Lumen Defender Threat Feed Data Connector V2 (using Azure Functions Flex Consumption Plan with Private Networking)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Connectors Index

---

Attribute	Value
Connector ID	LumenThreatFeedConnectorV2PrivateNetworking
Publisher	Lumen Technologies, Inc.
Used in Solutions	Lumen Defender Threat Feed
Collection Method	Azure Function
Connector Definition Files	LumenThreatFeedConnectorV2_PrivateNetworking_ConnectorUI.json

The Lumen Defender Threat Feed connector provides the capability to ingest STIX-formatted threat intelligence indicators from Lumen's Black Lotus Labs research team into Microsoft Sentinel. The connector automatically downloads and uploads threat intelligence indicators including IPv4 addresses and domains to the ThreatIntelIndicators table via the STIX Objects Upload API.

NOTE: This data connector uses the Azure Functions Flex Consumption Plan with VNet integration for secure, private network access to storage resources. More pricing details are here.

Tables Ingested

This connector ingests data into the following tables:

Table	Transformations	Ingestion API	Lake-Only
ThreatIntelIndicators	✓	✓	?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions: - Log Analytics Workspace (Workspace): Read and write permissions on the Log Analytics workspace are required.

Custom Permissions: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions. - Azure Entra App Registration: An Azure Entra application registration with the Microsoft Sentinel Contributor role assigned is required for STIX Objects API access. See the documentation to learn more about Azure Entra applications. - Microsoft Sentinel Contributor Role: Microsoft Sentinel Contributor role is required for the Azure Entra application to upload threat intelligence indicators. - Lumen Defender Threat Feed API Key: A Lumen Defender Threat Feed API Key is required for accessing threat intelligence data. Contact Lumen for API access. - Virtual Network permissions (for private access): For private storage account access, Network Contributor permissions are required on the Virtual Network and subnets. The Function App subnet must be delegated to Microsoft.App/environments for Flex Consumption VNet integration.

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

NOTE: This connector uses Azure Functions with the Flex Consumption Plan to connect to the Lumen Defender Threat Feed API and upload threat intelligence indicators to Microsoft Sentinel via the STIX Objects API. The Flex Consumption Plan enables VNet integration for secure, private network access to storage resources. This might result in additional data ingestion and compute costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store API keys and secrets in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Functions App.

1. Configuration

STEP 1 - Network Prerequisites for Private Access

IMPORTANT: When deploying with private storage account access, you need a Virtual Network with two properly configured subnets. You can either use an existing VNet or deploy one using the template below.

Option A: Deploy a New Virtual Network (Recommended for new deployments)

Use this template to create a properly configured VNet with two subnets: - Function App Subnet: Delegated to Microsoft.App/environments for Flex Consumption VNet integration - Private Endpoint Subnet: For storage account private endpoints

After deployment, note the following output values for use in STEP 5: - VNet Name (default: lumen-threatfeed-vnet) - VNet Resource Group - Function App Subnet Name (default: functionapp-subnet) - Private Endpoint Subnet Name (default: privateendpoint-subnet)

Option B: Use an Existing Virtual Network

If using an existing VNet, ensure the following requirements are met:

• Virtual Network: Must be in the same region where you plan to deploy the Function App
• Function App Subnet: Must be delegated to Microsoft.App/environments (required for Flex Consumption Plan)
• Private Endpoint Subnet: Must NOT be delegated to any service
• Subnet Size: Minimum /24 recommended for each subnet
• Subnet Delegation: Configure using one of the following methods:
• Azure Portal: Virtual networks → Select VNet → Subnets → Select subnet → Delegate to Microsoft.App/environments
• Azure CLI: az network vnet subnet update --resource-group <rg-name> --vnet-name <vnet-name> --name <subnet-name> --delegations Microsoft.App/environments

Note: The connector deployment will automatically create private endpoints for storage services (blob, queue, table, file) and configure Private DNS zones.

STEP 2 - Obtain Lumen Defender Threat Feed API Key

1. Contact Lumen to obtain API access to our Threat Feed API service
2. Obtain your API key for authentication.

STEP 3 - Configure Azure Entra ID Application and gather information

1. Create a new Entra app registration from the App registrations tab in the Entra ID section of the Azure portal. See the documentation for a guide to registering an application in Microsoft Entra ID.
2. Create a client secret and note the Application ID, Tenant ID, and Client Secret
3. Assign the Microsoft Sentinel Contributor role to the newly registered application in the Access control (IAM) menu of your Microsoft Sentinel Log Analytics Workspace
4. Make note of your Workspace ID, which can be obtained from the overview page of the Log Analytics Workspace for your Microsoft Sentinel instance. - Tenant ID: TenantId

   Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Workspace ID: WorkspaceId Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.

