How to monitor, investigate, and respond to incidents

Effective incident monitoring and investigation require clear visibility into user activity and system events. Audit logs allow you to reconstruct a detailed timeline of actions, which can help explain what happened, when it occurred, and who was involved. 

Lucid's audit logs capture key events across your account, including content-related actions such as when a document was created, downloaded, opened, or deleted. 

To export audit logs to CSV or JSON format, follow these steps:

1. Navigate to the admin panel and select the audit log page under the Compliance tab.
2. Use the date picker to select your desired timeframe within the past 180 days.
3. Once all events within your timeframe are found, a success banner will appear.
4. Choose either Export as JSON or Export as CSV, depending on your preferred file type.
5. To the far-right side of the search results, click Export.

If you would like to use our audit log API, you can reference our developer documentation for more details. If you wish to pull Lucid's audit events to a permanent data store (such as Splunk), you can use our SIEM connection script.

Admins can easily view a document’s full revision history through Discovery or content inspection, allowing them to track changes, review past versions, and identify who made specific edits. This functionality is especially helpful for audits or investigations. 

1. To access a document’s revision history, start by running a search in Discovery using relevant filters such as users, keywords, document type, and creation date. 
2. From the search results, select the document you want to review by clicking its title. This action opens the document in admin view, allowing you to inspect it discreetly. 
3. Once in the document, navigate to File > Show revision history to see a complete log of changes and the users responsible for them.

When using this document with admin permissions, collaborators will not see that you are viewing the document. As you can only view documents, this will not affect the document’s revision history.

If you suspect a security incident on your Lucid account, you can take steps to secure access immediately. We recommend using the force logout and password reset feature in the admin panel. This action will end all active sessions for both users and administrators, and require anyone logging in with an email and password to reset their credentials.

Once access is secured, we recommend reviewing the audit logs to identify any suspicious or unwanted activity—especially actions taken by external actors. If you discover documents or folders that may have been improperly accessed or shared, you can revoke that access directly from the Discovery tool. 

1. Run a search in Discovery with the necessary parameters for your search results, including users, keywords, document type, and creation date.
2. From the search results, check the box to the far left of one or more documents. Select the box at the top of the search results page to select all documents.
3. Click Actions at the top right of the search results.
4. Select one of the following options:

   • Remove any type of external access to remove external collaborators and turn off external shareable links on the selected documents or folders.

   • Only remove external collaborators to remove external collaborators from the selected documents or folders.

   • Only restrict external links to turn off external shareable links on selected documents or folders.

5. In the panel that appears, select your external access and notification preferences.
6. Click Remove external access.

For assistance in investigating, reach out to support@lucid.co or security@lucid.co.

Note: These guides are here to help you get the most out of Enterprise Shield, but are not intended to address all scenarios or compliance requirements. You’re in the best position to decide how to configure your settings to ensure they meet your specific security and privacy needs.