| Attribute | Value |
|---|---|
| Publisher | Lumen Technologies, Inc. |
| Support Tier | Partner |
| Support Link | https://www.lumen.com/en-us/contact-us/support.html |
| Categories | domains |
| Version | 3.2.0 |
| Author | Matthew Collier - matthew.collier@lumen.com |
| First Published | 2025-09-12 |
| Last Updated | 2026-02-04 |
| Solution Folder | Lumen Defender Threat Feed |
The Lumen Defender Threat Feed for Microsoft Sentinel solution delivers high-confidence threat intelligence indicators of compromise directly into your Sentinel workspace.
This solution provides 2 data connector(s):
This solution uses 22 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| AADManagedIdentitySignInLogs | - | Analytics |
| AADNonInteractiveUserSignInLogs | - | Analytics |
| AADServicePrincipalSignInLogs | - | Analytics |
| ADFSSignInLogs | - | Analytics |
| ASimAuthenticationEventLogs | - | Workbooks |
| ASimDnsActivityLogs | - | Workbooks |
| ASimFileEventLogs | - | Workbooks |
| ASimNetworkSessionLogs | - | Workbooks |
| ASimProcessEventLogs | - | Workbooks |
| ASimWebSessionLogs | - | Workbooks |
| AuditLogs | - | Workbooks |
| AzureActivity | - | Workbooks |
| CommonSecurityLog | - | Analytics, Hunting, Workbooks |
| DeviceEvents | - | Analytics |
| DeviceFileEvents | - | Workbooks |
| DeviceNetworkEvents | - | Workbooks |
| DeviceProcessEvents | - | Workbooks |
| DnsEvents | - | Analytics, Workbooks |
| OfficeActivity | - | Analytics, Workbooks |
| SecurityEvent | - | Analytics |
| SigninLogs | - | Analytics, Workbooks |
| WindowsEvent | - | Analytics |
The following 3 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SecurityAlert | - | Workbooks |
| SecurityIncident | - | Workbooks |
| ThreatIntelIndicators | Lumen Defender Threat Feed Data Connector V2, Lumen Defender Threat Feed Data Connector V2 (using Azure Functions Flex Consumption Plan with Private Networking) | Analytics, Hunting, Workbooks |
This solution includes 10 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 8 |
| Hunting Queries | 1 |
| Workbooks | 1 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Lumen TI IPAddress in CommonSecurityLog | Medium | CommandAndControl | CommonSecurityLog; Internal use: ThreatIntelIndicators |
| Lumen TI IPAddress in DeviceEvents | Medium | CommandAndControl | DeviceEvents; Internal use: ThreatIntelIndicators |
| Lumen TI IPAddress in IdentityLogonEvents | Medium | CommandAndControl | AADManagedIdentitySignInLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, ADFSSignInLogs; Internal use: ThreatIntelIndicators |
| Lumen TI IPAddress in OfficeActivity | Medium | CommandAndControl | OfficeActivity; Internal use: ThreatIntelIndicators |
| Lumen TI IPAddress in SecurityEvents | Medium | CommandAndControl | SecurityEvent; Internal use: ThreatIntelIndicators |
| Lumen TI IPAddress in SigninLogs | Medium | CommandAndControl | SigninLogs; Internal use: ThreatIntelIndicators |
| Lumen TI IPAddress in WindowsEvents | Medium | CommandAndControl | WindowsEvent; Internal use: ThreatIntelIndicators |
| Lumen TI domain in DnsEvents | Medium | CommandAndControl | DnsEvents; Internal use: ThreatIntelIndicators |
| Name | Tactics | Tables Used |
|---|---|---|
| Lumen TI IPAddress indicator in CommonSecurityLog | CommandAndControl | CommonSecurityLog; Internal use: ThreatIntelIndicators |
📄 Source: Lumen Defender Threat Feed/README.md
Within a SIEM like Microsoft Sentinel, threat indicators (IoCs) help correlate known-bad artifacts—such as IPs, domains, URLs, and file hashes—with activity in your environment. Lumen’s Black Lotus Labs® (BLL) harnesses unmatched network visibility and machine intelligence to produce high-confidence indicators that can be operationalized at scale for detection and investigation.
Learn more:
Lumen Defender Threat Feed for Microsoft Sentinel offers powerful intelligence capabilities designed for security operations:
- Data Connectors/LumenThreatFeedv2 (ARM templates + Function App implementation)
- Lumen_DomainEntity_DNS.yaml
- Lumen_IPEntity_CommonSecurityLog.yaml
- Lumen_IPEntity_DeviceEvents.yaml
- Lumen_IPEntity_IdentityLogonEvents.yaml
- Lumen_IPEntity_OfficeActivity.yaml
- Lumen_IPEntity_SecurityEvent.yaml
- Lumen_IPEntity_SigninLogs.yaml
- Lumen_IPEntity_WindowsEvents.yaml
- Lumen_IPIndicator_CommonSecurityLog.yaml
- Workbooks/Lumen-Threat-Feed-Overview.json

[Content truncated...]
| Version | Date Modified (MM-DD-YYYY) | Change History |
|---|---|---|
| 3.2.0 | 02-03-2026 | Deprecated and removed V1.1 Connector. Update V2 data connector for API v3 compatibility: added QUEUED status handling, improved confidence value type conversion for string/integer support, and reordered response handling for new pagination behavior |
| 3.1.0 | 10-23-2025 | Update data connector to utilize more frequent TI object updates and improvements to Workbook |
| 3.0.0 | 09-12-2025 | Initial Solution Release |