STEP 4 - Enable the Threat Intelligence Upload Indicators API (Preview) data connector in Microsoft Sentinel

1. Deploy the Threat Intelligence (New) Solution, which includes the Threat Intelligence Upload Indicators API (Preview)
2. Browse to the Content Hub, find and select the Threat Intelligence (NEW) solution.
3. Select the Install/Update button.

STEP 5 - Deploy the Azure Function with Private Networking

IMPORTANT: Before deploying the Lumen Defender Threat Feed connector, have the following information readily available: - Tenant ID and Workspace ID - Azure Entra application details (Client ID, Client Secret) - Lumen API key - Virtual Network name and Resource Group - Function App Subnet name (delegated to Microsoft.App/environments) - Private Endpoint Subnet name (non-delegated)

1. Click the Deploy to Azure button.

2. Fill in the appropriate values for each parameter:

Basic Settings: - Subscription: Confirm the correct subscription is selected or use the dropdown to change your selection - Resource Group: Select the resource group to be used by the Function App and related resources - Function Name: Enter a globally unique name for the Function App (11-character limit recommended) - App Insights Workspace Resource ID: The Resource ID of the Log Analytics Workspace for Application Insights (click JSON View on the Log Analytics workspace to copy)

Lumen API Settings: - Lumen API Key: Obtain an API key through Lumen support - Lumen Base URL: Filled in automatically and should generally not be changed - Confidence Threshold (Optional): Minimum confidence score (60-100) for indicators (default: 60) - Enable IPv4 (Optional): Enable IPv4 address indicators (default: true) - Enable Domain (Optional): Enable domain name indicators (default: true)

Azure Entra ID Settings: - Workspace ID: Found in the "Overview" tab for the Log Analytics Workspace of the Microsoft Sentinel instance - Tenant ID: Obtained from the Entra App Registration overview page (listed as Directory ID) - Client ID: Obtained from the Entra App Registration overview page (listed as Application ID) - Client Secret: Obtained when the secret is created during the app registration process

Private Networking Settings: - VNet Resource Group Name: The resource group containing the Virtual Network (if using the VNet template from STEP 1, this is where you deployed it) - VNet Name: The name of the Virtual Network (default from VNet template: lumen-threatfeed-vnet) - Function App Subnet Name: The subnet delegated to Microsoft.App/environments (default from VNet template: functionapp-subnet) - Private Endpoint Subnet Name: The subnet for private endpoints (default from VNet template: privateendpoint-subnet) - Create Private DNS Zones: Set to true to create new Private DNS Zones, or false to use existing ones

Note: Ensure the Function App subnet is delegated to Microsoft.App/environments before deployment. The deployment will create private endpoints for storage account services and configure Private DNS zones automatically.

STEP 6 - Verify Deployment

1. The connector polls for indicator updates every 15 minutes.
2. Verify that the Function App is properly integrated with the Virtual Network by checking the Networking settings in the Azure Portal
3. Confirm that private endpoints were created for the storage account services (blob, file, queue, table)
4. After the app performs its first run, review the indicators ingested by either viewing the "Lumen Defender Threat Feed Overview" workbook or viewing the "Threat Intelligence" section in Microsoft Sentinel. In Microsoft Sentinel "Threat Intelligence", filter for source "Lumen" to display only Lumen generated indicators.

Troubleshooting Private Networking Issues

If the Function App is not receiving data after deployment:

1. Check VNet Integration: Navigate to Function App → Networking → VNet integration and verify the Function App subnet is connected
2. Verify Private Endpoints: Navigate to the storage account → Networking → Private endpoint connections and verify all endpoints are in "Approved" state
3. Check DNS Resolution: Ensure private DNS zones are properly linked to the VNet for storage account resolution
4. Review Function Logs: Check Application Insights or Function App logs for connection errors
5. Subnet Delegation: Confirm the Function App subnet is delegated to Microsoft.App/environments (required for Flex Consumption Plan)

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Connectors Index