu-retrieve-incidents page=2 status=open adversary_types=Malware labels=1580
```

#### Human Readable Output

##### Incidents

No entries.

##### paginationInfo

| **Items** | **Page** | **Prev** |
| --- | --- | --- |
| 10 | 2 | 1 |

### lumu-retrieve-a-specific-incident-details

Get details of a specific incident.

`{incident-uuid}`: UUID of the specific incident

#### Base Command

`lumu-retrieve-a-specific-incident-details`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| lumu_incident_id | Lumu incident id requested. | Required |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Lumu.RetrieveASpecificIncidentDetails.id | String | Lumu id |
| Lumu.RetrieveASpecificIncidentDetails.timestamp | Date | Lumu timestamp |
| Lumu.RetrieveASpecificIncidentDetails.isUnread | Boolean | Lumu isUnread |
| Lumu.RetrieveASpecificIncidentDetails.contacts | Number | Lumu contacts |
| Lumu.RetrieveASpecificIncidentDetails.adversaryId | String | Lumu adversaryId |
| Lumu.RetrieveASpecificIncidentDetails.adversaries | String | Lumu adversaries |
| Lumu.RetrieveASpecificIncidentDetails.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.RetrieveASpecificIncidentDetails.description | String | Lumu description |
| Lumu.RetrieveASpecificIncidentDetails.labelDistribution | Number | Lumu incident label |
| Lumu.RetrieveASpecificIncidentDetails.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.RetrieveASpecificIncidentDetails.lastContact | Date | Lumu lastContact |
| Lumu.RetrieveASpecificIncidentDetails.actions.datetime | Date | Lumu actions.datetime |
| Lumu.RetrieveASpecificIncidentDetails.actions.userId | Number | Lumu actions.userId |
| Lumu.RetrieveASpecificIncidentDetails.actions.action | String | Lumu actions.action |
| Lumu.RetrieveASpecificIncidentDetails.actions.comment | String | Lumu comment |
| Lumu.RetrieveASpecificIncidentDetails.status | String | Lumu status |
| Lumu.RetrieveASpecificIncidentDetails.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.uuid | String | Lumu firstContactDetails.uuid |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.datetime | Date | Lumu firstContactDetails.datetime |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.host | String | Lumu firstContactDetails.host |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.types | String | Lumu firstContactDetails.types |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.details | String | Lumu firstContactDetails.details |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.endpointIp | String | Lumu firstContactDetails.endpointIp |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.endpointName | String | Lumu firstContactDetails.endpointName |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.label | Number | Lumu firstContactDetails.label |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceType | String | Lumu firstContactDetails.sourceType |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceId | String | Lumu firstContactDetails.sourceId |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.question.type | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.question.type |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.question.name | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.question.name |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.question.class | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.question.class |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.responseCode | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.responseCode |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.flags.authoritative | Boolean | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.flags.authoritative |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_available | Boolean | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_available |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.flags.truncated_response | Boolean | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.flags.truncated_response |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.flags.checking_disabled | Boolean | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.flags.checking_disabled |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_desired | Boolean | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_desired |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.flags.authentic_data | Boolean | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.flags.authentic_data |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.answers.name | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.answers.name |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.answers.type | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.answers.type |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.answers.class | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.answers.class |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.answers.ttl | Number | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.answers.ttl |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.answers.data | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.answers.data |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.sourceData.DNSPacketExtraInfo.opCode | String | Lumu firstContactDetails.sourceData.DNSPacketExtraInfo.opCode |
| Lumu.RetrieveASpecificIncidentDetails.firstContactDetails.isPlayback | Boolean | Lumu firstContactDetails.isPlayback |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.uuid | String | Lumu lastContactDetails.uuid |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.datetime | Date | Lumu lastContactDetails.datetime |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.host | String | Lumu lastContactDetails.host |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.types | String | Lumu lastContactDetails.types |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.details | String | Lumu lastContactDetails.details |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.endpointIp | String | Lumu lastContactDetails.endpointIp |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.endpointName | String | Lumu lastContactDetails.endpointName |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.label | Number | Lumu lastContactDetails.label |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceType | String | Lumu lastContactDetails.sourceType |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceId | String | Lumu lastContactDetails.sourceId |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.question.type | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.question.type |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.question.name | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.question.name |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.question.class | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.question.class |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.responseCode | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.responseCode |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.flags.authoritative | Boolean | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.flags.authoritative |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_available | Boolean | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_available |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.flags.truncated_response | Boolean | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.flags.truncated_response |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.flags.checking_disabled | Boolean | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.flags.checking_disabled |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_desired | Boolean | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.flags.recursion_desired |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.flags.authentic_data | Boolean | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.flags.authentic_data |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.answers.name | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.answers.name |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.answers.type | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.answers.type |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.answers.class | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.answers.class |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.answers.ttl | Number | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.answers.ttl |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.answers.data | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.answers.data |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.sourceData.DNSPacketExtraInfo.opCode | String | Lumu lastContactDetails.sourceData.DNSPacketExtraInfo.opCode |
| Lumu.RetrieveASpecificIncidentDetails.lastContactDetails.isPlayback | Boolean | Lumu lastContactDetails.isPlayback |

#### Command example

```
!lumu-retrieve-a-specific-incident-details lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6
```

#### Context Example

```json
{
    "Lumu": {
        "RetrieveASpecificIncidentDetails": {
            "actions": [
                {
                    "action": "comment",
                    "comment": "test comment",
                    "datetime": "2023-02-15T12:18:53.523Z",
                    "userId": 6252
                },
                {
                    "action": "comment",
                    "comment": "from XSOAR Cortex 20230215_121052 jusa a comment 710, hmacsha256:4a72fe5ec25900e165988e155a1f629ceb2b3e0b92127b8b7df04ab8576b86e8",
                    "datetime": "2023-02-15T12:10:54.152Z",
                    "userId": 0
                },
                {
                    "action": "unmute",
                    "comment": "from XSOAR Cortex 20230215_120059 , hmacsha256:7e909a46d09f7e2fe9f81b8dbb4e56f39f1ed760744ff9b6ca0d17ca31c5a4c4",
                    "datetime": "2023-02-15T12:01:03.667Z",
                    "userId": 0
                },
                {
                    "action": "mute",
                    "comment": "from XSOAR Cortex 20230209_165814 at 1158, hmacsha256:ad2f2ce9951184230647f2feed5856d41fa75500ded13aed5bf78176d825e40b",
                    "datetime": "2023-02-09T16:58:14.536Z",
                    "userId": 0
                }
            ],
            "adversaries": [
                "activity.lumu.io"
            ],
            "adversaryId": "activity.lumu.io",
            "adversaryTypes": [
                "Spam"
            ],
            "contacts": 8,
            "description": "Activity Test Query",
            "firstContactDetails": {
                "datetime": "2023-02-08T16:41:35.613Z",
                "details": [
                    "Activity Test Query"
                ],
                "endpointIp": "186.29.109.138",
                "endpointName": "cd-ho",
                "host": "activity.lumu.io",
                "isPlayback": false,
                "label": 147,
                "sourceData": null,
                "sourceId": "587ec9d348053ca03a58aeddeccb1b93",
                "sourceType": "PublicResolver",
                "types": [
                    "Spam"
                ],
                "uuid": "737f12d0-a7cf-11ed-972b-0f9b6b3c6ffd"
            },
            "hasPlaybackContacts": false,
            "id": "7c40be00-a7cf-11ed-9fd0-e5fb50c818f6",
            "isUnread": false,
            "labelDistribution": {
                "0": 2,
                "147": 1,
                "1885": 2,
                "2254": 1,
                "989": 2
            },
            "lastContact": "2023-02-15T16:59:47.142Z",
            "lastContactDetails": {
                "datetime": "2023-02-15T16:59:47.142Z",
                "details": [
                    "Activity Test Query"
                ],
                "endpointIp": "192.168.1.100",
                "endpointName": "LUMU-100",
                "host": "activity.lumu.io",
                "isPlayback": false,
                "label": 0,
                "sourceData": {
                    "DNSQueryExtraInfo": {
                        "queryType": "A"
                    }
                },
                "sourceId": "6d942a7a-d287-415e-9c09-3d6632a6a976",
                "sourceType": "custom_collector",
                "types": [
                    "Spam"
                ],
                "uuid": "26fd6e60-ad52-11ed-8d57-0f9b6b8d54f0"
            },
            "status": "open",
            "statusTimestamp": "2023-02-15T12:01:03.667Z",
            "timestamp": "2023-02-08T16:41:50.304Z",
            "totalEndpoints": 6
        }
    }
}
```

#### Human Readable Output

##### Incident

| **Adversaries** | **Adversary Id** | **Adversary Types** | **Contacts** | **Description** | **First Contact Details** | **Has Playback Contacts** | **Id** | **Is Unread** | **Label Distribution** | **Last Contact** | **Last Contact Details** | **Status** | **Status Timestamp** | **Timestamp** | **Total Endpoints** |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| activity.lumu.io | activity.lumu.io | Spam | 8 | Activity Test Query | uuid: 737f12d0-a7cf-11ed-972b-0f9b6b3c6ffd<br>datetime: 2023-02-08T16:41:35.613Z<br>host: activity.lumu.io<br>types: Spam<br>details: Activity Test Query<br>endpointIp: 186.29.109.138<br>endpointName: cd-ho<br>label: 147<br>sourceType: PublicResolver<br>sourceId: 587ec9d348053ca03a58aeddeccb1b93<br>sourceData: null<br>isPlayback: false | false | 7c40be00-a7cf-11ed-9fd0-e5fb50c818f6 | false | 147: 1<br>2254: 1<br>1885: 2<br>989: 2<br>0: 2 | 2023-02-15T16:59:47.142Z | uuid: 26fd6e60-ad52-11ed-8d57-0f9b6b8d54f0<br>datetime: 2023-02-15T16:59:47.142Z<br>host: activity.lumu.io<br>types: Spam<br>details: Activity Test Query<br>endpointIp: 192.168.1.100<br>endpointName: LUMU-100<br>label: 0<br>sourceType: custom_collector<br>sourceId: 6d942a7a-d287-415e-9c09-3d6632a6a976<br>sourceData: {"DNSQueryExtraInfo": {"queryType": "A"}}<br>isPlayback: false | open | 2023-02-15T12:01:03.667Z | 2023-02-08T16:41:50.304Z | 6 |

##### Actions

| **Action** | **Comment** | **Datetime** | **User Id** |
| --- | --- | --- | --- |
| comment | test comment | 2023-02-15T12:18:53.523Z | 6252 |
| comment | from XSOAR Cortex 20230215_121052 jusa a comment 710, hmacsha256:4a72fe5ec25900e165988e155a1f629ceb2b3e0b92127b8b7df04ab8576b86e8 | 2023-02-15T12:10:54.152Z | 0 |
| unmute | from XSOAR Cortex 20230215_120059 , hmacsha256:7e909a46d09f7e2fe9f81b8dbb4e56f39f1ed760744ff9b6ca0d17ca31c5a4c4 | 2023-02-15T12:01:03.667Z | 0 |
| mute | from XSOAR Cortex 20230209_165814 at 1158, hmacsha256:ad2f2ce9951184230647f2feed5856d41fa75500ded13aed5bf78176d825e40b | 2023-02-09T16:58:14.536Z | 0 |
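The `actions` list above mixes what an analyst did in Lumu (the `test comment` from user 6252) with what the mirror itself pushed from Cortex XSOAR (comments beginning `from XSOAR Cortex <stamp>` and ending in an `hmacsha256:` tag, all with `userId` 0). With **Incoming And Outgoing** mirroring, an automation that reads this list has to tell the two apart, otherwise it re-imports its own writes and the incident fills with duplicate comments. The code below is an added example, not the integration's own mirroring code; the marker format is an observation from this sample, not a documented contract, and the transition table (`mute` gives `muted`, `unmute` gives `open`) is an assumption limited to the two actions the sample shows.

```python
# Added example (not the Lumu integration's code): separate analyst actions from the
# mirror's own writes, and derive the incident status from the newest mute/unmute.
import re
from typing import List, Set

# Observed in the sample above; assumed here, not documented by the page.
XSOAR_MARKER = re.compile(
    r"^from XSOAR Cortex (?P<stamp>\d{8}_\d{6}).*hmacsha256:(?P<tag>[0-9a-f]{64})\s*$"
)

# Constructed from the context example above.
SAMPLE_ACTIONS: List[dict] = [
    {"action": "comment", "comment": "test comment",
     "datetime": "2023-02-15T12:18:53.523Z", "userId": 6252},
    {"action": "comment",
     "comment": "from XSOAR Cortex 20230215_121052 jusa a comment 710, "
                "hmacsha256:4a72fe5ec25900e165988e155a1f629ceb2b3e0b92127b8b7df04ab8576b86e8",
     "datetime": "2023-02-15T12:10:54.152Z", "userId": 0},
    {"action": "unmute",
     "comment": "from XSOAR Cortex 20230215_120059 , "
                "hmacsha256:7e909a46d09f7e2fe9f81b8dbb4e56f39f1ed760744ff9b6ca0d17ca31c5a4c4",
     "datetime": "2023-02-15T12:01:03.667Z", "userId": 0},
    {"action": "mute",
     "comment": "from XSOAR Cortex 20230209_165814 at 1158, "
                "hmacsha256:ad2f2ce9951184230647f2feed5856d41fa75500ded13aed5bf78176d825e40b",
     "datetime": "2023-02-09T16:58:14.536Z", "userId": 0},
]

# Assumed mapping from the two status actions in the sample to the status values
# the lumu-retrieve-incidents `status` argument accepts.
STATUS_AFTER = {"mute": "muted", "unmute": "open"}


def origin_of(action: dict) -> str:
    """'xsoar' when the comment carries the mirror marker, otherwise 'lumu'."""
    return "xsoar" if XSOAR_MARKER.match(action.get("comment") or "") else "lumu"


def actions_to_mirror(actions: List[dict]) -> List[dict]:
    """Actions taken in Lumu, oldest first: the only ones worth importing into XSOAR.

    Sorting by the datetime string is valid because every value here shares the
    same zero-padded UTC format; mixed formats would need real datetime parsing.
    """
    return sorted((a for a in actions if origin_of(a) == "lumu"),
                  key=lambda a: a["datetime"])


def pushed_tags(actions: List[dict]) -> Set[str]:
    """hmacsha256 tags already present, so an outgoing push can skip a repeat."""
    tags = set()
    for action in actions:
        match = XSOAR_MARKER.match(action.get("comment") or "")
        if match:
            tags.add(match.group("tag"))
    return tags


def effective_status(actions: List[dict], default: str = "open") -> str:
    """Status implied by the newest mute/unmute action, or `default` if there is none."""
    status_actions = [a for a in actions if a.get("action") in STATUS_AFTER]
    if not status_actions:
        return default
    newest = max(status_actions, key=lambda a: a["datetime"])
    return STATUS_AFTER[newest["action"]]


if __name__ == "__main__":
    print([a["comment"] for a in actions_to_mirror(SAMPLE_ACTIONS)])
    print(effective_status(SAMPLE_ACTIONS))
```

`pushed_tags` is the defensive half: before an outgoing push, an automation can check whether the tag it is about to attach is already on the incident and skip the write, which keeps a retried playbook from posting the same comment twice.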

### lumu-retrieve-a-specific-incident-context

Get the context of a specific incident: adversary, MITRE ATT&CK mapping, threat details and triggers, related files, playbooks and external resources.

`{incident-uuid}`: UUID of the specific incident

#### Base Command

`lumu-retrieve-a-specific-incident-context`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| lumu_incident_id | Lumu incident id requested. | Required |
| hash | Lumu hash type. | Optional |

#### Context Output

| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Lumu.RetrieveASpecificIncidentContext.adversary_id | String | Lumu adversary_id |
| Lumu.RetrieveASpecificIncidentContext.currently_active | Boolean | Lumu currently_active |
| Lumu.RetrieveASpecificIncidentContext.deactivated_on | Date | Lumu deactivated_on |
| Lumu.RetrieveASpecificIncidentContext.mitre.details.tactic | String | Lumu mitre.details.tactic |
| Lumu.RetrieveASpecificIncidentContext.mitre.details.techniques | String | Lumu mitre.details.techniques |
| Lumu.RetrieveASpecificIncidentContext.mitre.matrix | String | Lumu mitre.matrix |
| Lumu.RetrieveASpecificIncidentContext.mitre.version | String | Lumu mitre.version |
| Lumu.RetrieveASpecificIncidentContext.related_files | String | Lumu related_files |
| Lumu.RetrieveASpecificIncidentContext.threat_details | String | Lumu threat_details |
| Lumu.RetrieveASpecificIncidentContext.threat_triggers | String | Lumu threat_triggers |
| Lumu.RetrieveASpecificIncidentContext.playbooks | String | Lumu playbooks |
| Lumu.RetrieveASpecificIncidentContext.external_resources | String | Lumu external_resources |
| Lumu.RetrieveASpecificIncidentContext.timestamp | Date | Lumu timestamp |

#### Command example

```
!lumu-retrieve-a-specific-incident-context lumu_incident_id=6eddaf40-938c-11ed-b0f8-a7e340234a4e hash=SHA256
```

#### Context Example

```json
{
    "Lumu": {
        "RetrieveASpecificIncidentContext": {
            "adversary_id": "jits.ac.in",
            "currently_active": true,
            "external_resources": [
                "https://blog.quosec.net/posts/grap_qakbot_navigation/",
                "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
                "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/",
                "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
                "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
                "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
                "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
                "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
                "https://urlhaus.abuse.ch/host/jits.ac.in/",
                "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
                "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/",
                "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
                "https://twitter.com/redcanary/status/1334224861628039169",
                "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
                "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
                "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
                "https://www.virustotal.com/gui/domain/jits.ac.in/relations"
            ],
            "mitre": {
                "details": [
                    {
                        "tactic": "command-and-control",
                        "techniques": [
                            "T1071"
                        ]
                    }
                ],
                "matrix": "enterprise",
                "version": "8.2"
            },
            "playbooks": [
                "https://docs.lumu.io/portal/en/kb/articles/malware-incident-response-playbook"
            ],
            "threat_details": [
                "qbot",
                "Gafgyt",
                "Qakbot",
                "Quakbot",
                "Qbot",
                "lizkebab",
                "torlus",
                "PinkSlipBot",
                "Bashlite",
                "Akbot",
                "Pinkslipbot",
                "Qbot ",
                "gayfgt"
            ],
            "threat_triggers": [
                "https://jits.ac.in/TS.php"
            ],
            "timestamp": "2023-02-15T21:59:16.261Z"
        }
    }
}
```

#### Human Readable Output

##### Incident

| **Adversary_Id** | **Currently_Active** | **External_Resources** | **Mitre** | **Playbooks** | **Threat_Details** | **Threat_Triggers** | **Timestamp** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| jits.ac.in | true | https://blog.quosec.net/posts/grap_qakbot_navigation/,<br>https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/,<br>https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/,<br>https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf,<br>https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot,<br>https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf,<br>https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/,<br>https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf,<br>https://urlhaus.abuse.ch/host/jits.ac.in/,<br>https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7,<br>https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/,<br>https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html,<br>https://twitter.com/redcanary/status/1334224861628039169,<br>https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf,<br>https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/,<br>https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques,<br>https://www.virustotal.com/gui/domain/jits.ac.in/relations | details: {'tactic': 'command-and-control', 'techniques': ['T1071']}<br>matrix: enterprise<br>version: 8.2 | https://docs.lumu.io/portal/en/kb/articles/malware-incident-response-playbook | qbot,<br>Gafgyt,<br>Qakbot,<br>Quakbot,<br>Qbot,<br>lizkebab,<br>torlus,<br>PinkSlipBot,<br>Bashlite,<br>Akbot,<br>Pinkslipbot,<br>Qbot ,<br>gayfgt | https://jits.ac.in/TS.php | 2023-02-15T21:59:16.261Z |

lumu-comment-a-specific-incident#


Get a paginated list of open incidents for the company. The items are listed by the most recent.

Base Command#

lumu-comment-a-specific-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lumu_incident_id | Lumu incident id requested. | Required |
| comment | Lumu comment requested. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.CommentASpecificIncident.statusCode | number | Lumu statusCode |

Command example#

!lumu-comment-a-specific-incident comment="from cortex, palo alto" lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6

Context Example#

{
"Lumu": {
"CommentASpecificIncident": {
"response": "",
"statusCode": 200
}
}
}

Human Readable Output#

Comment added to the incident successfully.

lumu-retrieve-open-incidents#


Get a paginated list of open incidents for the company. The items are listed by the most recent.

Base Command#

lumu-retrieve-open-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | page requested. | Optional |
| limit | item limit requested. Default is 10. | Optional |
| adversary_types | choose types: C2C,Malware,DGA,Mining,Spam,Phishing. Possible values are: C2C, Malware, DGA, Mining, Spam, Phishing. | Optional |
| labels | Lumu labels requested. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.RetrieveOpenIncidents.items.id | String | Lumu incident id |
| Lumu.RetrieveOpenIncidents.items.timestamp | Date | Lumu timestamp |
| Lumu.RetrieveOpenIncidents.items.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.RetrieveOpenIncidents.items.status | String | Lumu status |
| Lumu.RetrieveOpenIncidents.items.contacts | Number | Lumu contacts |
| Lumu.RetrieveOpenIncidents.items.adversaries | String | Lumu adversaries |
| Lumu.RetrieveOpenIncidents.items.adversaryId | String | Lumu adversaryId |
| Lumu.RetrieveOpenIncidents.items.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.RetrieveOpenIncidents.items.description | String | Lumu description |
| Lumu.RetrieveOpenIncidents.items.labelDistribution | Number | Lumu labelDistribution |
| Lumu.RetrieveOpenIncidents.items.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.RetrieveOpenIncidents.items.lastContact | Date | Lumu lastContact |
| Lumu.RetrieveOpenIncidents.items.unread | Boolean | Lumu unread |
| Lumu.RetrieveOpenIncidents.paginationInfo.page | Number | current page |
| Lumu.RetrieveOpenIncidents.paginationInfo.items | Number | current items |

Command example#

!lumu-retrieve-open-incidents

Context Example#

{
"Lumu": {
"RetrieveOpenIncidents": [
{
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 8,
"description": "Activity Test Query",
"firstContact": "2023-02-08T16:41:35.613Z",
"hasPlaybackContacts": false,
"id": "7c40be00-a7cf-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 2,
"147": 1,
"1885": 2,
"2254": 1,
"989": 2
},
"lastContact": "2023-02-15T16:59:47.142Z",
"status": "open",
"statusTimestamp": "2023-02-15T12:01:03.667Z",
"timestamp": "2023-02-08T16:41:50.304Z",
"totalEndpoints": 6,
"unread": false
},
{
"adversaries": [
"104.156.63.145"
],
"adversaryId": "104.156.63.145",
"adversaryTypes": [
"C2C"
],
"contacts": 10,
"description": "Malware family Agentemis",
"firstContact": "2023-02-15T02:21:59Z",
"hasPlaybackContacts": false,
"id": "8c5efc90-aca5-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"2144": 10
},
"lastContact": "2023-02-15T05:35:40Z",
"status": "open",
"statusTimestamp": "2023-02-14T20:24:14.297Z",
"timestamp": "2023-02-14T20:24:14.297Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"161.97.110.203"
],
"adversaryId": "161.97.110.203",
"adversaryTypes": [
"C2C"
],
"contacts": 1,
"description": "Malware family Katana",
"firstContact": "2023-02-15T02:18:17Z",
"hasPlaybackContacts": false,
"id": "853e3020-aca5-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"2144": 1
},
"lastContact": "2023-02-15T02:18:17Z",
"status": "open",
"statusTimestamp": "2023-02-14T20:24:02.338Z",
"timestamp": "2023-02-14T20:24:02.338Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.puertoballesta.com"
],
"adversaryId": "www.puertoballesta.com",
"adversaryTypes": [
"Phishing"
],
"contacts": 1,
"description": "Phishing domain",
"firstContact": "2023-02-14T17:08:11.751Z",
"hasPlaybackContacts": false,
"id": "91aaaf20-ac8a-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"989": 1
},
"lastContact": "2023-02-14T17:08:11.751Z",
"status": "open",
"statusTimestamp": "2023-02-14T17:24:41.268Z",
"timestamp": "2023-02-14T17:11:06.770Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"msk.turbolider.ru"
],
"adversaryId": "msk.turbolider.ru",
"adversaryTypes": [
"Phishing"
],
"contacts": 2,
"description": "Phishing domain",
"firstContact": "2023-02-14T16:28:11.169Z",
"hasPlaybackContacts": false,
"id": "99b7bf10-ac84-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"147": 2
},
"lastContact": "2023-02-14T16:28:11.169Z",
"status": "open",
"statusTimestamp": "2023-02-14T16:28:23.297Z",
"timestamp": "2023-02-14T16:28:23.297Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"rspg-spectrum.eu"
],
"adversaryId": "rspg-spectrum.eu",
"adversaryTypes": [
"Phishing"
],
"contacts": 7,
"description": "Phishing domain",
"firstContact": "2023-01-13T18:15:24.305Z",
"hasPlaybackContacts": true,
"id": "903c5580-abef-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"2041": 5,
"4055": 2
},
"lastContact": "2023-02-14T16:01:27.715Z",
"status": "open",
"statusTimestamp": "2023-02-13T22:41:32.376Z",
"timestamp": "2023-02-13T22:41:32.376Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"scalarchives.com"
],
"adversaryId": "scalarchives.com",
"adversaryTypes": [
"Phishing"
],
"contacts": 4,
"description": "Phishing domain",
"firstContact": "2023-01-13T21:44:39.025Z",
"hasPlaybackContacts": true,
"id": "f2571f00-aa43-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"4055": 4
},
"lastContact": "2023-01-13T21:44:39.035Z",
"status": "open",
"statusTimestamp": "2023-02-11T19:40:32.368Z",
"timestamp": "2023-02-11T19:40:32.368Z",
"totalEndpoints": 2,
"unread": false
},
{
"adversaries": [
"www.ascentive.com"
],
"adversaryId": "www.ascentive.com",
"adversaryTypes": [
"Malware"
],
"contacts": 9,
"description": "Malware family Trojan.Win32.Generic",
"firstContact": "2023-02-09T16:04:59.540Z",
"hasPlaybackContacts": false,
"id": "e6a0cc30-a893-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"1885": 1,
"2144": 7,
"989": 1
},
"lastContact": "2023-02-14T23:34:09.414Z",
"status": "open",
"statusTimestamp": "2023-02-09T16:07:50.131Z",
"timestamp": "2023-02-09T16:07:50.131Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"ac20mail.in"
],
"adversaryId": "ac20mail.in",
"adversaryTypes": [
"Spam"
],
"contacts": 1,
"description": "Disposable email host",
"firstContact": "2023-01-28T05:29:26.009Z",
"hasPlaybackContacts": false,
"id": "ce5753e0-9ecc-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"4301": 1
},
"lastContact": "2023-01-28T05:29:26.009Z",
"status": "open",
"statusTimestamp": "2023-02-09T15:55:27.960Z",
"timestamp": "2023-01-28T05:29:59.070Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"dimar.cl"
],
"adversaryId": "dimar.cl",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malicious domain",
"firstContact": "2023-02-07T08:10:51.125Z",
"hasPlaybackContacts": false,
"id": "cf26cf90-a7e5-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"51": 2
},
"lastContact": "2023-02-07T08:10:51.125Z",
"status": "open",
"statusTimestamp": "2023-02-08T19:21:38.313Z",
"timestamp": "2023-02-08T19:21:38.313Z",
"totalEndpoints": 1,
"unread": false
}
]
}
}

Human Readable Output#

Incidents#

| Adversaries | Adversary Id | Adversary Types | Contacts | Description | First Contact | Has Playback Contacts | Id | Label Distribution | Last Contact | Status | Status Timestamp | Timestamp | Total Endpoints | Unread |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| activity.lumu.io | activity.lumu.io | Spam | 8 | Activity Test Query | 2023-02-08T16:41:35.613Z | false | 7c40be00-a7cf-11ed-9fd0-e5fb50c818f6 | 147: 1<br>2254: 1<br>1885: 2<br>989: 2<br>0: 2 | 2023-02-15T16:59:47.142Z | open | 2023-02-15T12:01:03.667Z | 2023-02-08T16:41:50.304Z | 6 | false |
| 104.156.63.145 | 104.156.63.145 | C2C | 10 | Malware family Agentemis | 2023-02-15T02:21:59Z | false | 8c5efc90-aca5-11ed-9fd0-e5fb50c818f6 | 2144: 10 | 2023-02-15T05:35:40Z | open | 2023-02-14T20:24:14.297Z | 2023-02-14T20:24:14.297Z | 1 | false |
| 161.97.110.203 | 161.97.110.203 | C2C | 1 | Malware family Katana | 2023-02-15T02:18:17Z | false | 853e3020-aca5-11ed-9fd0-e5fb50c818f6 | 2144: 1 | 2023-02-15T02:18:17Z | open | 2023-02-14T20:24:02.338Z | 2023-02-14T20:24:02.338Z | 1 | false |
| www.puertoballesta.com | www.puertoballesta.com | Phishing | 1 | Phishing domain | 2023-02-14T17:08:11.751Z | false | 91aaaf20-ac8a-11ed-9fd0-e5fb50c818f6 | 989: 1 | 2023-02-14T17:08:11.751Z | open | 2023-02-14T17:24:41.268Z | 2023-02-14T17:11:06.770Z | 1 | false |
| msk.turbolider.ru | msk.turbolider.ru | Phishing | 2 | Phishing domain | 2023-02-14T16:28:11.169Z | false | 99b7bf10-ac84-11ed-9fd0-e5fb50c818f6 | 147: 2 | 2023-02-14T16:28:11.169Z | open | 2023-02-14T16:28:23.297Z | 2023-02-14T16:28:23.297Z | 1 | false |
| rspg-spectrum.eu | rspg-spectrum.eu | Phishing | 7 | Phishing domain | 2023-01-13T18:15:24.305Z | true | 903c5580-abef-11ed-9fd0-e5fb50c818f6 | 4055: 2<br>2041: 5 | 2023-02-14T16:01:27.715Z | open | 2023-02-13T22:41:32.376Z | 2023-02-13T22:41:32.376Z | 3 | false |
| scalarchives.com | scalarchives.com | Phishing | 4 | Phishing domain | 2023-01-13T21:44:39.025Z | true | f2571f00-aa43-11ed-9fd0-e5fb50c818f6 | 4055: 4 | 2023-01-13T21:44:39.035Z | open | 2023-02-11T19:40:32.368Z | 2023-02-11T19:40:32.368Z | 2 | false |
| www.ascentive.com | www.ascentive.com | Malware | 9 | Malware family Trojan.Win32.Generic | 2023-02-09T16:04:59.540Z | false | e6a0cc30-a893-11ed-9fd0-e5fb50c818f6 | 989: 1<br>2144: 7<br>1885: 1 | 2023-02-14T23:34:09.414Z | open | 2023-02-09T16:07:50.131Z | 2023-02-09T16:07:50.131Z | 3 | false |
| ac20mail.in | ac20mail.in | Spam | 1 | Disposable email host | 2023-01-28T05:29:26.009Z | false | ce5753e0-9ecc-11ed-a0c7-dd6f8e69d343 | 4301: 1 | 2023-01-28T05:29:26.009Z | open | 2023-02-09T15:55:27.960Z | 2023-01-28T05:29:59.070Z | 1 | false |
| dimar.cl | dimar.cl | Malware | 2 | Malicious domain | 2023-02-07T08:10:51.125Z | false | cf26cf90-a7e5-11ed-9fd0-e5fb50c818f6 | 51: 2 | 2023-02-07T08:10:51.125Z | open | 2023-02-08T19:21:38.313Z | 2023-02-08T19:21:38.313Z | 1 | false |

paginationInfo#

| Items | Next | Page |
| --- | --- | --- |
| 10 | 2 | 1 |

Command example#

!lumu-retrieve-open-incidents adversary-types=Spam labels=1791

Context Example#

{
"Lumu": {
"RetrieveOpenIncidents": [
{
"adversaries": [
"jits.ac.in"
],
"adversaryId": "jits.ac.in",
"adversaryTypes": [
"Malware"
],
"contacts": 5,
"description": "QakBot",
"firstContact": "2023-01-13T21:51:12.190Z",
"hasPlaybackContacts": false,
"id": "6eddaf40-938c-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1,
"548": 3
},
"lastContact": "2023-01-27T21:23:34.329Z",
"status": "open",
"statusTimestamp": "2023-02-08T00:29:50.824Z",
"timestamp": "2023-01-13T21:51:28.308Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"msgos.com"
],
"adversaryId": "msgos.com",
"adversaryTypes": [
"Spam"
],
"contacts": 3,
"description": "Disposable email host",
"firstContact": "2023-01-13T21:51:10.312Z",
"hasPlaybackContacts": false,
"id": "6edc4fb0-938c-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4055": 1,
"4301": 1
},
"lastContact": "2023-01-27T21:16:25.261Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:51:28.299Z",
"timestamp": "2023-01-13T21:51:28.299Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"netwonder.net"
],
"adversaryId": "netwonder.net",
"adversaryTypes": [
"Malware"
],
"contacts": 9,
"description": "Malware family Nivdort",
"firstContact": "2023-01-13T21:50:53.247Z",
"hasPlaybackContacts": false,
"id": "642934c0-938c-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 2,
"2144": 6,
"4301": 1
},
"lastContact": "2023-01-27T21:21:19.861Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:51:10.348Z",
"timestamp": "2023-01-13T21:51:10.348Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"subwaybookreview.com"
],
"adversaryId": "subwaybookreview.com",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malware family Exploit.Msoffice.Generic",
"firstContact": "2023-01-13T21:50:38.599Z",
"hasPlaybackContacts": false,
"id": "59641870-938c-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1
},
"lastContact": "2023-01-27T21:33:59.964Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:50:52.279Z",
"timestamp": "2023-01-13T21:50:52.279Z",
"totalEndpoints": 2,
"unread": true
},
{
"adversaries": [
"michaeleaston.com"
],
"adversaryId": "michaeleaston.com",
"adversaryTypes": [
"Malware"
],
"contacts": 3,
"description": "Malware family Trojan.Agent.Bg.Script",
"firstContact": "2023-01-13T21:49:50.220Z",
"hasPlaybackContacts": false,
"id": "405525e0-938c-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1,
"989": 1
},
"lastContact": "2023-01-27T21:16:25.995Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:50:10.238Z",
"timestamp": "2023-01-13T21:50:10.238Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"cane.pw"
],
"adversaryId": "cane.pw",
"adversaryTypes": [
"Spam"
],
"contacts": 2,
"description": "Disposable email host",
"firstContact": "2023-01-13T21:49:28.515Z",
"hasPlaybackContacts": false,
"id": "304360e0-938c-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1
},
"lastContact": "2023-01-27T21:16:25.956Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:49:43.278Z",
"timestamp": "2023-01-13T21:49:43.278Z",
"totalEndpoints": 2,
"unread": true
},
{
"adversaries": [
"cek.pm"
],
"adversaryId": "cek.pm",
"adversaryTypes": [
"Spam"
],
"contacts": 2,
"description": "Disposable email host",
"firstContact": "2023-01-13T21:47:46.473Z",
"hasPlaybackContacts": false,
"id": "f1a7da00-938b-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1
},
"lastContact": "2023-01-27T21:16:25.744Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:47:58.240Z",
"timestamp": "2023-01-13T21:47:58.240Z",
"totalEndpoints": 2,
"unread": true
},
{
"adversaries": [
"anothercity.ru"
],
"adversaryId": "anothercity.ru",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malware family Backdoor.Peg.Php.Generic",
"firstContact": "2023-01-13T21:46:26.925Z",
"hasPlaybackContacts": false,
"id": "c329ff00-938b-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1
},
"lastContact": "2023-01-27T21:16:25.912Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:46:40.240Z",
"timestamp": "2023-01-13T21:46:40.240Z",
"totalEndpoints": 2,
"unread": false
},
{
"adversaries": [
"tormail.org"
],
"adversaryId": "tormail.org",
"adversaryTypes": [
"Spam"
],
"contacts": 4,
"description": "Disposable email host",
"firstContact": "2023-01-13T21:46:15.650Z",
"hasPlaybackContacts": false,
"id": "bc0a4400-938b-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"2144": 2,
"4301": 1
},
"lastContact": "2023-01-27T21:03:07.761Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:46:28.288Z",
"timestamp": "2023-01-13T21:46:28.288Z",
"totalEndpoints": 3,
"unread": true
},
{
"adversaries": [
"businessbackend.com"
],
"adversaryId": "businessbackend.com",
"adversaryTypes": [
"Spam"
],
"contacts": 2,
"description": "Disposable email host",
"firstContact": "2023-01-13T21:46:06.886Z",
"hasPlaybackContacts": false,
"id": "ba390670-938b-11ed-b0f8-a7e340234a4e",
"labelDistribution": {
"1791": 1,
"4301": 1
},
"lastContact": "2023-01-27T21:03:35.699Z",
"status": "open",
"statusTimestamp": "2023-01-13T21:46:25.239Z",
"timestamp": "2023-01-13T21:46:25.239Z",
"totalEndpoints": 2,
"unread": true
}
]
}
}

Human Readable Output#

Incidents#

| Adversaries | Adversary Id | Adversary Types | Contacts | Description | First Contact | Has Playback Contacts | Id | Label Distribution | Last Contact | Status | Status Timestamp | Timestamp | Total Endpoints | Unread |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| jits.ac.in | jits.ac.in | Malware | 5 | QakBot | 2023-01-13T21:51:12.190Z | false | 6eddaf40-938c-11ed-b0f8-a7e340234a4e | 1791: 1<br>548: 3<br>4301: 1 | 2023-01-27T21:23:34.329Z | open | 2023-02-08T00:29:50.824Z | 2023-01-13T21:51:28.308Z | 3 | false |
| msgos.com | msgos.com | Spam | 3 | Disposable email host | 2023-01-13T21:51:10.312Z | false | 6edc4fb0-938c-11ed-b0f8-a7e340234a4e | 1791: 1<br>4055: 1<br>4301: 1 | 2023-01-27T21:16:25.261Z | open | 2023-01-13T21:51:28.299Z | 2023-01-13T21:51:28.299Z | 3 | false |
| netwonder.net | netwonder.net | Malware | 9 | Malware family Nivdort | 2023-01-13T21:50:53.247Z | false | 642934c0-938c-11ed-b0f8-a7e340234a4e | 1791: 2<br>2144: 6<br>4301: 1 | 2023-01-27T21:21:19.861Z | open | 2023-01-13T21:51:10.348Z | 2023-01-13T21:51:10.348Z | 3 | false |
| subwaybookreview.com | subwaybookreview.com | Malware | 2 | Malware family Exploit.Msoffice.Generic | 2023-01-13T21:50:38.599Z | false | 59641870-938c-11ed-b0f8-a7e340234a4e | 1791: 1<br>4301: 1 | 2023-01-27T21:33:59.964Z | open | 2023-01-13T21:50:52.279Z | 2023-01-13T21:50:52.279Z | 2 | true |
| michaeleaston.com | michaeleaston.com | Malware | 3 | Malware family Trojan.Agent.Bg.Script | 2023-01-13T21:49:50.220Z | false | 405525e0-938c-11ed-b0f8-a7e340234a4e | 1791: 1<br>989: 1<br>4301: 1 | 2023-01-27T21:16:25.995Z | open | 2023-01-13T21:50:10.238Z | 2023-01-13T21:50:10.238Z | 3 | false |
| cane.pw | cane.pw | Spam | 2 | Disposable email host | 2023-01-13T21:49:28.515Z | false | 304360e0-938c-11ed-b0f8-a7e340234a4e | 1791: 1<br>4301: 1 | 2023-01-27T21:16:25.956Z | open | 2023-01-13T21:49:43.278Z | 2023-01-13T21:49:43.278Z | 2 | true |
| cek.pm | cek.pm | Spam | 2 | Disposable email host | 2023-01-13T21:47:46.473Z | false | f1a7da00-938b-11ed-b0f8-a7e340234a4e | 1791: 1<br>4301: 1 | 2023-01-27T21:16:25.744Z | open | 2023-01-13T21:47:58.240Z | 2023-01-13T21:47:58.240Z | 2 | true |
| anothercity.ru | anothercity.ru | Malware | 2 | Malware family Backdoor.Peg.Php.Generic | 2023-01-13T21:46:26.925Z | false | c329ff00-938b-11ed-b0f8-a7e340234a4e | 1791: 1<br>4301: 1 | 2023-01-27T21:16:25.912Z | open | 2023-01-13T21:46:40.240Z | 2023-01-13T21:46:40.240Z | 2 | false |
| tormail.org | tormail.org | Spam | 4 | Disposable email host | 2023-01-13T21:46:15.650Z | false | bc0a4400-938b-11ed-b0f8-a7e340234a4e | 1791: 1<br>2144: 2<br>4301: 1 | 2023-01-27T21:03:07.761Z | open | 2023-01-13T21:46:28.288Z | 2023-01-13T21:46:28.288Z | 3 | true |
| businessbackend.com | businessbackend.com | Spam | 2 | Disposable email host | 2023-01-13T21:46:06.886Z | false | ba390670-938b-11ed-b0f8-a7e340234a4e | 1791: 1<br>4301: 1 | 2023-01-27T21:03:35.699Z | open | 2023-01-13T21:46:25.239Z | 2023-01-13T21:46:25.239Z | 2 | true |

paginationInfo#

| Items | Next | Page |
| --- | --- | --- |
| 10 | 2 | 1 |
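The commands above select incidents server-side by `adversary_types` and `labels`; the following added example (not code from the Lumu integration) applies the same selection client-side to the incident items returned in the `Lumu.RetrieveOpenIncidents` context, checks that each item's `labelDistribution` adds up to its `contacts`, and orders a triage queue. The sample items are constructed from this page's context examples, and the adversary-type priority used for ordering is this example's own assumption.

```python
"""Client-side triage of Lumu incident items (the records returned under
Lumu.RetrieveOpenIncidents / RetrieveMutedIncidents / RetrieveClosedIncidents).
Added example; not part of the Lumu integration or the Lumu API."""
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Allowed values of the adversary_types argument, as documented on this page.
ADVERSARY_TYPES = frozenset({"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"})

# Ordering used for the triage queue: an assumption of this example, not a Lumu ranking.
TYPE_PRIORITY = {"C2C": 0, "Malware": 1, "Phishing": 2, "Mining": 3, "DGA": 4, "Spam": 5}

# Constructed sample: three items abbreviated from the page's context examples.
SAMPLE_ITEMS: List[dict] = [
    {"id": "7c40be00-a7cf-11ed-9fd0-e5fb50c818f6", "adversaryId": "activity.lumu.io",
     "adversaryTypes": ["Spam"], "contacts": 8,
     "labelDistribution": {"0": 2, "147": 1, "1885": 2, "2254": 1, "989": 2},
     "lastContact": "2023-02-15T16:59:47.142Z", "status": "open"},
    {"id": "8c5efc90-aca5-11ed-9fd0-e5fb50c818f6", "adversaryId": "104.156.63.145",
     "adversaryTypes": ["C2C"], "contacts": 10,
     "labelDistribution": {"2144": 10},
     "lastContact": "2023-02-15T05:35:40Z", "status": "open"},
    {"id": "6eddaf40-938c-11ed-b0f8-a7e340234a4e", "adversaryId": "jits.ac.in",
     "adversaryTypes": ["Malware"], "contacts": 5,
     "labelDistribution": {"1791": 1, "4301": 1, "548": 3},
     "lastContact": "2023-01-27T21:23:34.329Z", "status": "open"},
]


def parse_lumu_time(value: str) -> datetime:
    """Lumu timestamps are ISO 8601 UTC, with or without fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def filter_incidents(items: Iterable[dict],
                     adversary_types: Optional[Iterable[str]] = None,
                     labels: Optional[Iterable] = None) -> List[dict]:
    """Apply the selection the adversary_types and labels arguments express:
    keep an item when any of its adversaryTypes was requested and any requested
    label id (int or str) is a key of its labelDistribution."""
    wanted_types = set(adversary_types) if adversary_types else None
    if wanted_types:
        unknown = wanted_types - ADVERSARY_TYPES
        if unknown:  # values are case-sensitive; reject typos instead of matching nothing
            raise ValueError(f"unknown adversary type(s): {sorted(unknown)}")
    wanted_labels = {str(label) for label in labels} if labels else None
    selected = []
    for item in items:
        if wanted_types and not wanted_types & set(item.get("adversaryTypes") or []):
            continue
        if wanted_labels and not wanted_labels & set(item.get("labelDistribution") or {}):
            continue
        selected.append(item)
    return selected


def label_totals_consistent(item: dict) -> bool:
    """The per-label counts in labelDistribution should add up to contacts;
    a mismatch flags a partial record or one altered in transit."""
    return sum((item.get("labelDistribution") or {}).values()) == item.get("contacts")


def triage_order(items: Iterable[dict]) -> List[dict]:
    """Most urgent first: highest-priority adversary type, then most recent contact."""
    def key(item: dict):
        types = item.get("adversaryTypes") or []
        best = min((TYPE_PRIORITY.get(t, len(TYPE_PRIORITY)) for t in types),
                   default=len(TYPE_PRIORITY))
        return (best, -parse_lumu_time(item["lastContact"]).timestamp())
    return sorted(items, key=key)


if __name__ == "__main__":
    for item in triage_order(filter_incidents(SAMPLE_ITEMS, adversary_types=["C2C", "Malware"])):
        print(item["adversaryId"], item["adversaryTypes"], label_totals_consistent(item))
```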

lumu-retrieve-muted-incidents#


Get a paginated list of muted incidents for the company. The items are listed by the most recent.

Base Command#

lumu-retrieve-muted-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | page requested. | Optional |
| limit | items limit requested. Default is 10. | Optional |
| adversary_types | choose types: C2C,Malware,DGA,Mining,Spam,Phishing. Possible values are: C2C, Malware, DGA, Mining, Spam, Phishing. | Optional |
| labels | Lumu labels requested. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.RetrieveMutedIncidents.items.id | String | Lumu incident id |
| Lumu.RetrieveMutedIncidents.items.timestamp | Date | Lumu timestamp |
| Lumu.RetrieveMutedIncidents.items.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.RetrieveMutedIncidents.items.status | String | Lumu status |
| Lumu.RetrieveMutedIncidents.items.contacts | Number | Lumu contacts |
| Lumu.RetrieveMutedIncidents.items.adversaries | String | Lumu adversaries |
| Lumu.RetrieveMutedIncidents.items.adversaryId | String | Lumu adversaryId |
| Lumu.RetrieveMutedIncidents.items.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.RetrieveMutedIncidents.items.description | String | Lumu description |
| Lumu.RetrieveMutedIncidents.items.labelDistribution | Number | Lumu labelDistribution |
| Lumu.RetrieveMutedIncidents.items.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.RetrieveMutedIncidents.items.lastContact | Date | Lumu lastContact |
| Lumu.RetrieveMutedIncidents.items.unread | Boolean | Lumu unread |
| Lumu.RetrieveMutedIncidents.paginationInfo.page | Number | current page |
| Lumu.RetrieveMutedIncidents.paginationInfo.items | Number | current items |

Command example#

!lumu-retrieve-muted-incidents

Context Example#

{
"Lumu": {
"RetrieveMutedIncidents": [
{
"adversaries": [
"12finance.com"
],
"adversaryId": "12finance.com",
"adversaryTypes": [
"Mining"
],
"contacts": 11,
"description": "CryptoMining domain",
"firstContact": "2022-12-23T14:46:54Z",
"hasPlaybackContacts": false,
"id": "721ed640-82d2-11ed-a600-d53ba4d2bb70",
"labelDistribution": {
"2148": 1,
"2254": 10
},
"lastContact": "2022-12-23T22:30:10.448Z",
"status": "muted",
"statusTimestamp": "2022-12-27T02:39:14.360Z",
"timestamp": "2022-12-23T14:59:48.772Z",
"totalEndpoints": 4,
"unread": false
},
{
"adversaries": [
"www.digeus.com"
],
"adversaryId": "www.digeus.com",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malware family Application.Deceptor.ANL",
"firstContact": "2022-12-12T23:20:56.706Z",
"hasPlaybackContacts": false,
"id": "ab056a80-7a73-11ed-a600-d53ba4d2bb70",
"labelDistribution": {
"147": 1,
"218": 1
},
"lastContact": "2022-12-22T20:37:02.228Z",
"status": "muted",
"statusTimestamp": "2022-12-15T20:59:51.796Z",
"timestamp": "2022-12-12T23:21:12.744Z",
"totalEndpoints": 2,
"unread": false
},
{
"adversaries": [
"jameshallybone.co.uk"
],
"adversaryId": "jameshallybone.co.uk",
"adversaryTypes": [
"Malware"
],
"contacts": 8,
"description": "Malicious domain",
"firstContact": "2022-11-21T21:46:01.425Z",
"hasPlaybackContacts": false,
"id": "f06a50c0-69e5-11ed-89c2-6136df938368",
"labelDistribution": {
"1651": 1,
"3811": 1,
"989": 6
},
"lastContact": "2022-12-05T16:03:05.322Z",
"status": "muted",
"statusTimestamp": "2022-12-13T20:48:09.825Z",
"timestamp": "2022-11-21T21:46:22.028Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"3.223.53.1"
],
"adversaryId": "3.223.53.1",
"adversaryTypes": [
"Spam"
],
"contacts": 1,
"description": "Activity Test Query",
"firstContact": "2022-12-12T17:09:20.331Z",
"hasPlaybackContacts": false,
"id": "8b6f8c70-7a71-11ed-a600-d53ba4d2bb70",
"labelDistribution": {
"218": 1
},
"lastContact": "2022-12-12T17:09:20.331Z",
"status": "muted",
"statusTimestamp": "2022-12-12T23:21:43.833Z",
"timestamp": "2022-12-12T23:06:00.759Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"coovigomez.com"
],
"adversaryId": "coovigomez.com",
"adversaryTypes": [
"Mining"
],
"contacts": 1,
"description": "CryptoMining domain",
"firstContact": "2022-11-12T23:31:33Z",
"hasPlaybackContacts": false,
"id": "149207b0-6471-11ed-b373-192ba321fedf",
"labelDistribution": {
"2148": 1
},
"lastContact": "2022-11-12T23:31:33Z",
"status": "muted",
"statusTimestamp": "2022-11-17T18:56:09.751Z",
"timestamp": "2022-11-14T23:07:15.755Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"barbombon.com."
],
"adversaryId": "barbombon.com.",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malware family Trojan.Script.Generic",
"firstContact": "2022-10-28T19:39:13.452Z",
"hasPlaybackContacts": false,
"id": "47bbc6c0-56f8-11ed-987a-cd6f8ff058b8",
"labelDistribution": {
"1651": 2
},
"lastContact": "2022-10-28T19:44:10.172Z",
"status": "muted",
"statusTimestamp": "2022-10-31T21:51:02.594Z",
"timestamp": "2022-10-28T19:39:47.372Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"coasttickets.com"
],
"adversaryId": "coasttickets.com",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Trojan.Downloader.Psdownload.MSIL.Generic",
"firstContact": "2022-09-22T15:19:42.152Z",
"hasPlaybackContacts": true,
"id": "11c5a410-41fd-11ed-8751-63984e51f242",
"labelDistribution": {
"548": 1
},
"lastContact": "2022-09-22T15:19:42.152Z",
"status": "muted",
"statusTimestamp": "2022-10-28T17:06:32.994Z",
"timestamp": "2022-10-02T02:51:09.905Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"dark-utilities.pw"
],
"adversaryId": "dark-utilities.pw",
"adversaryTypes": [
"Mining"
],
"contacts": 2,
"description": "CryptoMining domain",
"firstContact": "2022-10-27T16:47:40Z",
"hasPlaybackContacts": false,
"id": "8da63fc0-5618-11ed-987a-cd6f8ff058b8",
"labelDistribution": {
"2148": 1,
"2267": 1
},
"lastContact": "2022-10-27T17:12:45.099Z",
"status": "muted",
"statusTimestamp": "2022-10-27T17:57:57.931Z",
"timestamp": "2022-10-27T16:58:17.404Z",
"totalEndpoints": 2,
"unread": false
},
{
"adversaries": [
"www.com-about.com"
],
"adversaryId": "www.com-about.com",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Downloader.Riskware.A.Atoz",
"firstContact": "2022-10-25T20:45:41.154Z",
"hasPlaybackContacts": false,
"id": "046a19c0-54a6-11ed-9df2-6538d9561738",
"labelDistribution": {
"3635": 1
},
"lastContact": "2022-10-25T20:45:41.154Z",
"status": "muted",
"statusTimestamp": "2022-10-25T21:17:21.376Z",
"timestamp": "2022-10-25T20:45:53.372Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"nexttime.ovh"
],
"adversaryId": "nexttime.ovh",
"adversaryTypes": [
"Malware",
"Mining"
],
"contacts": 5,
"description": "Malicious domain",
"firstContact": "2022-10-25T21:13:43.551Z",
"hasPlaybackContacts": false,
"id": "ef8ee900-54a9-11ed-9df2-6538d9561738",
"labelDistribution": {
"3635": 5
},
"lastContact": "2022-10-26T22:45:31.230Z",
"status": "muted",
"statusTimestamp": "2022-10-25T21:16:15.909Z",
"timestamp": "2022-10-25T21:13:56.368Z",
"totalEndpoints": 1,
"unread": false
}
]
}
}

Human Readable Output#

Incidents#

| Adversaries | Adversary Id | Adversary Types | Contacts | Description | First Contact | Has Playback Contacts | Id | Label Distribution | Last Contact | Status | Status Timestamp | Timestamp | Total Endpoints | Unread |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 12finance.com | 12finance.com | Mining | 11 | CryptoMining domain | 2022-12-23T14:46:54Z | false | 721ed640-82d2-11ed-a600-d53ba4d2bb70 | 2148: 1<br>2254: 10 | 2022-12-23T22:30:10.448Z | muted | 2022-12-27T02:39:14.360Z | 2022-12-23T14:59:48.772Z | 4 | false |
| www.digeus.com | www.digeus.com | Malware | 2 | Malware family Application.Deceptor.ANL | 2022-12-12T23:20:56.706Z | false | ab056a80-7a73-11ed-a600-d53ba4d2bb70 | 147: 1<br>218: 1 | 2022-12-22T20:37:02.228Z | muted | 2022-12-15T20:59:51.796Z | 2022-12-12T23:21:12.744Z | 2 | false |
| jameshallybone.co.uk | jameshallybone.co.uk | Malware | 8 | Malicious domain | 2022-11-21T21:46:01.425Z | false | f06a50c0-69e5-11ed-89c2-6136df938368 | 989: 6<br>1651: 1<br>3811: 1 | 2022-12-05T16:03:05.322Z | muted | 2022-12-13T20:48:09.825Z | 2022-11-21T21:46:22.028Z | 3 | false |
| 3.223.53.1 | 3.223.53.1 | Spam | 1 | Activity Test Query | 2022-12-12T17:09:20.331Z | false | 8b6f8c70-7a71-11ed-a600-d53ba4d2bb70 | 218: 1 | 2022-12-12T17:09:20.331Z | muted | 2022-12-12T23:21:43.833Z | 2022-12-12T23:06:00.759Z | 1 | false |
| coovigomez.com | coovigomez.com | Mining | 1 | CryptoMining domain | 2022-11-12T23:31:33Z | false | 149207b0-6471-11ed-b373-192ba321fedf | 2148: 1 | 2022-11-12T23:31:33Z | muted | 2022-11-17T18:56:09.751Z | 2022-11-14T23:07:15.755Z | 1 | false |
| barbombon.com. | barbombon.com. | Malware | 2 | Malware family Trojan.Script.Generic | 2022-10-28T19:39:13.452Z | false | 47bbc6c0-56f8-11ed-987a-cd6f8ff058b8 | 1651: 2 | 2022-10-28T19:44:10.172Z | muted | 2022-10-31T21:51:02.594Z | 2022-10-28T19:39:47.372Z | 1 | false |
| coasttickets.com | coasttickets.com | Malware | 1 | Malware family Trojan.Downloader.Psdownload.MSIL.Generic | 2022-09-22T15:19:42.152Z | true | 11c5a410-41fd-11ed-8751-63984e51f242 | 548: 1 | 2022-09-22T15:19:42.152Z | muted | 2022-10-28T17:06:32.994Z | 2022-10-02T02:51:09.905Z | 1 | false |
| dark-utilities.pw | dark-utilities.pw | Mining | 2 | CryptoMining domain | 2022-10-27T16:47:40Z | false | 8da63fc0-5618-11ed-987a-cd6f8ff058b8 | 2148: 1<br>2267: 1 | 2022-10-27T17:12:45.099Z | muted | 2022-10-27T17:57:57.931Z | 2022-10-27T16:58:17.404Z | 2 | false |
| www.com-about.com | www.com-about.com | Malware | 1 | Malware family Downloader.Riskware.A.Atoz | 2022-10-25T20:45:41.154Z | false | 046a19c0-54a6-11ed-9df2-6538d9561738 | 3635: 1 | 2022-10-25T20:45:41.154Z | muted | 2022-10-25T21:17:21.376Z | 2022-10-25T20:45:53.372Z | 1 | false |
| nexttime.ovh | nexttime.ovh | Malware,<br>Mining | 5 | Malicious domain | 2022-10-25T21:13:43.551Z | false | ef8ee900-54a9-11ed-9df2-6538d9561738 | 3635: 5 | 2022-10-26T22:45:31.230Z | muted | 2022-10-25T21:16:15.909Z | 2022-10-25T21:13:56.368Z | 1 | false |

paginationInfo#

| Items | Next | Page |
| --- | --- | --- |
| 10 | 2 | 1 |

Command example#

!lumu-retrieve-muted-incidents labels=1651 adversary-types=Malware

Context Example#

{
"Lumu": {
"RetrieveMutedIncidents": [
{
"adversaries": [
"jameshallybone.co.uk"
],
"adversaryId": "jameshallybone.co.uk",
"adversaryTypes": [
"Malware"
],
"contacts": 8,
"description": "Malicious domain",
"firstContact": "2022-11-21T21:46:01.425Z",
"hasPlaybackContacts": false,
"id": "f06a50c0-69e5-11ed-89c2-6136df938368",
"labelDistribution": {
"1651": 1,
"3811": 1,
"989": 6
},
"lastContact": "2022-12-05T16:03:05.322Z",
"status": "muted",
"statusTimestamp": "2022-12-13T20:48:09.825Z",
"timestamp": "2022-11-21T21:46:22.028Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"barbombon.com."
],
"adversaryId": "barbombon.com.",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malware family Trojan.Script.Generic",
"firstContact": "2022-10-28T19:39:13.452Z",
"hasPlaybackContacts": false,
"id": "47bbc6c0-56f8-11ed-987a-cd6f8ff058b8",
"labelDistribution": {
"1651": 2
},
"lastContact": "2022-10-28T19:44:10.172Z",
"status": "muted",
"statusTimestamp": "2022-10-31T21:51:02.594Z",
"timestamp": "2022-10-28T19:39:47.372Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"secure.runescape.com-oc.ru"
],
"adversaryId": "secure.runescape.com-oc.ru",
"adversaryTypes": [
"Malware"
],
"contacts": 47,
"description": "Malicious domain",
"firstContact": "2022-07-07T06:47:29.452Z",
"hasPlaybackContacts": false,
"id": "dc758440-fdc0-11ec-80a5-f16f41289f2f",
"labelDistribution": {
"1651": 4,
"989": 43
},
"lastContact": "2022-12-05T16:03:05.328Z",
"status": "muted",
"statusTimestamp": "2022-07-07T20:15:16.997Z",
"timestamp": "2022-07-07T06:48:51.588Z",
"totalEndpoints": 2,
"unread": false
},
{
"adversaries": [
"asapcallcenter.net"
],
"adversaryId": "asapcallcenter.net",
"adversaryTypes": [
"C2C"
],
"contacts": 5,
"description": "Malware family KINS",
"hasPlaybackContacts": false,
"id": "2720e2a0-a0c9-11ec-af58-8da2705ed08a",
"labelDistribution": {
"1651": 3,
"548": 1,
"864": 1
},
"lastContact": "2022-07-09T15:53:55.423Z",
"status": "muted",
"statusTimestamp": "2022-03-10T23:59:14.933Z",
"timestamp": "2022-03-10T23:23:54.698Z",
"totalEndpoints": 3,
"unread": false
}
]
}
}

Human Readable Output#

Incidents#

| Adversaries | Adversary Id | Adversary Types | Contacts | Description | First Contact | Has Playback Contacts | Id | Label Distribution | Last Contact | Status | Status Timestamp | Timestamp | Total Endpoints | Unread |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| jameshallybone.co.uk | jameshallybone.co.uk | Malware | 8 | Malicious domain | 2022-11-21T21:46:01.425Z | false | f06a50c0-69e5-11ed-89c2-6136df938368 | 989: 6<br>1651: 1<br>3811: 1 | 2022-12-05T16:03:05.322Z | muted | 2022-12-13T20:48:09.825Z | 2022-11-21T21:46:22.028Z | 3 | false |
| barbombon.com. | barbombon.com. | Malware | 2 | Malware family Trojan.Script.Generic | 2022-10-28T19:39:13.452Z | false | 47bbc6c0-56f8-11ed-987a-cd6f8ff058b8 | 1651: 2 | 2022-10-28T19:44:10.172Z | muted | 2022-10-31T21:51:02.594Z | 2022-10-28T19:39:47.372Z | 1 | false |
| secure.runescape.com-oc.ru | secure.runescape.com-oc.ru | Malware | 47 | Malicious domain | 2022-07-07T06:47:29.452Z | false | dc758440-fdc0-11ec-80a5-f16f41289f2f | 1651: 4<br>989: 43 | 2022-12-05T16:03:05.328Z | muted | 2022-07-07T20:15:16.997Z | 2022-07-07T06:48:51.588Z | 2 | false |
| asapcallcenter.net | asapcallcenter.net | C2C | 5 | Malware family KINS | | false | 2720e2a0-a0c9-11ec-af58-8da2705ed08a | 864: 1<br>1651: 3<br>548: 1 | 2022-07-09T15:53:55.423Z | muted | 2022-03-10T23:59:14.933Z | 2022-03-10T23:23:54.698Z | 3 | false |

paginationInfo#

| Items | Page |
| --- | --- |
| 10 | 1 |

lumu-retrieve-closed-incidents#


Get a paginated list of closed incidents for the company. The items are listed by the most recent.

Base Command#

lumu-retrieve-closed-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | page requested. | Optional |
| limit | items limit requested. Default is 10. | Optional |
| adversary_types | choose types: C2C,Malware,DGA,Mining,Spam,Phishing. Possible values are: C2C, Malware, DGA, Mining, Spam, Phishing. | Optional |
| labels | Lumu labels requested. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.RetrieveClosedIncidents.items.id | String | Lumu incident id |
| Lumu.RetrieveClosedIncidents.items.timestamp | Date | Lumu timestamp |
| Lumu.RetrieveClosedIncidents.items.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.RetrieveClosedIncidents.items.status | String | Lumu status |
| Lumu.RetrieveClosedIncidents.items.contacts | Number | Lumu contacts |
| Lumu.RetrieveClosedIncidents.items.adversaries | String | Lumu adversaries |
| Lumu.RetrieveClosedIncidents.items.adversaryId | String | Lumu adversaryId |
| Lumu.RetrieveClosedIncidents.items.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.RetrieveClosedIncidents.items.description | String | Lumu description |
| Lumu.RetrieveClosedIncidents.items.labelDistribution | Number | Lumu labelDistribution |
| Lumu.RetrieveClosedIncidents.items.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.RetrieveClosedIncidents.items.lastContact | Date | Lumu lastContact |
| Lumu.RetrieveClosedIncidents.items.unread | Boolean | Lumu unread |
| Lumu.RetrieveClosedIncidents.paginationInfo.page | Number | current page |
| Lumu.RetrieveClosedIncidents.paginationInfo.items | Number | current items |
| Lumu.RetrieveClosedIncidents.paginationInfo.next | Number | next page |

Command example#

!lumu-retrieve-closed-incidents

Context Example#

{
"Lumu": {
"RetrieveClosedIncidents": [
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-15T13:28:25.537Z",
"hasPlaybackContacts": false,
"id": "ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-15T13:28:25.537Z",
"status": "closed",
"statusTimestamp": "2023-02-15T21:53:41.468Z",
"timestamp": "2023-02-15T13:28:47.356Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"italive.it"
],
"adversaryId": "italive.it",
"adversaryTypes": [
"Phishing"
],
"contacts": 1,
"description": "Phishing domain",
"firstContact": "2023-01-28T03:37:56.088Z",
"hasPlaybackContacts": false,
"id": "3e5f6480-9ebd-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"4301": 1
},
"lastContact": "2023-01-28T03:37:56.088Z",
"status": "closed",
"statusTimestamp": "2023-02-15T13:28:32.355Z",
"timestamp": "2023-01-28T03:38:35.080Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T23:58:44.455Z",
"hasPlaybackContacts": false,
"id": "e65b3f60-a99e-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T23:58:44.455Z",
"status": "closed",
"statusTimestamp": "2023-02-15T13:28:07.991Z",
"timestamp": "2023-02-10T23:59:05.302Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"portaconexao8.top"
],
"adversaryId": "portaconexao8.top",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Malware hash: 55e57c52cd5e1dcfad4e9bcf0eb2f3a5",
"firstContact": "2023-02-11T18:40:09.087Z",
"hasPlaybackContacts": false,
"id": "89658e80-aa3b-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"147": 2
},
"lastContact": "2023-02-11T18:40:09.087Z",
"status": "closed",
"statusTimestamp": "2023-02-15T13:26:02.357Z",
"timestamp": "2023-02-11T18:40:20.328Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"bitmovil.mx"
],
"adversaryId": "bitmovil.mx",
"adversaryTypes": [
"Malware"
],
"contacts": 2,
"description": "Heodo",
"firstContact": "2023-02-14T17:05:37.987Z",
"hasPlaybackContacts": false,
"id": "0d207a50-ac8a-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"989": 2
},
"lastContact": "2023-02-14T17:05:37.987Z",
"status": "closed",
"statusTimestamp": "2023-02-14T18:44:09.946Z",
"timestamp": "2023-02-14T17:07:24.405Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"rea.co.ke"
],
"adversaryId": "rea.co.ke",
"adversaryTypes": [
"C2C",
"Malware"
],
"contacts": 1,
"description": "Malware family P2PZeuS",
"firstContact": "2023-02-14T17:27:26.791Z",
"hasPlaybackContacts": false,
"id": "e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"989": 1
},
"lastContact": "2023-02-14T17:27:26.791Z",
"status": "closed",
"statusTimestamp": "2023-02-14T18:33:38.315Z",
"timestamp": "2023-02-14T17:27:38.362Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"rea.co.ke"
],
"adversaryId": "rea.co.ke",
"adversaryTypes": [
"C2C",
"Malware"
],
"contacts": 21,
"description": "Malware family P2PZeuS",
"firstContact": "2022-12-12T16:36:02.228Z",
"hasPlaybackContacts": false,
"id": "726849c0-7a6b-11ed-a600-d53ba4d2bb70",
"labelDistribution": {
"1885": 1,
"2254": 19,
"2267": 1
},
"lastContact": "2023-01-03T23:31:50.938Z",
"status": "closed",
"statusTimestamp": "2023-02-14T17:26:47.897Z",
"timestamp": "2022-12-12T22:22:21.788Z",
"totalEndpoints": 5,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T22:39:28.912Z",
"hasPlaybackContacts": false,
"id": "d42c40b0-a993-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T22:39:28.912Z",
"status": "closed",
"statusTimestamp": "2023-02-10T22:41:07.512Z",
"timestamp": "2023-02-10T22:39:50.331Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T21:56:41.360Z",
"hasPlaybackContacts": false,
"id": "d98a0f20-a98d-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T21:56:41.360Z",
"status": "closed",
"statusTimestamp": "2023-02-10T22:37:37.379Z",
"timestamp": "2023-02-10T21:57:02.354Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T21:41:27.961Z",
"hasPlaybackContacts": false,
"id": "b9e93490-a98b-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T21:41:27.961Z",
"status": "closed",
"statusTimestamp": "2023-02-10T21:56:37.507Z",
"timestamp": "2023-02-10T21:41:50.297Z",
"totalEndpoints": 1,
"unread": false
}
]
}
}

Human Readable Output#

Incidents#

| Adversaries | Adversary Id | Adversary Types | Contacts | Description | First Contact | Has Playback Contacts | Id | Label Distribution | Last Contact | Status | Status Timestamp | Timestamp | Total Endpoints | Unread |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-15T13:28:25.537Z | false | ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-15T13:28:25.537Z | closed | 2023-02-15T21:53:41.468Z | 2023-02-15T13:28:47.356Z | 1 | false |
| italive.it | italive.it | Phishing | 1 | Phishing domain | 2023-01-28T03:37:56.088Z | false | 3e5f6480-9ebd-11ed-a0c7-dd6f8e69d343 | 4301: 1 | 2023-01-28T03:37:56.088Z | closed | 2023-02-15T13:28:32.355Z | 2023-01-28T03:38:35.080Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T23:58:44.455Z | false | e65b3f60-a99e-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T23:58:44.455Z | closed | 2023-02-15T13:28:07.991Z | 2023-02-10T23:59:05.302Z | 1 | false |
| portaconexao8.top | portaconexao8.top | Malware | 2 | Malware hash: 55e57c52cd5e1dcfad4e9bcf0eb2f3a5 | 2023-02-11T18:40:09.087Z | false | 89658e80-aa3b-11ed-9fd0-e5fb50c818f6 | 147: 2 | 2023-02-11T18:40:09.087Z | closed | 2023-02-15T13:26:02.357Z | 2023-02-11T18:40:20.328Z | 1 | false |
| bitmovil.mx | bitmovil.mx | Malware | 2 | Heodo | 2023-02-14T17:05:37.987Z | false | 0d207a50-ac8a-11ed-9fd0-e5fb50c818f6 | 989: 2 | 2023-02-14T17:05:37.987Z | closed | 2023-02-14T18:44:09.946Z | 2023-02-14T17:07:24.405Z | 1 | false |
| rea.co.ke | rea.co.ke | C2C, Malware | 1 | Malware family P2PZeuS | 2023-02-14T17:27:26.791Z | false | e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6 | 989: 1 | 2023-02-14T17:27:26.791Z | closed | 2023-02-14T18:33:38.315Z | 2023-02-14T17:27:38.362Z | 1 | false |
| rea.co.ke | rea.co.ke | C2C, Malware | 21 | Malware family P2PZeuS | 2022-12-12T16:36:02.228Z | false | 726849c0-7a6b-11ed-a600-d53ba4d2bb70 | 2267: 1, 1885: 1, 2254: 19 | 2023-01-03T23:31:50.938Z | closed | 2023-02-14T17:26:47.897Z | 2022-12-12T22:22:21.788Z | 5 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T22:39:28.912Z | false | d42c40b0-a993-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T22:39:28.912Z | closed | 2023-02-10T22:41:07.512Z | 2023-02-10T22:39:50.331Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T21:56:41.360Z | false | d98a0f20-a98d-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T21:56:41.360Z | closed | 2023-02-10T22:37:37.379Z | 2023-02-10T21:57:02.354Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T21:41:27.961Z | false | b9e93490-a98b-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T21:41:27.961Z | closed | 2023-02-10T21:56:37.507Z | 2023-02-10T21:41:50.297Z | 1 | false |

paginationInfo#

| Items | Next | Page |
|---|---|---|
| 10 | 2 | 1 |

Command example#

!lumu-retrieve-closed-incidents labels=0 adversary-types=Mining,Spam

Context Example#

{
"Lumu": {
"RetrieveClosedIncidents": [
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-15T13:28:25.537Z",
"hasPlaybackContacts": false,
"id": "ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-15T13:28:25.537Z",
"status": "closed",
"statusTimestamp": "2023-02-15T21:53:41.468Z",
"timestamp": "2023-02-15T13:28:47.356Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T23:58:44.455Z",
"hasPlaybackContacts": false,
"id": "e65b3f60-a99e-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T23:58:44.455Z",
"status": "closed",
"statusTimestamp": "2023-02-15T13:28:07.991Z",
"timestamp": "2023-02-10T23:59:05.302Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T22:39:28.912Z",
"hasPlaybackContacts": false,
"id": "d42c40b0-a993-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T22:39:28.912Z",
"status": "closed",
"statusTimestamp": "2023-02-10T22:41:07.512Z",
"timestamp": "2023-02-10T22:39:50.331Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T21:56:41.360Z",
"hasPlaybackContacts": false,
"id": "d98a0f20-a98d-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T21:56:41.360Z",
"status": "closed",
"statusTimestamp": "2023-02-10T22:37:37.379Z",
"timestamp": "2023-02-10T21:57:02.354Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 1,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-10T21:41:27.961Z",
"hasPlaybackContacts": false,
"id": "b9e93490-a98b-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 1
},
"lastContact": "2023-02-10T21:41:27.961Z",
"status": "closed",
"statusTimestamp": "2023-02-10T21:56:37.507Z",
"timestamp": "2023-02-10T21:41:50.297Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"www.chg.com.br"
],
"adversaryId": "www.chg.com.br",
"adversaryTypes": [
"Malware"
],
"contacts": 10,
"description": "Malware family Win32.Remoteadmin.C.Winvnc.Based",
"firstContact": "2023-02-03T19:01:00Z",
"hasPlaybackContacts": false,
"id": "d0ce2800-a3f5-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 7,
"989": 3
},
"lastContact": "2023-02-10T21:40:12.762Z",
"status": "closed",
"statusTimestamp": "2023-02-10T21:41:34.408Z",
"timestamp": "2023-02-03T19:06:08.384Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 5,
"description": "Activity Test Query",
"firstContact": "2022-12-20T14:37:02.228Z",
"hasPlaybackContacts": false,
"id": "460dd2d0-a740-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 5
},
"lastContact": "2022-12-20T14:37:02.228Z",
"status": "closed",
"statusTimestamp": "2023-02-08T00:57:03.424Z",
"timestamp": "2023-02-07T23:36:41.341Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 2,
"description": "Activity Test Query",
"firstContact": "2022-12-20T14:37:02.228Z",
"hasPlaybackContacts": false,
"id": "9e9238e0-a73d-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 2
},
"lastContact": "2022-12-20T14:37:02.228Z",
"status": "closed",
"statusTimestamp": "2023-02-07T23:20:42.817Z",
"timestamp": "2023-02-07T23:17:41.358Z",
"totalEndpoints": 1,
"unread": false
},
{
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 12,
"description": "Activity Test Query",
"firstContact": "2023-02-07T15:51:15.463Z",
"hasPlaybackContacts": false,
"id": "826dd220-a6ff-11ed-9fd0-e5fb50c818f6",
"labelDistribution": {
"0": 11,
"989": 1
},
"lastContact": "2023-02-07T15:51:15.463Z",
"status": "closed",
"statusTimestamp": "2023-02-07T23:08:53.658Z",
"timestamp": "2023-02-07T15:53:05.346Z",
"totalEndpoints": 3,
"unread": false
},
{
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 3,
"description": "Activity Test Query",
"firstContact": "2022-12-20T14:37:02.228Z",
"hasPlaybackContacts": false,
"id": "eb611160-a638-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 3
},
"lastContact": "2022-12-20T14:37:02.228Z",
"status": "closed",
"statusTimestamp": "2023-02-06T16:19:52.211Z",
"timestamp": "2023-02-06T16:11:31.574Z",
"totalEndpoints": 1,
"unread": false
}
]
}
}

Human Readable Output#

Incidents#

| Adversaries | Adversary Id | Adversary Types | Contacts | Description | First Contact | Has Playback Contacts | Id | Label Distribution | Last Contact | Status | Status Timestamp | Timestamp | Total Endpoints | Unread |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-15T13:28:25.537Z | false | ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-15T13:28:25.537Z | closed | 2023-02-15T21:53:41.468Z | 2023-02-15T13:28:47.356Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T23:58:44.455Z | false | e65b3f60-a99e-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T23:58:44.455Z | closed | 2023-02-15T13:28:07.991Z | 2023-02-10T23:59:05.302Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T22:39:28.912Z | false | d42c40b0-a993-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T22:39:28.912Z | closed | 2023-02-10T22:41:07.512Z | 2023-02-10T22:39:50.331Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T21:56:41.360Z | false | d98a0f20-a98d-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T21:56:41.360Z | closed | 2023-02-10T22:37:37.379Z | 2023-02-10T21:57:02.354Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 1 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-10T21:41:27.961Z | false | b9e93490-a98b-11ed-9fd0-e5fb50c818f6 | 0: 1 | 2023-02-10T21:41:27.961Z | closed | 2023-02-10T21:56:37.507Z | 2023-02-10T21:41:50.297Z | 1 | false |
| www.chg.com.br | www.chg.com.br | Malware | 10 | Malware family Win32.Remoteadmin.C.Winvnc.Based | 2023-02-03T19:01:00Z | false | d0ce2800-a3f5-11ed-a0c7-dd6f8e69d343 | 989: 3, 0: 7 | 2023-02-10T21:40:12.762Z | closed | 2023-02-10T21:41:34.408Z | 2023-02-03T19:06:08.384Z | 1 | false |
| activity.lumu.io | activity.lumu.io | Spam | 5 | Activity Test Query | 2022-12-20T14:37:02.228Z | false | 460dd2d0-a740-11ed-9fd0-e5fb50c818f6 | 0: 5 | 2022-12-20T14:37:02.228Z | closed | 2023-02-08T00:57:03.424Z | 2023-02-07T23:36:41.341Z | 1 | false |
| activity.lumu.io | activity.lumu.io | Spam | 2 | Activity Test Query | 2022-12-20T14:37:02.228Z | false | 9e9238e0-a73d-11ed-9fd0-e5fb50c818f6 | 0: 2 | 2022-12-20T14:37:02.228Z | closed | 2023-02-07T23:20:42.817Z | 2023-02-07T23:17:41.358Z | 1 | false |
| activity.lumu.io | activity.lumu.io | Spam | 12 | Activity Test Query | 2023-02-07T15:51:15.463Z | false | 826dd220-a6ff-11ed-9fd0-e5fb50c818f6 | 989: 1, 0: 11 | 2023-02-07T15:51:15.463Z | closed | 2023-02-07T23:08:53.658Z | 2023-02-07T15:53:05.346Z | 3 | false |
| activity.lumu.io | activity.lumu.io | Spam | 3 | Activity Test Query | 2022-12-20T14:37:02.228Z | false | eb611160-a638-11ed-a0c7-dd6f8e69d343 | 0: 3 | 2022-12-20T14:37:02.228Z | closed | 2023-02-06T16:19:52.211Z | 2023-02-06T16:11:31.574Z | 1 | false |

paginationInfo#

| Items | Next | Page |
|---|---|---|
| 10 | 2 | 1 |

lumu-retrieve-endpoints-by-incident#


Get a paginated summary of the endpoints affected by a specified incident.

`{incident-uuid}`: UUID of the specific incident.

Base Command#

lumu-retrieve-endpoints-by-incident

Input#

| Argument Name | Description | Required |
|---|---|---|
| lumu_incident_id | Lumu incident id requested. | Required |
| page | page requested. | Optional |
| limit | items limit requested. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Lumu.RetrieveEndpointsByIncident.items.label | Number | Lumu label |
| Lumu.RetrieveEndpointsByIncident.items.endpoint | String | Lumu endpoint |
| Lumu.RetrieveEndpointsByIncident.items.total | Number | Lumu total |
| Lumu.RetrieveEndpointsByIncident.items.first | Date | Lumu first |
| Lumu.RetrieveEndpointsByIncident.items.last | Date | Lumu last |
| Lumu.RetrieveEndpointsByIncident.paginationInfo.page | Number | current page |
| Lumu.RetrieveEndpointsByIncident.paginationInfo.items | Number | current items |

Command example#

!lumu-retrieve-endpoints-by-incident lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6

Context Example#

{
"Lumu": {
"RetrieveEndpointsByIncident": [
{
"endpoint": "LUMU-100",
"first": "2023-02-15T16:59:47.142Z",
"label": 0,
"last": "2023-02-15T16:59:47.142Z",
"lastSourceId": "6d942a7a-d287-415e-9c09-3d6632a6a976",
"lastSourceType": "custom_collector",
"total": 1
},
{
"endpoint": "Loacal-nesfapdm",
"first": "2022-12-20T14:37:02.228Z",
"label": 0,
"last": "2022-12-20T14:37:02.228Z",
"lastSourceId": "6d942a7a-d287-415e-9c09-3d6632a6a976",
"lastSourceType": "custom_collector",
"total": 1
},
{
"endpoint": "cd-ho",
"first": "2023-02-08T16:41:35.613Z",
"label": 147,
"last": "2023-02-08T16:41:35.613Z",
"lastSourceId": "587ec9d348053ca03a58aeddeccb1b93",
"lastSourceType": "PublicResolver",
"total": 1
},
{
"endpoint": "fgiraldo",
"first": "2023-02-10T14:23:45Z",
"label": 1885,
"last": "2023-02-10T15:15:16Z",
"lastSourceId": "c91a9a48-274f-430e-989e-cc237b594621",
"lastSourceType": "integration",
"total": 2
},
{
"endpoint": "63620343863.instance-1",
"first": "2023-02-13T17:01:43.204Z",
"label": 2254,
"last": "2023-02-13T17:01:43.204Z",
"lastSourceId": "4358d167-3af0-4821-9f7b-ee58824ff87b",
"lastSourceType": "integration",
"total": 1
},
{
"endpoint": "DESKTOP-LUMU",
"first": "2023-02-09T15:22:01.450Z",
"label": 989,
"last": "2023-02-09T15:22:30.732Z",
"lastSourceId": "c5ae44a0-8c53-11ed-8008-11cbedd55f0c",
"lastSourceType": "windows_agent",
"total": 2
}
]
}
}

Human Readable Output#

Incident endpoints#

| Endpoint | First | Label | Last | Last Source Id | Last Source Type | Total |
|---|---|---|---|---|---|---|
| LUMU-100 | 2023-02-15T16:59:47.142Z | 0 | 2023-02-15T16:59:47.142Z | 6d942a7a-d287-415e-9c09-3d6632a6a976 | custom_collector | 1 |
| Loacal-nesfapdm | 2022-12-20T14:37:02.228Z | 0 | 2022-12-20T14:37:02.228Z | 6d942a7a-d287-415e-9c09-3d6632a6a976 | custom_collector | 1 |
| cd-ho | 2023-02-08T16:41:35.613Z | 147 | 2023-02-08T16:41:35.613Z | 587ec9d348053ca03a58aeddeccb1b93 | PublicResolver | 1 |
| fgiraldo | 2023-02-10T14:23:45Z | 1885 | 2023-02-10T15:15:16Z | c91a9a48-274f-430e-989e-cc237b594621 | integration | 2 |
| 63620343863.instance-1 | 2023-02-13T17:01:43.204Z | 2254 | 2023-02-13T17:01:43.204Z | 4358d167-3af0-4821-9f7b-ee58824ff87b | integration | 1 |
| DESKTOP-LUMU | 2023-02-09T15:22:01.450Z | 989 | 2023-02-09T15:22:30.732Z | c5ae44a0-8c53-11ed-8008-11cbedd55f0c | windows_agent | 2 |

paginationInfo#

| Items | Page |
|---|---|
| 10 | 1 |

lumu-mark-incident-as-read#


This transaction does not require any additional body parameters.

`{incident-uuid}`: UUID of the specific incident.

To associate a specific user with this transaction, include the `Lumu-User-Id` header with the user id as its value.

Base Command#

lumu-mark-incident-as-read

Input#

| Argument Name | Description | Required |
|---|---|---|
| lumu_incident_id | Lumu incident id. | Required |

Context Output#

| Path | Type | Description |
|---|---|---|
| Lumu.MarkIncidentAsRead.statusCode | unknown | Lumu statusCode |

Command example#

!lumu-mark-incident-as-read lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6

Context Example#

{
"Lumu": {
"MarkIncidentAsRead": ""
}
}

Human Readable Output#

Marked as read the incident successfully.

lumu-mute-incident#


`{incident-uuid}`: UUID of the specific incident.

To associate a specific user with this transaction, include the `Lumu-User-Id` header with the user id as its value.

Base Command#

lumu-mute-incident

Input#

| Argument Name | Description | Required |
|---|---|---|
| lumu_incident_id | Lumu incident id requested. | Required |
| comment | Lumu comment requested. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Lumu.MuteIncident.statusCode | unknown | Lumu statusCode |

Command example#

!lumu-mute-incident lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6 comment="mute from cortex"

Context Example#

{
"Lumu": {
"MuteIncident": {
"response": "",
"statusCode": 200
}
}
}

Human Readable Output#

Muted the incident successfully.

lumu-unmute-incident#


`{incident-uuid}`: UUID of the specific incident.

To associate a specific user with this transaction, include the `Lumu-User-Id` header with the user id as its value.

Base Command#

lumu-unmute-incident

Input#

| Argument Name | Description | Required |
|---|---|---|
| lumu_incident_id | Lumu incident id requested. | Required |
| comment | Lumu comment requested. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Lumu.UnmuteIncident.statusCode | unknown | Lumu statusCode |

Command example#

!lumu-unmute-incident lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6 comment="unmute from cortex"

Context Example#

{
"Lumu": {
"UnmuteIncident": {
"response": "",
"statusCode": 200
}
}
}

Human Readable Output#

Unmute the incident successfully.

lumu-consult-incidents-updates-through-rest#


Lumu provides an endpoint to consult real-time updates on incident operations through REST when a WebSocket connection is not available.

Note: timestamps in the updates returned by this endpoint are in the UTC time zone and follow the formats published in RFC 3339 and ISO 8601.

`{company-key}`: your company's unique API key, available at the Lumu Portal.

Base Command#

lumu-consult-incidents-updates-through-rest

Input#

| Argument Name | Description | Required |
|---|---|---|
| offset | Lumu offset requested. | Optional |
| limit | items limit requested. Default is 10. | Optional |
| time | time requested. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.companyId | String | Lumu companyId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.id | String | Lumu incident id |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.timestamp | Date | Lumu timestamp |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.status | String | Lumu status |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.contacts | Number | Lumu contacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.adversaries | String | Lumu adversaries |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.adversaryId | String | Lumu adversaryId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.description | String | Lumu description |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.labelDistribution | Number | Lumu labelDistribution |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.lastContact | Date | Lumu lastContact |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.unread | Boolean | Lumu unread |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.hasPlaybackContacts | Boolean | Lumu hasPlaybackContacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.incident.firstContact | Date | Lumu firstContact |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentClosed.comment | String | Lumu comment |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.companyId | String | Lumu companyId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.openIncidents | Number | Lumu openIncidents |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.totalContacts | Number | Lumu totalContacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.DGA | Number | Lumu DGA |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.C2C | Number | Lumu C2C |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.Network Scan | Number | Lumu Network Scan |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.Mining | Number | Lumu Mining |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.Phishing | Number | Lumu Phishing |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.Spam | Number | Lumu Spam |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.typeDistribution.Malware | Number | Lumu Malware |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.OpenIncidentsStatusUpdated.openIncidentsStatus.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.companyId | String | Lumu companyId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.id | String | Lumu id |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.timestamp | Date | Lumu timestamp |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.status | String | Lumu status |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.contacts | Number | Lumu contacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.adversaries | String | Lumu adversaries |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.adversaryId | String | Lumu adversaryId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.description | String | Lumu description |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.labelDistribution | Number | Lumu labelDistribution |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.lastContact | Date | Lumu lastContact |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.unread | Boolean | Lumu unread |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.hasPlaybackContacts | Boolean | Lumu hasPlaybackContacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.incident.firstContact | Date | Lumu firstContact |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.IncidentUnmuted.comment | String | Lumu comment |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.companyId | String | Lumu companyId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.id | String | Lumu id |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.timestamp | Date | Lumu timestamp |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.statusTimestamp | Date | Lumu statusTimestamp |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.status | String | Lumu status |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.contacts | Number | Lumu contacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.adversaries | String | Lumu adversaries |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.adversaryId | String | Lumu adversaryId |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.adversaryTypes | String | Lumu adversaryTypes |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.description | String | Lumu description |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.labelDistribution | Number | Lumu labelDistribution |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.lastContact | Date | Lumu lastContact |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.unread | Boolean | Lumu unread |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.hasPlaybackContacts | Boolean | Lumu hasPlaybackContacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.incident.firstContact | Date | Lumu firstContact |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.openIncidents | Number | Lumu openIncidents |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.totalContacts | Number | Lumu totalContacts |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.DGA | Number | Lumu DGA |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.C2C | Number | Lumu C2C |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.Network Scan | Number | Lumu Network Scan |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.Mining | Number | Lumu Mining |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.Phishing | Number | Lumu Phishing |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.Spam | Number | Lumu Spam |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.typeDistribution.Malware | Number | Lumu Malware |
| Lumu.ConsultIncidentsUpdatesThroughRest.updates.NewIncidentCreated.openIncidentsStats.totalEndpoints | Number | Lumu totalEndpoints |
| Lumu.ConsultIncidentsUpdatesThroughRest.offset | Number | Lumu next offset |

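The update feed this command returns, as an added example that is not part of the Lumu integration or its documentation: a Python consumer that folds one batch into the latest state per incident, keeps the returned offset as the cursor for the next poll, and flags update kinds it does not recognise instead of dropping them. The batch shape follows the context example on this page; the incident id, company id and hostname are constructed placeholders.

```python
# Added example (not part of the Lumu integration): consume one batch returned by
# lumu-consult-incidents-updates-through-rest. Batch layout follows the context
# example on this page; all sample values below are constructed.
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Optional

# Update kinds documented on this page that carry an "incident" object.
INCIDENT_KINDS = {"NewIncidentCreated", "IncidentUpdated", "IncidentClosed", "IncidentUnmuted"}


def parse_lumu_time(value: str) -> datetime:
    """Parse Lumu's UTC RFC 3339 timestamps, with ("...41.904Z") or without ("...00Z") millis."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # defensive: a naive value is taken as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def summarize_updates(batch: dict[str, Any]) -> dict[str, Any]:
    """Fold a batch into the latest state per incident, applying updates in list order.

    A later IncidentClosed overrides an earlier IncidentUpdated for the same id.
    Unknown kinds are collected rather than silently dropped, so a consumer can log them.
    """
    incidents: dict[str, dict[str, Any]] = {}
    latest_stats: Optional[dict[str, Any]] = None
    unknown_kinds: list[str] = []

    for update in batch.get("updates", []):
        for kind, payload in update.items():
            if kind == "OpenIncidentsStatusUpdated":
                latest_stats = payload.get("openIncidentsStatus")
                continue
            if kind not in INCIDENT_KINDS:
                unknown_kinds.append(kind)
                continue
            incident = payload.get("incident") or {}
            incident_id = incident.get("id")
            if not incident_id:
                unknown_kinds.append(f"{kind} without incident id")
                continue
            last_contact = incident.get("lastContact")
            incidents[incident_id] = {
                "kind": kind,
                "status": incident.get("status"),
                "contacts": incident.get("contacts", 0),
                "adversary": incident.get("adversaryId"),
                "adversary_types": list(incident.get("adversaryTypes", [])),
                "last_contact": parse_lumu_time(last_contact) if last_contact else None,
                "comment": payload.get("comment"),
            }
            # NewIncidentCreated (and IncidentUpdated in the context example) carry a stats snapshot.
            if "openIncidentsStats" in payload:
                latest_stats = payload["openIncidentsStats"]

    return {
        "next_offset": batch.get("offset"),  # persist and pass as `offset` on the next call
        "incidents": incidents,
        "open_incidents_stats": latest_stats,
        "unknown_kinds": unknown_kinds,
    }


def ids_needing_mirror(summary: dict[str, Any], statuses=("closed", "muted")) -> list[str]:
    """Incident ids whose latest status a mirroring consumer would act on."""
    return sorted(i for i, s in summary["incidents"].items() if s["status"] in statuses)


def _incident(status: str, contacts: int, last: str) -> dict[str, Any]:
    """Build a constructed incident object shaped like the page's context example."""
    return {"id": "inc-a", "status": status, "contacts": contacts,
            "adversaryId": "adversary.example", "adversaryTypes": ["Spam"], "lastContact": last}


COMPANY = "00000000-0000-0000-0000-000000000000"  # placeholder company id
SAMPLE_BATCH: dict[str, Any] = {
    "offset": 1096578,
    "updates": [
        {"NewIncidentCreated": {"companyId": COMPANY, "incident": _incident("open", 1, "2023-02-03T19:01:00Z"),
                                "openIncidentsStats": {"openIncidents": 2, "totalContacts": 10}}},
        {"IncidentUpdated": {"companyId": COMPANY, "incident": _incident("open", 2, "2023-02-03T19:05:00.250Z")}},
        {"IncidentClosed": {"companyId": COMPANY, "incident": _incident("closed", 2, "2023-02-03T19:05:00.250Z"),
                            "comment": "closed from cortex"}},
        {"OpenIncidentsStatusUpdated": {"companyId": COMPANY, "openIncidentsStatus": {
            "openIncidents": 1, "totalContacts": 12, "typeDistribution": {"Spam": 1}, "totalEndpoints": 1}}},
        {"SomeFutureKind": {"companyId": COMPANY}},  # undocumented kind: flagged, not applied
    ],
}

if __name__ == "__main__":
    result = summarize_updates(SAMPLE_BATCH)
    print(result["next_offset"], ids_needing_mirror(result), result["unknown_kinds"])
```

A real poller would feed `next_offset` back as the `offset` argument of the next call and treat a non-empty `unknown_kinds` as a signal to log, not to discard the batch.
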
Command example#

!lumu-consult-incidents-updates-through-rest items=4 offset=1096305 time=4

Context Example#

{
"Lumu": {
"ConsultIncidentsUpdatesThroughRest": {
"offset": 1096578,
"updates": [
{
"IncidentUpdated": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"contactSummary": {
"adversaryHost": "activity.lumu.io",
"endpointIp": "192.168.0.13",
"endpointName": "Loacal-nesfpdm",
"fromPlayback": false,
"timestamp": "2022-12-20T14:37:02.228Z",
"uuid": "c45b8540-8073-11ed-b5ad-23f20297b7bb"
},
"incident": {
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 15,
"description": "Activity Test Query",
"firstContact": "2023-02-01T15:13:41.904Z",
"hasPlaybackContacts": false,
"id": "182f3950-a243-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 2,
"1792": 1,
"989": 12
},
"lastContact": "2023-02-03T16:44:00.395Z",
"status": "open",
"statusTimestamp": "2023-02-01T15:14:17.061Z",
"timestamp": "2023-02-01T15:14:17.061Z",
"totalEndpoints": 5,
"unread": false
},
"openIncidentsStats": {
"labelDistribution": {
"0": 35,
"1179": 2,
"147": 27,
"1580": 147,
"1651": 14,
"1791": 81,
"1792": 2,
"1885": 3,
"2144": 29,
"2148": 247,
"218": 4,
"2254": 89,
"2267": 11,
"2280": 28,
"2692": 1,
"2821": 1,
"2974": 20,
"3005": 1,
"3077": 30,
"3179": 1,
"3182": 4,
"3628": 1,
"3635": 2,
"3771": 1,
"3774": 1,
"3811": 7,
"4055": 134,
"4061": 10,
"4232": 2,
"4301": 393,
"548": 25,
"805": 9,
"864": 3,
"989": 72
},
"openIncidents": 1124,
"totalContacts": 10311,
"totalEndpoints": 209,
"typeDistribution": {
"C2C": 106,
"DGA": 10,
"Inappropriate content": 1,
"Malware": 666,
"Mining": 274,
"Network Scan": 6,
"Phishing": 31,
"Spam": 265
}
}
}
},
{
"IncidentUpdated": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"contactSummary": {
"adversaryHost": "activity.lumu.io",
"endpointIp": "192.168.0.13",
"endpointName": "Loacal-nesfpdm",
"fromPlayback": false,
"timestamp": "2022-12-20T14:37:02.228Z",
"uuid": "c45b8540-8073-11ed-ab18-23f2022bdf77"
},
"incident": {
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 16,
"description": "Activity Test Query",
"firstContact": "2023-02-01T15:13:41.904Z",
"hasPlaybackContacts": false,
"id": "182f3950-a243-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 3,
"1792": 1,
"989": 12
},
"lastContact": "2023-02-03T16:44:00.395Z",
"status": "open",
"statusTimestamp": "2023-02-01T15:14:17.061Z",
"timestamp": "2023-02-01T15:14:17.061Z",
"totalEndpoints": 5,
"unread": false
},
"openIncidentsStats": {
"labelDistribution": {
"0": 35,
"1179": 2,
"147": 27,
"1580": 147,
"1651": 14,
"1791": 81,
"1792": 2,
"1885": 3,
"2144": 29,
"2148": 247,
"218": 4,
"2254": 89,
"2267": 11,
"2280": 28,
"2692": 1,
"2821": 1,
"2974": 20,
"3005": 1,
"3077": 30,
"3179": 1,
"3182": 4,
"3628": 1,
"3635": 2,
"3771": 1,
"3774": 1,
"3811": 7,
"4055": 134,
"4061": 10,
"4232": 2,
"4301": 393,
"548": 25,
"805": 9,
"864": 3,
"989": 72
},
"openIncidents": 1124,
"totalContacts": 10312,
"totalEndpoints": 209,
"typeDistribution": {
"C2C": 106,
"DGA": 10,
"Inappropriate content": 1,
"Malware": 666,
"Mining": 274,
"Network Scan": 6,
"Phishing": 31,
"Spam": 265
}
}
}
},
{
"IncidentUpdated": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"contactSummary": {
"adversaryHost": "activity.lumu.io",
"endpointIp": "192.168.0.13",
"endpointName": "Loacal-nesfpdm",
"fromPlayback": false,
"timestamp": "2022-12-20T14:37:02.228Z",
"uuid": "c45b8540-8073-11ed-a675-23f2020a8d4c"
},
"incident": {
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 17,
"description": "Activity Test Query",
"firstContact": "2023-02-01T15:13:41.904Z",
"hasPlaybackContacts": false,
"id": "182f3950-a243-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 4,
"1792": 1,
"989": 12
},
"lastContact": "2023-02-03T16:44:00.395Z",
"status": "open",
"statusTimestamp": "2023-02-01T15:14:17.061Z",
"timestamp": "2023-02-01T15:14:17.061Z",
"totalEndpoints": 5,
"unread": false
},
"openIncidentsStats": {
"labelDistribution": {
"0": 35,
"1179": 2,
"147": 27,
"1580": 147,
"1651": 14,
"1791": 81,
"1792": 2,
"1885": 3,
"2144": 29,
"2148": 247,
"218": 4,
"2254": 89,
"2267": 11,
"2280": 28,
"2692": 1,
"2821": 1,
"2974": 20,
"3005": 1,
"3077": 30,
"3179": 1,
"3182": 4,
"3628": 1,
"3635": 2,
"3771": 1,
"3774": 1,
"3811": 7,
"4055": 134,
"4061": 10,
"4232": 2,
"4301": 393,
"548": 25,
"805": 9,
"864": 3,
"989": 72
},
"openIncidents": 1124,
"totalContacts": 10313,
"totalEndpoints": 209,
"typeDistribution": {
"C2C": 106,
"DGA": 10,
"Inappropriate content": 1,
"Malware": 666,
"Mining": 274,
"Network Scan": 6,
"Phishing": 31,
"Spam": 265
}
}
}
},
{
"IncidentUpdated": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"contactSummary": {
"adversaryHost": "activity.lumu.io",
"endpointIp": "192.168.0.13",
"endpointName": "Loacal-nesfpdm",
"fromPlayback": false,
"timestamp": "2022-12-20T14:37:02.228Z",
"uuid": "c45b8540-8073-11ed-ba29-23f202e1cb1a"
},
"incident": {
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 18,
"description": "Activity Test Query",
"firstContact": "2023-02-01T15:13:41.904Z",
"hasPlaybackContacts": false,
"id": "182f3950-a243-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 5,
"1792": 1,
"989": 12
},
"lastContact": "2023-02-03T16:44:00.395Z",
"status": "open",
"statusTimestamp": "2023-02-01T15:14:17.061Z",
"timestamp": "2023-02-01T15:14:17.061Z",
"totalEndpoints": 5,
"unread": false
},
"openIncidentsStats": {
"labelDistribution": {
"0": 35,
"1179": 2,
"147": 27,
"1580": 147,
"1651": 14,
"1791": 81,
"1792": 2,
"1885": 3,
"2144": 29,
"2148": 247,
"218": 4,
"2254": 89,
"2267": 11,
"2280": 28,
"2692": 1,
"2821": 1,
"2974": 20,
"3005": 1,
"3077": 30,
"3179": 1,
"3182": 4,
"3628": 1,
"3635": 2,
"3771": 1,
"3774": 1,
"3811": 7,
"4055": 134,
"4061": 10,
"4232": 2,
"4301": 393,
"548": 25,
"805": 9,
"864": 3,
"989": 72
},
"openIncidents": 1124,
"totalContacts": 10314,
"totalEndpoints": 209,
"typeDistribution": {
"C2C": 106,
"DGA": 10,
"Inappropriate content": 1,
"Malware": 666,
"Mining": 274,
"Network Scan": 6,
"Phishing": 31,
"Spam": 265
}
}
}
},
{
"IncidentUpdated": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"contactSummary": {
"adversaryHost": "activity.lumu.io",
"endpointIp": "192.168.0.13",
"endpointName": "Loacal-nesfpdm",
"fromPlayback": false,
"timestamp": "2022-12-20T14:37:02.228Z",
"uuid": "c45b8540-8073-11ed-8392-23f20218d429"
},
"incident": {
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 19,
"description": "Activity Test Query",
"firstContact": "2023-02-01T15:13:41.904Z",
"hasPlaybackContacts": false,
"id": "182f3950-a243-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 6,
"1792": 1,
"989": 12
},
"lastContact": "2023-02-03T16:44:00.395Z",
"status": "open",
"statusTimestamp": "2023-02-01T15:14:17.061Z",
"timestamp": "2023-02-01T15:14:17.061Z",
"totalEndpoints": 5,
"unread": false
},
"openIncidentsStats": {
"labelDistribution": {
"0": 35,
"1179": 2,
"147": 27,
"1580": 147,
"1651": 14,
"1791": 81,
"1792": 2,
"1885": 3,
"2144": 29,
"2148": 247,
"218": 4,
"2254": 89,
"2267": 11,
"2280": 28,
"2692": 1,
"2821": 1,
"2974": 20,
"3005": 1,
"3077": 30,
"3179": 1,
"3182": 4,
"3628": 1,
"3635": 2,
"3771": 1,
"3774": 1,
"3811": 7,
"4055": 134,
"4061": 10,
"4232": 2,
"4301": 393,
"548": 25,
"805": 9,
"864": 3,
"989": 72
},
"openIncidents": 1124,
"totalContacts": 10315,
"totalEndpoints": 209,
"typeDistribution": {
"C2C": 106,
"DGA": 10,
"Inappropriate content": 1,
"Malware": 666,
"Mining": 274,
"Network Scan": 6,
"Phishing": 31,
"Spam": 265
}
}
}
},
{
"IncidentUpdated": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"contactSummary": {
"adversaryHost": "activity.lumu.io",
"endpointIp": "192.168.0.13",
"endpointName": "Loacal-nesfpdm",
"fromPlayback": false,
"timestamp": "2022-12-20T14:37:02.228Z",
"uuid": "c45b8540-8073-11ed-abb1-23f202b7a63d"
},
"incident": {
"adversaries": [
"activity.lumu.io"
],
"adversaryId": "activity.lumu.io",
"adversaryTypes": [
"Spam"
],
"contacts": 20,
"description": "Activity Test Query",
"firstContact": "2023-02-01T15:13:41.904Z",
"hasPlaybackContacts": false,
"id": "182f3950-a243-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"0": 7,
"1792": 1,
"989": 12
},
"lastContact": "2023-02-03T16:44:00.395Z",
"status": "open",
"statusTimestamp": "2023-02-01T15:14:17.061Z",
"timestamp": "2023-02-01T15:14:17.061Z",
"totalEndpoints": 5,
"unread": false
},
"openIncidentsStats": {
"labelDistribution": {
"0": 35,
"1179": 2,
"147": 27,
"1580": 147,
"1651": 14,
"1791": 81,
"1792": 2,
"1885": 3,
"2144": 29,
"2148": 247,
"218": 4,
"2254": 89,
"2267": 11,
"2280": 28,
"2692": 1,
"2821": 1,
"2974": 20,
"3005": 1,
"3077": 30,
"3179": 1,
"3182": 4,
"3628": 1,
"3635": 2,
"3771": 1,
"3774": 1,
"3811": 7,
"4055": 134,
"4061": 10,
"4232": 2,
"4301": 393,
"548": 25,
"805": 9,
"864": 3,
"989": 72
},
"openIncidents": 1124,
"totalContacts": 10316,
"totalEndpoints": 209,
"typeDistribution": {
"C2C": 106,
"DGA": 10,
"Inappropriate content": 1,
"Malware": 666,
"Mining": 274,
"Network Scan": 6,
"Phishing": 31,
"Spam": 265
}
}
}
},
{
"IncidentCommentAdded": {
"comment": "from XSOAR Cortex 20230206_135000 test comment, hmacsha256:efa407ced8d7cdedef4ed94e3730e3242996bd7ebf394c1e694d0b9a3f1087c6",
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"incidentId": "182f3950-a243-11ed-a0c7-dd6f8e69d343"
}
},
{
"IncidentCommentAdded": {
"comment": "comment 854",
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"incidentId": "182f3950-a243-11ed-a0c7-dd6f8e69d343"
}
},
{
"IncidentMarkedAsRead": {
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"incidentId": "790f0700-9ec4-11ed-a0c7-dd6f8e69d343"
}
},
{
"IncidentMuted": {
"comment": "test",
"companyId": "10228d9c-ff18-4251-ac19-514185e00f17",
"incident": {
"adversaries": [
"obobbo.com"
],
"adversaryId": "obobbo.com",
"adversaryTypes": [
"Spam"
],
"contacts": 1,
"description": "Disposable email host",
"firstContact": "2023-01-28T04:29:57.692Z",
"hasPlaybackContacts": false,
"id": "790f0700-9ec4-11ed-a0c7-dd6f8e69d343",
"labelDistribution": {
"4301": 1
},
"lastContact": "2023-01-28T04:29:57.692Z",
"status": "muted",
"statusTimestamp": "2023-02-06T15:01:54.199Z",
"timestamp": "2023-01-28T04:30:20.016Z",
"totalEndpoints": 1,
"unread": false
},
"reason": "irrelevant"
}
}
]
}
}
}

Human Readable Output#

Results#

offset | updates
1096578 | {'IncidentUpdated': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-02-01T15:14:17.061Z', 'statusTimestamp': '2023-02-01T15:14:17.061Z', 'status': 'open', 'contacts': 15, 'adversaries': ['activity.lumu.io'], 'adversaryId': 'activity.lumu.io', 'adversaryTypes': ['Spam'], 'description': 'Activity Test Query', 'labelDistribution': {'1792': 1, '989': 12, '0': 2}, 'totalEndpoints': 5, 'lastContact': '2023-02-03T16:44:00.395Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-02-01T15:13:41.904Z'}, 'openIncidentsStats': {'openIncidents': 1124, 'totalContacts': 10311, 'typeDistribution': {'DGA': 10, 'C2C': 106, 'Network Scan': 6, 'Mining': 274, 'Inappropriate content': 1, 'Phishing': 31, 'Spam': 265, 'Malware': 666}, 'labelDistribution': {'1792': 2, '147': 27, '3771': 1, '2254': 89, '4061': 10, '3774': 1, '3077': 30, '2280': 28, '3182': 4, '1885': 3, '2267': 11, '805': 9, '1791': 81, '2148': 247, '548': 25, '3635': 2, '989': 72, '3179': 1, '3005': 1, '4055': 134, '4301': 393, '1179': 2, '864': 3, '2144': 29, '1580': 147, '3811': 7, '4232': 2, '0': 35, '2974': 20, '3628': 1, '218': 4, '2692': 1, '1651': 14, '2821': 1}, 'totalEndpoints': 209}, 'contactSummary': {'uuid': 'c45b8540-8073-11ed-b5ad-23f20297b7bb', 'timestamp': '2022-12-20T14:37:02.228Z', 'adversaryHost': 'activity.lumu.io', 'endpointIp': '192.168.0.13', 'endpointName': 'Loacal-nesfpdm', 'fromPlayback': False}}},
{'IncidentUpdated': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-02-01T15:14:17.061Z', 'statusTimestamp': '2023-02-01T15:14:17.061Z', 'status': 'open', 'contacts': 16, 'adversaries': ['activity.lumu.io'], 'adversaryId': 'activity.lumu.io', 'adversaryTypes': ['Spam'], 'description': 'Activity Test Query', 'labelDistribution': {'1792': 1, '989': 12, '0': 3}, 'totalEndpoints': 5, 'lastContact': '2023-02-03T16:44:00.395Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-02-01T15:13:41.904Z'}, 'openIncidentsStats': {'openIncidents': 1124, 'totalContacts': 10312, 'typeDistribution': {'DGA': 10, 'C2C': 106, 'Network Scan': 6, 'Mining': 274, 'Inappropriate content': 1, 'Phishing': 31, 'Spam': 265, 'Malware': 666}, 'labelDistribution': {'1792': 2, '147': 27, '3771': 1, '2254': 89, '4061': 10, '3774': 1, '3077': 30, '2280': 28, '3182': 4, '1885': 3, '2267': 11, '805': 9, '1791': 81, '2148': 247, '548': 25, '3635': 2, '989': 72, '3179': 1, '3005': 1, '4055': 134, '4301': 393, '1179': 2, '864': 3, '2144': 29, '1580': 147, '3811': 7, '4232': 2, '0': 35, '2974': 20, '3628': 1, '218': 4, '2692': 1, '1651': 14, '2821': 1}, 'totalEndpoints': 209}, 'contactSummary': {'uuid': 'c45b8540-8073-11ed-ab18-23f2022bdf77', 'timestamp': '2022-12-20T14:37:02.228Z', 'adversaryHost': 'activity.lumu.io', 'endpointIp': '192.168.0.13', 'endpointName': 'Loacal-nesfpdm', 'fromPlayback': False}}},
{'IncidentUpdated': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-02-01T15:14:17.061Z', 'statusTimestamp': '2023-02-01T15:14:17.061Z', 'status': 'open', 'contacts': 17, 'adversaries': ['activity.lumu.io'], 'adversaryId': 'activity.lumu.io', 'adversaryTypes': ['Spam'], 'description': 'Activity Test Query', 'labelDistribution': {'1792': 1, '989': 12, '0': 4}, 'totalEndpoints': 5, 'lastContact': '2023-02-03T16:44:00.395Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-02-01T15:13:41.904Z'}, 'openIncidentsStats': {'openIncidents': 1124, 'totalContacts': 10313, 'typeDistribution': {'DGA': 10, 'C2C': 106, 'Network Scan': 6, 'Mining': 274, 'Inappropriate content': 1, 'Phishing': 31, 'Spam': 265, 'Malware': 666}, 'labelDistribution': {'1792': 2, '147': 27, '3771': 1, '2254': 89, '4061': 10, '3774': 1, '3077': 30, '2280': 28, '3182': 4, '1885': 3, '2267': 11, '805': 9, '1791': 81, '2148': 247, '548': 25, '3635': 2, '989': 72, '3179': 1, '3005': 1, '4055': 134, '4301': 393, '1179': 2, '864': 3, '2144': 29, '1580': 147, '3811': 7, '4232': 2, '0': 35, '2974': 20, '3628': 1, '218': 4, '2692': 1, '1651': 14, '2821': 1}, 'totalEndpoints': 209}, 'contactSummary': {'uuid': 'c45b8540-8073-11ed-a675-23f2020a8d4c', 'timestamp': '2022-12-20T14:37:02.228Z', 'adversaryHost': 'activity.lumu.io', 'endpointIp': '192.168.0.13', 'endpointName': 'Loacal-nesfpdm', 'fromPlayback': False}}},
{'IncidentUpdated': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-02-01T15:14:17.061Z', 'statusTimestamp': '2023-02-01T15:14:17.061Z', 'status': 'open', 'contacts': 18, 'adversaries': ['activity.lumu.io'], 'adversaryId': 'activity.lumu.io', 'adversaryTypes': ['Spam'], 'description': 'Activity Test Query', 'labelDistribution': {'1792': 1, '989': 12, '0': 5}, 'totalEndpoints': 5, 'lastContact': '2023-02-03T16:44:00.395Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-02-01T15:13:41.904Z'}, 'openIncidentsStats': {'openIncidents': 1124, 'totalContacts': 10314, 'typeDistribution': {'DGA': 10, 'C2C': 106, 'Network Scan': 6, 'Mining': 274, 'Inappropriate content': 1, 'Phishing': 31, 'Spam': 265, 'Malware': 666}, 'labelDistribution': {'1792': 2, '147': 27, '3771': 1, '2254': 89, '4061': 10, '3774': 1, '3077': 30, '2280': 28, '3182': 4, '1885': 3, '2267': 11, '805': 9, '1791': 81, '2148': 247, '548': 25, '3635': 2, '989': 72, '3179': 1, '3005': 1, '4055': 134, '4301': 393, '1179': 2, '864': 3, '2144': 29, '1580': 147, '3811': 7, '4232': 2, '0': 35, '2974': 20, '3628': 1, '218': 4, '2692': 1, '1651': 14, '2821': 1}, 'totalEndpoints': 209}, 'contactSummary': {'uuid': 'c45b8540-8073-11ed-ba29-23f202e1cb1a', 'timestamp': '2022-12-20T14:37:02.228Z', 'adversaryHost': 'activity.lumu.io', 'endpointIp': '192.168.0.13', 'endpointName': 'Loacal-nesfpdm', 'fromPlayback': False}}},
{'IncidentUpdated': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-02-01T15:14:17.061Z', 'statusTimestamp': '2023-02-01T15:14:17.061Z', 'status': 'open', 'contacts': 19, 'adversaries': ['activity.lumu.io'], 'adversaryId': 'activity.lumu.io', 'adversaryTypes': ['Spam'], 'description': 'Activity Test Query', 'labelDistribution': {'1792': 1, '989': 12, '0': 6}, 'totalEndpoints': 5, 'lastContact': '2023-02-03T16:44:00.395Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-02-01T15:13:41.904Z'}, 'openIncidentsStats': {'openIncidents': 1124, 'totalContacts': 10315, 'typeDistribution': {'DGA': 10, 'C2C': 106, 'Network Scan': 6, 'Mining': 274, 'Inappropriate content': 1, 'Phishing': 31, 'Spam': 265, 'Malware': 666}, 'labelDistribution': {'1792': 2, '147': 27, '3771': 1, '2254': 89, '4061': 10, '3774': 1, '3077': 30, '2280': 28, '3182': 4, '1885': 3, '2267': 11, '805': 9, '1791': 81, '2148': 247, '548': 25, '3635': 2, '989': 72, '3179': 1, '3005': 1, '4055': 134, '4301': 393, '1179': 2, '864': 3, '2144': 29, '1580': 147, '3811': 7, '4232': 2, '0': 35, '2974': 20, '3628': 1, '218': 4, '2692': 1, '1651': 14, '2821': 1}, 'totalEndpoints': 209}, 'contactSummary': {'uuid': 'c45b8540-8073-11ed-8392-23f20218d429', 'timestamp': '2022-12-20T14:37:02.228Z', 'adversaryHost': 'activity.lumu.io', 'endpointIp': '192.168.0.13', 'endpointName': 'Loacal-nesfpdm', 'fromPlayback': False}}},
{'IncidentUpdated': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-02-01T15:14:17.061Z', 'statusTimestamp': '2023-02-01T15:14:17.061Z', 'status': 'open', 'contacts': 20, 'adversaries': ['activity.lumu.io'], 'adversaryId': 'activity.lumu.io', 'adversaryTypes': ['Spam'], 'description': 'Activity Test Query', 'labelDistribution': {'1792': 1, '989': 12, '0': 7}, 'totalEndpoints': 5, 'lastContact': '2023-02-03T16:44:00.395Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-02-01T15:13:41.904Z'}, 'openIncidentsStats': {'openIncidents': 1124, 'totalContacts': 10316, 'typeDistribution': {'DGA': 10, 'C2C': 106, 'Network Scan': 6, 'Mining': 274, 'Inappropriate content': 1, 'Phishing': 31, 'Spam': 265, 'Malware': 666}, 'labelDistribution': {'1792': 2, '147': 27, '3771': 1, '2254': 89, '4061': 10, '3774': 1, '3077': 30, '2280': 28, '3182': 4, '1885': 3, '2267': 11, '805': 9, '1791': 81, '2148': 247, '548': 25, '3635': 2, '989': 72, '3179': 1, '3005': 1, '4055': 134, '4301': 393, '1179': 2, '864': 3, '2144': 29, '1580': 147, '3811': 7, '4232': 2, '0': 35, '2974': 20, '3628': 1, '218': 4, '2692': 1, '1651': 14, '2821': 1}, 'totalEndpoints': 209}, 'contactSummary': {'uuid': 'c45b8540-8073-11ed-abb1-23f202b7a63d', 'timestamp': '2022-12-20T14:37:02.228Z', 'adversaryHost': 'activity.lumu.io', 'endpointIp': '192.168.0.13', 'endpointName': 'Loacal-nesfpdm', 'fromPlayback': False}}},
{'IncidentCommentAdded': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incidentId': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'comment': 'from XSOAR Cortex 20230206_135000 test comment, hmacsha256:efa407ced8d7cdedef4ed94e3730e3242996bd7ebf394c1e694d0b9a3f1087c6'}},
{'IncidentCommentAdded': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incidentId': '182f3950-a243-11ed-a0c7-dd6f8e69d343', 'comment': 'comment 854'}},
{'IncidentMarkedAsRead': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incidentId': '790f0700-9ec4-11ed-a0c7-dd6f8e69d343'}},
{'IncidentMuted': {'companyId': '10228d9c-ff18-4251-ac19-514185e00f17', 'incident': {'id': '790f0700-9ec4-11ed-a0c7-dd6f8e69d343', 'timestamp': '2023-01-28T04:30:20.016Z', 'statusTimestamp': '2023-02-06T15:01:54.199Z', 'status': 'muted', 'contacts': 1, 'adversaries': ['obobbo.com'], 'adversaryId': 'obobbo.com', 'adversaryTypes': ['Spam'], 'description': 'Disposable email host', 'labelDistribution': {'4301': 1}, 'totalEndpoints': 1, 'lastContact': '2023-01-28T04:29:57.692Z', 'unread': False, 'hasPlaybackContacts': False, 'firstContact': '2023-01-28T04:29:57.692Z'}, 'comment': 'test', 'reason': 'irrelevant'}}

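The payload above is a cursor-paginated feed: an `offset` to pass into the next call plus a list of updates, each a one-key object named after the event type (IncidentUpdated, IncidentCommentAdded, IncidentMarkedAsRead, IncidentMuted). The following consumer is an added example, not the integration's own code: it advances the cursor, dispatches on the event type, and uses the `, hmacsha256:<hex>` comment suffix visible in the example to recognise comments the integration itself pushed so they are not mirrored back into Cortex XSOAR. The page shows that suffix but not how it is computed, so the key, the signed message (the comment text before the suffix) and the sample payload are constructed assumptions.

```python
"""Consumer for the offset/updates feed returned by
lumu-consult-incidents-updates-through-rest (added example, not Lumu's code)."""
import hashlib
import hmac
import re
from typing import Any

# Constructed shared secret; the integration's real key is not on the page.
KEY = b"constructed-demo-key"
# Comment form seen in the example: "<text>, hmacsha256:<64 hex chars>".
TAG_RE = re.compile(r"^(?P<body>.*), hmacsha256:(?P<tag>[0-9a-f]{64})$", re.S)


def tag_comment(body: str, key: bytes = KEY) -> str:
    """Append an HMAC-SHA256 tag over the comment text (assumed scheme)."""
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}, hmacsha256:{mac}"


def verify_tag(comment: str, key: bytes = KEY) -> bool:
    """True only when the suffix recomputes under our key; a plain comment or
    a tampered body is rejected, so only our own echoes are filtered."""
    m = TAG_RE.match(comment)
    if not m:
        return False
    expected = hmac.new(key, m["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, m["tag"])


def process_updates(payload: dict[str, Any], offset: int,
                    key: bytes = KEY) -> dict[str, Any]:
    """Walk one page of updates. Returns the offset for the next call, counts
    per event type, the comments to mirror and the incident ids touched."""
    new_offset = int(payload["offset"])
    if new_offset < offset:  # a cursor going backwards means replayed data
        raise ValueError(f"offset went backwards: {offset} -> {new_offset}")
    counts: dict[str, int] = {}
    comments: list[tuple[str, str]] = []
    touched: set[str] = set()
    for update in payload.get("updates", []):
        (kind, body), = update.items()  # each update is {"<EventType>": {...}}
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "IncidentCommentAdded":
            if verify_tag(body["comment"], key):
                continue  # our own comment coming back: do not mirror it again
            comments.append((body["incidentId"], body["comment"]))
            touched.add(body["incidentId"])
        elif "incident" in body:  # IncidentUpdated, IncidentMuted, ...
            touched.add(body["incident"]["id"])
        elif "incidentId" in body:  # IncidentMarkedAsRead, ...
            touched.add(body["incidentId"])
    return {"offset": new_offset, "counts": counts,
            "comments": comments, "touched": sorted(touched)}


# Constructed sample modelled on the page's context example (ids shortened).
SAMPLE = {
    "offset": 1096578,
    "updates": [
        {"IncidentUpdated": {"incident": {"id": "inc-a", "status": "open",
                                          "contacts": 15}}},
        {"IncidentCommentAdded": {"incidentId": "inc-a",
                                  "comment": tag_comment("from XSOAR test comment")}},
        {"IncidentCommentAdded": {"incidentId": "inc-a", "comment": "comment 854"}},
        {"IncidentMarkedAsRead": {"incidentId": "inc-b"}},
        {"IncidentMuted": {"incident": {"id": "inc-b", "status": "muted"},
                           "reason": "irrelevant"}},
    ],
}

if __name__ == "__main__":
    print(process_updates(SAMPLE, offset=1096305))
```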
lumu-close-incident#


Closes the specified Lumu incident.

{incident-uuid}: uuid of the specific incident.

To associate a specific user to this transaction, include the header Lumu-User-Id with the user id as a value.

Base Command#

lumu-close-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lumu_incident_id | Lumu incident id. | Required |
| comment | Lumu comment requested. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.CloseIncident.statusCode | unknown | Lumu statusCode |

Command example#

!lumu-close-incident lumu_incident_id=7c40be00-a7cf-11ed-9fd0-e5fb50c818f6 comment="closed from Cortex"

Context Example#

{
"Lumu": {
"CloseIncident": {
"response": "",
"statusCode": 200
}
}
}

Human Readable Output#

Closed the incident successfully.

get-modified-remote-data#


Used by the incident mirroring process.

Base Command#

get-modified-remote-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lastUpdate | Time of the last mirroring update. | Optional |

Context Output#

There is no context output for this command.

get-remote-data#


Used by the incident mirroring process.

Base Command#

get-remote-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lastUpdate | Time of the last mirroring update. | Required |
| id | Remote (Lumu) incident id. | Required |

Context Output#

There is no context output for this command.

get-mapping-fields#


Used by the incident mirroring process.

Base Command#

get-mapping-fields

Input#

There are no input arguments for this command.
Context Output#

There is no context output for this command.

lumu-clear-cache#


Clears the Lumu integration cache. Trigger it only when strictly necessary.

Base Command#

lumu-clear-cache

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.ClearCache | string | Lumu clear cache |

Command example#

!lumu-clear-cache

Context Example#

{
"Lumu": {
"ClearCache": "cache cleared get_integration_context()={'cache': [], 'lumu_incidentsId': []}"
}
}

Human Readable Output#

cache cleared get_integration_context()={'cache': [], 'lumu_incidentsId': []}

update-remote-system#


Used by the incident mirroring process.

Base Command#

update-remote-system

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| data | Incident data to push to the remote system. | Required |
| entries | War room entries to push to the remote system. | Optional |
| incident_changed | Whether the incident changed since the last update. | Optional |
| remote_incident_id | Remote (Lumu) incident id. | Optional |

Context Output#

There is no context output for this command.

lumu-get-cache#


Returns the Lumu integration cache and the list of Lumu incident ids already processed.

Base Command#

lumu-get-cache

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Lumu.GetCache.cache | string | Lumu cache |
| Lumu.GetCache.lumu_incidentsId | string | Lumu incident ids processed |

Command example#

!lumu-get-cache

Context Example#

{
"Lumu": {
"GetCache": {
"cache": [],
"lumu_incidentsId": [
"e65b3f60-a99e-11ed-9fd0-e5fb50c818f6",
"8c5efc90-aca5-11ed-9fd0-e5fb50c818f6",
"903c5580-abef-11ed-9fd0-e5fb50c818f6",
"ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6",
"229d4030-9eba-11ed-a0c7-dd6f8e69d343",
"50240240-9ec0-11ed-a0c7-dd6f8e69d343",
"02355f90-9ecd-11ed-a0c7-dd6f8e69d343",
"099a9e80-2ec0-11ed-9b90-a51546bb08b5",
"0fe32870-9ec3-11ed-a0c7-dd6f8e69d343",
"73661810-9ec5-11ed-a0c7-dd6f8e69d343",
"3e5f6480-9ebd-11ed-a0c7-dd6f8e69d343",
"89658e80-aa3b-11ed-9fd0-e5fb50c818f6",
"f2571f00-aa43-11ed-9fd0-e5fb50c818f6",
"853e3020-aca5-11ed-9fd0-e5fb50c818f6",
"6522d180-9ec5-11ed-a0c7-dd6f8e69d343",
"fd6788c0-561b-11ed-987a-cd6f8ff058b8",
"e6a0cc30-a893-11ed-9fd0-e5fb50c818f6",
"38183850-8bbb-11ed-b0f8-a7e340234a4e",
"a82e5550-9ec8-11ed-a0c7-dd6f8e69d343",
"0d207a50-ac8a-11ed-9fd0-e5fb50c818f6",
"7c40be00-a7cf-11ed-9fd0-e5fb50c818f6",
"99b7bf10-ac84-11ed-9fd0-e5fb50c818f6",
"91aaaf20-ac8a-11ed-9fd0-e5fb50c818f6",
"726849c0-7a6b-11ed-a600-d53ba4d2bb70",
"e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6",
"ec869190-85aa-11ed-a600-d53ba4d2bb70",
"672a8c90-9ebe-11ed-a0c7-dd6f8e69d343"
]
}
}
}

Human Readable Output#

Cache#

Lumu _ Incidents Id
e65b3f60-a99e-11ed-9fd0-e5fb50c818f6,
8c5efc90-aca5-11ed-9fd0-e5fb50c818f6,
903c5580-abef-11ed-9fd0-e5fb50c818f6,
ad2b63c0-ad34-11ed-9fd0-e5fb50c818f6,
229d4030-9eba-11ed-a0c7-dd6f8e69d343,
50240240-9ec0-11ed-a0c7-dd6f8e69d343,
02355f90-9ecd-11ed-a0c7-dd6f8e69d343,
099a9e80-2ec0-11ed-9b90-a51546bb08b5,
0fe32870-9ec3-11ed-a0c7-dd6f8e69d343,
73661810-9ec5-11ed-a0c7-dd6f8e69d343,
3e5f6480-9ebd-11ed-a0c7-dd6f8e69d343,
89658e80-aa3b-11ed-9fd0-e5fb50c818f6,
f2571f00-aa43-11ed-9fd0-e5fb50c818f6,
853e3020-aca5-11ed-9fd0-e5fb50c818f6,
6522d180-9ec5-11ed-a0c7-dd6f8e69d343,
fd6788c0-561b-11ed-987a-cd6f8ff058b8,
e6a0cc30-a893-11ed-9fd0-e5fb50c818f6,
38183850-8bbb-11ed-b0f8-a7e340234a4e,
a82e5550-9ec8-11ed-a0c7-dd6f8e69d343,
0d207a50-ac8a-11ed-9fd0-e5fb50c818f6,
7c40be00-a7cf-11ed-9fd0-e5fb50c818f6,
99b7bf10-ac84-11ed-9fd0-e5fb50c818f6,
91aaaf20-ac8a-11ed-9fd0-e5fb50c818f6,
726849c0-7a6b-11ed-a600-d53ba4d2bb70,
e0b39da0-ac8c-11ed-9fd0-e5fb50c818f6,
ec869190-85aa-11ed-a600-d53ba4d2bb70,
672a8c90-9ebe-11ed-a0c7-dd6f8e69d343

Incident Mirroring#

You can enable incident mirroring between Cortex XSOAR incidents and the corresponding Lumu events (available from Cortex XSOAR version 6.0.0). To set up the mirroring:

  1. Enable Fetching incidents in your instance configuration.

  2. In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:

    | Option | Description |
    | --- | --- |
    | None | Turns off incident mirroring. |
    | Incoming | Any changes in Lumu events (mirroring incoming fields) will be reflected in Cortex XSOAR incidents. |
    | Outgoing | Any changes in Cortex XSOAR incidents will be reflected in Lumu events (outgoing mirrored fields). |
    | Incoming And Outgoing | Changes in Cortex XSOAR incidents and Lumu events will be reflected in both directions. |

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents. Important Note: To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and Lumu.