Overview of Actions

Actions for Microsoft Defender #

Lucidum includes the following Actions for Microsoft Defender:

• Isolate Machine. Disconnects one or more devices from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

• Unisolate Machine. Reconnects one or more devices to the network.

Actions for Microsoft Sentinel #

Lucidum includes the following Actions for Microsoft Sentinel:

• Send Data. Sends a custom set of Lucidum data to Microsoft Sentinel.

Actions for Microsoft Teams #

Lucidum includes the following Actions for Microsoft Teams:

• Post on Teams. Sends a custom set of Lucidum data to Microsoft Teams.

Actions for Opsgenie #

Lucidum includes the following Actions for Opsgenie:

• Create Alert. Send an alert from Lucidum to Opsgenie. Opsgenie will deliver the alert according to its policies.

Actions for Rapid7 #

Lucidum includes the following Actions for Rapid7:

• Create a New List of IPs/Hosts for Scanning. Send a list of IPs/host names to Rapid7 for scanning.

Actions for ServiceNow #

Lucidum includes the following Actions for ServiceNow:

• Create ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow.

• Create/Update ServiceNow Assets (IRE API). Creates one or more new configuration items (CIs) in ServiceNow. If the one or more of the CIs already exist, this action updates the existing CIs.

Actions for Slack #

Lucidum includes the following Actions for Slack:

• Post on Slack. Sends data (outputfields) from the specified records (from the base query) to a slack channel.

Actions for Snowflake #

Lucidum includes the following Actions for Snowflake:

• Send Data. Sends a custom set of Lucidum data to SnowFlake.

Actions for Splunk #

Lucidum includes the following Actions for Splunk:

• Send Data. Sends a custom set of Lucidum data to Splunk.

Actions for Sumo Logic #

Lucidum includes the following Actions for Sumo Logic:

• Send Data. Sends a custom set of Lucidum data to Sumo Logic.

Actions for Tenable Vulnerability Management #

Lucidum includes the following Actions for Tenable Vulnerability Management:

• Send to Tenable Vulnerability Management Assets. Sends a custom set of Lucidum data to Tenable Vulnerability Management to import as assets.

• Launch Tenable Vulnerability Management Scan. Launches a scan in Tenable Vulnerability Management with a specified list of assets.

• Add to Tenable Vulnerability Management Target Group. Adds a list of assets to a target group in Tenable Vulnerability Management . A target group includes a list of targets to scan.

Webhooks #

Lucidum allows you to create custom actions using webhooks.

Workflow for Creating Configurations and Actions in Lucidum #

Create a New Configuration #

Workflow Using Clone to Create a New Action #

1. Choose Actions from the left pane.

2. In the Actions page, choose from the action types in the Categories pane or click on an icon in the right pane.

3. To clone an action, in the Configured Actions pane, find the action you want to clone and click the clone icon (two pages). An action specifies the task to execute, the data to include in the action, and how frequently to execute the action.

4. Lucidum displays the Clone Action page.

5. Provide a new name in the Action Name field.

6. Edit one or more values in one or more pages and click the Next (>) icon.

7. Save the action.

NOTE: Save is not enabled until you provide a new name for the action.

8. Lucidum automatically sets the action the Enabled. You can disable the action using the enable/disable toggle in the Configured Actions pane.

9. Lucidum automatically tests the action when you save it and automatically executes the action at the time and recurrence you defined in the action.

Alternative Workflow for Creating an Action #

You can also create an action when viewing the results of a query. To do this:

1. Create a query from the Query button. For details, see the chapter on Creating Queries.

2. Click the Show Results (checklist) icon to open the Query Result page

3. The Query Results page displays a the results of query.

   

4. In the Query Results page, click the Create a recurring action (arrows) icon.

5. In the Send to Actions page, select an action type.

   

6. Lucidum displays the Create a New Action page, with the query already loaded in the Filters page.

   
7. Follow the steps in the section on Creating an Action. You can skip the steps about defining Filters, because the filter is now populated.

Workflow for Editing a Configuration #

To edit an existing configuration , follow these steps:

1. Choose Actions from the left pane.

2. In the Actions page, click an icon in the right pane.

3. To create a configuration for the action, click the Configuration (gear) icon in the upper left. A configuration provides the connection and authorization information to communicate with the external solution.

4. In the Manage Action Configurations page, find the configuration you want to edit and click its Edit (pencil) icon.

   

5. You can edit one or more fields in the configuration.
6. Click Save to save your changes.

Workflow for Editing an Action #

To edit an existing actions, follow these steps:

1. Choose Actions from the left pane.

2. In the Actions page, choose from the action types in the Categories pane or click on an icon in the right pane.

3. In the Configured Actions pane, find the action you want to edit. Click its Edit (pencil) icon.

   

4. You can edit fields in the General page, the Filters page, the Schedule page, or the Details page.

5. Click the Save Profile (disc) icon to save your changes.

Viewing Status of an Existing Action and Executing an Action On-Demand #

To view information about an existing action:

1. Choose Actions from the left pane.

2. In the Actions page, click an icon in the right pane.

3. The Configured Actions pane displays information about the status of each action and provides options to execute the action on-demand:

1. Red toggle icon. Action is enabled and has errors.
2. Green toggle icon. Action is enabled and does not have errors.
3. Gray toggle icon. Action is disabled.
4. Orange toggle icon. Action is currently executing.
5. Red Last Run Time. Action had errors during last run.
6. Blue Next Run Time. Action is scheduled to run in the future.
7. Green Last Run Time. Action executed successfully during last run.
8. Orange Last Run Time. Action is currently executing.
9. Airplane icon. Executes the action on-demand (now).

Action Logs #

You can view general logs and detailed logs about each Lucidum actions.

To view these logs:

1. Choose Actions from the left pane.

2. In the Actions page, click an icon in the right pane.

3. In the Configured Actions pane, select the View Logs icon.

4. The Action Logs modal page appears:

   

5. The Action Logs modal displays:

   • Status. Specifies whether the last execution of the action was successful (green) or failed (red).

   • Triggered At. The date and time the action was last triggered.

   • Records. Number of records included in the action.

   • Actions. Download the log file for the last execution of the action.

6. To download a detailed log file for an execution of the action, click on the download icon in the Actions column.

7. Lucidum downloads a .csv file to your local computer. The .csv file includes the payload for the action. You specify this payload in the Output Fields field of the action.

8. An example log file looks like this:

   

   • This action found nine assets that match the Filter in the Filters page.

   • For each of those assets, the action sent the values from the fields specified in Output Fields in the Details page to Tenable Vulnerability Management . In our example, the fields in the payload are Data Sources, First Time Seen, IP Address, Last Time Seen, Lucidum Asset Name, and Lucidum User Name.

Action Limits in Lucidum #

• Each action can include up to 5,000 records.

• You can trigger actions to run as frequently as every 5 minutes.