This training session provides a comprehensive walkthrough of the Lumu portal, focusing on the management and analysis of security incidents. The presenter demonstrates how users can investigate malicious activity such as Command and Control (C2C) and ransomware families such as Sodinokibi using the MITRE ATT&CK Matrix, incident response playbooks, and the Compromise Radar. A key highlight is the introduction of a new email reporting feature that lets users share detailed incident findings and PDF reports with external stakeholders or vendors directly from the portal.
Takeaways
- External Reporting Feature: Lumu now allows the generation and emailing of incident reports to external parties, providing a PDF summary that includes all granular details and functional links found within the portal.
- Dual-Feed Integration: The FortiGate integration generates two separate URLs: a domain/URL threat feed and an IP address block list, both of which must be configured as external connectors.
- Threat Scope: Users can customize the integration to block specific threat categories, including malware, C2C, spam, phishing, and crypto-mining, with an initial sync covering the last 30 days of detected adversaries.
- Configuration Best Practices: For FortiGate external connectors, it is recommended to set the refresh rate to 30 minutes and deactivate the HTTP setting during the setup process.
- Automated Enforcement: Real-time protection is achieved by adding the Lumu threat feeds to “Security Profiles” (Web Filter) and “Firewall Policies,” setting the action to “block” or “deny” for all identified malicious traffic.
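The four FortiGate takeaways above describe one setup procedure. The FortiOS CLI session below is an added example written for this page, not configuration taken from the video, from Lumu, or from Fortinet documentation: it creates the two external connectors (domain/URL feed and IP block list) with the recommended 30-minute refresh rate, binds the domain feed to a Web Filter profile as a blocked category, and denies traffic to the IP block list in a firewall policy. The feed URLs, the connector and profile names, the interface names ("internal", "wan1"), and the custom category number 192 are placeholders and assumptions; the HTTP setting the presenter deactivates is a GUI toggle, and this CLI simply enables no optional HTTP authentication options. The threat categories synced (malware, C2C, spam, phishing, crypto-mining) are selected on the Lumu side, not in FortiGate.

```fortios
# Step 1: two external connectors, one per Lumu URL (placeholders, not real feed URLs).
# Domain/URL feeds must be type "domain" and carry a custom category number (192-221).
config system external-resource
    edit "Lumu-Domains"
        set type domain
        set category 192
        set resource "https://LUMU_DOMAIN_FEED_URL_PLACEHOLDER"
        set refresh-rate 30
        set status enable
    next
    # IP block lists are type "address"; the connector name becomes an address object.
    edit "Lumu-IPs"
        set type address
        set resource "https://LUMU_IP_BLOCKLIST_URL_PLACEHOLDER"
        set refresh-rate 30
        set status enable
    next
end

# Step 2: Web Filter profile that blocks the custom category fed by "Lumu-Domains".
config webfilter profile
    edit "Lumu-WebFilter"
        config ftgd-wf
            config filters
                edit 1
                    set category 192
                    set action block
                next
            end
        end
    next
end

# Step 3a: deny policy for traffic to the IP block list (assumed interface names).
config firewall policy
    edit 0
        set name "Deny-Lumu-IPs"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Lumu-IPs"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Step 3b: the general outbound allow policy applies the Web Filter profile.
    edit 0
        set name "Allow-Outbound-Filtered"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Lumu-WebFilter"
        set nat enable
        set logtraffic all
    next
end
```

Policy order matters: the deny policy must sit above the general outbound allow policy, so after creating both, move it up in the GUI or with the CLI `move` command under `config firewall policy`. `diagnose sys external-resource` can be used to inspect whether a feed has been fetched, and `logtraffic all` on both policies gives the log entries needed to confirm that a hit on a Lumu indicator was actually blocked.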