
Mobile Endpoint Security

Lookout Product Documentation


Incident Response Workflow Example

This workflow typically begins when an issue is reported on the MES Issues page. In this example, the issue involves a mobile app. As a SOC (security operations center) analyst, or another user with the appropriate permissions, you could take actions like these:

  1. As part of a routine review of issues, you open the MES Issues page and filter the issues to apps detected in the last 30 days.
  2. During the review, you spot an active threat needing investigation.
  3. Clicking on the issue takes you to a more detailed view of the issue.
    This page summarizes malware detections and other potential risks that the application presents.
  4. You click the View Full App Details shortcut button to go directly to the app details page for the app version under investigation.
    This page provides a more detailed view of risks just summarized on the issue details page.
  5. Wanting to dig deeper, you click the shortcut to the Research details view for the app.
    This page and the research tabs provide complete access to Lookout’s full analysis of the application in question as described in Interacting with Research App Details.
  6. You review the application details in the research analysis results and begin documenting key application characteristics, such as contacted DNS names, IP addresses or FQDNs, application signer values, or any other data element that is noteworthy.
    As you review these characteristics, you collect evidence and iteratively build and refine an analysis hypothesis from the observations and circumstances. The goal is a list of reliable indicators of compromise (IOCs) for the application or malware family.
  7. Once you have identified and refined a list of IOCs, you can use them in other activities, such as threat hunting for other applications that share the same IOCs, as outlined in the next section.
    You can also add one or more identified domain IOCs to the phishing and content protection (PCP) denylist content policy to proactively block any application from communicating with those domains.
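The IOC collection and hunting steps above can be mechanized once the characteristics have been exported from the research view. The following Python script is an added example, not Lookout code and not Lookout's research data schema: the record layout, field names (`package`, `signer_sha256`, `network`), sample apps and the shared-infrastructure allowlist are all constructed for illustration. It turns one app's network endpoints and signer into a normalized IOC set, drops shared infrastructure that many benign apps contact, hunts an inventory of other app records for any overlap, and emits the domain entries that would go into a PCP denylist policy.

```python
"""Build an IOC set from one app's analysis record and hunt for other apps
that share any indicator.  Added example, not Lookout code: the record
layout, field names, sample data and allowlist below are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed seed record for the app version under investigation.
SEED = {
    "package": "com.example.torch",
    "version": "2.4",
    "signer_sha256": "3f1a0b2c",  # truncated, made-up signer fingerprint
    "network": [
        "https://cdn-upd.example-bad.net/payload.bin",
        "203.0.113.45",
        "c2.example-bad.net:8443",
        "https://www.googleapis.com/auth",  # shared infrastructure, not an IOC
    ],
    "detections": ["Trojan"],
}

# Constructed records for other apps seen in the tenant.
INVENTORY = [
    {"package": "com.example.wallpapers", "version": "1.0", "signer_sha256": "3f1a0b2c",
     "network": ["https://img.wallpapers.example/"], "detections": []},
    {"package": "com.example.cleaner", "version": "5.2", "signer_sha256": "9b2c7d4e",
     "network": ["http://cdn-upd.example-bad.net/cfg", "https://www.googleapis.com/auth"],
     "detections": []},
    {"package": "com.example.notes", "version": "0.9", "signer_sha256": "77de1188",
     "network": ["https://www.googleapis.com/auth"], "detections": []},
]

# Constructed allowlist of shared infrastructure contacted by many benign apps.
# Putting one of these on a PCP denylist would break unrelated apps.
SHARED_INFRA = {"googleapis.com", "gstatic.com", "google.com"}


def _hostname(value):
    """Return the lowercase host from a URL, a host:port pair or a bare host."""
    if "://" in value:
        return urlsplit(value).hostname  # already lowercased, None if absent
    host = value.split("/", 1)[0]
    if host.startswith("["):  # bracketed IPv6 literal such as [2001:db8::1]:443
        return host[1:host.index("]")].lower()
    # A single colon separates host and port; an unbracketed IPv6 literal has more.
    return host.rsplit(":", 1)[0].lower() if host.count(":") == 1 else host.lower()


def _is_shared_infra(host):
    return any(host == d or host.endswith("." + d) for d in SHARED_INFRA)


def extract_iocs(record):
    """Split a record's endpoints into domain and IP IOCs, dropping shared
    infrastructure, and add the signer fingerprint as a third IOC class."""
    iocs = {"domains": set(), "ips": set(), "signers": set()}
    for endpoint in record.get("network", []):
        host = _hostname(endpoint)
        if not host:
            continue
        try:
            iocs["ips"].add(str(ipaddress.ip_address(host)))
        except ValueError:  # not an IP literal, so treat it as a domain name
            host = host.rstrip(".")
            if not _is_shared_infra(host):
                iocs["domains"].add(host)
    if record.get("signer_sha256"):
        iocs["signers"].add(record["signer_sha256"].lower())
    return iocs


def hunt(seed_iocs, records):
    """Return the records sharing at least one IOC with the seed set, listing
    the matching indicators so the analyst can judge how strong the link is."""
    hits = []
    for rec in records:
        other = extract_iocs(rec)
        matched = sorted(
            [f"domain:{d}" for d in seed_iocs["domains"] & other["domains"]]
            + [f"ip:{i}" for i in seed_iocs["ips"] & other["ips"]]
            + [f"signer:{s}" for s in seed_iocs["signers"] & other["signers"]]
        )
        if matched:
            hits.append({"package": rec["package"], "version": rec["version"],
                         "matched": matched})
    return hits


def denylist_entries(iocs):
    """Domain IOCs as one-domain-per-entry candidates for a PCP denylist policy."""
    return sorted(iocs["domains"])


if __name__ == "__main__":
    seed_iocs = extract_iocs(SEED)
    for hit in hunt(seed_iocs, INVENTORY):
        print(hit["package"], hit["version"], ", ".join(hit["matched"]))
    print("PCP denylist candidates:", denylist_entries(seed_iocs))
```

Run against the constructed data, the hunt links `com.example.wallpapers` to the seed through the shared signer and `com.example.cleaner` through the shared domain, while `com.example.notes` is not reported because its only endpoint is on the allowlist. The match list is returned rather than a verdict on purpose: a signer match is a strong link unless the key is a widely reused test key, and a domain match on a hosting provider or CDN is weak, so each hit still needs the analyst's judgment before the indicator is treated as a reliable IOC or a domain is added to the denylist.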