Built-in Agent Response


Note: This feature is only available for the Lumu Defender subscription and the Windows and Windows Server Agents.

The Lumu Agent is lightweight endpoint software designed to extend visibility beyond the traditional network perimeter. Agents operate silently, continuously collecting network metadata to measure compromise in real time.

Note: Learn more about Agents in Introduction to Lumu Agents.

Built-in Agent Response is an advanced capability that enables the agent to autonomously execute immediate defensive actions when specific threat types—such as Malware, Command & Control (C&C), or Spam—are detected. Instead of waiting for manual intervention or third-party relay, the agent directly blocks communication with the identified adversarial infrastructure (IPs and Domains).

Optimizing incident response orchestration

While Endpoint Detection and Response (EDR) solutions and Lumu’s Out-of-the-Box integrations with EDR solutions provide a robust baseline for organizational security, there are certain scenarios where sophisticated adversaries can develop methods to bypass these controls.

Built-in Agent Response serves as a complementary defense layer designed to address these gaps. By orchestrating a direct, automated response at the network level of the endpoint itself, Lumu ensures:

  • Protection for roaming devices: Devices operating outside the corporate firewall receive immediate protection against contact with malicious infrastructure.
  • Lower response latency: The time between detection and blocking is reduced, minimizing the window of opportunity for an adversary to establish persistence or exfiltrate data.
  • Complete orchestration: It provides a fail-safe mechanism that operates in conjunction with existing EDRs, ensuring maximum coverage and value even in scenarios where primary defenses may be evaded.

Built-in response configuration

Note: Only administrator users can set up the Built-in Automatic Response for Lumu Agents.

Lumu provides a flexible dual-layer configuration model, allowing administrators to establish a standardized security baseline while retaining the ability to apply granular policies to specific Agent groups. In the Lumu Portal, administrators can configure two types of policies:

  • Built-in Global Response: This is the default response policy that will apply to all existing Agent Groups.
  • Agent Group custom configuration: For scenarios requiring distinct security profiles, administrators can override the global defaults by configuring the response at the group level by either adding a new set of rules or disabling the automated response entirely.

The following section will go over the instructions to configure each type of response policy.

Note: Find more information about Agent Groups in our documentation.

Built-in Global Response

To configure the global response, log in to the Lumu Portal and follow these instructions.

1. Go to Settings > Built-in Response.

2. Turn the Automated Response toggle ON.

Note: By default, the global response is turned off.

3. Select the Threat Types the Agent should respond to. When finished, click Save Changes.

4. Go to Collectors > Agents and you will now see that the Agent Installation Groups have the Automated Response enabled.


Agent Group custom configuration

Note: Applying a custom response policy to a group overrides the Global Built-in configuration. Agents within this group will operate exclusively according to the specific rules defined here and will no longer inherit settings from the Built-in Global Response.

To apply a custom configuration to specific Agent Groups, log in to the Lumu Portal and follow these instructions.

1. Go to Collectors > Agents.

2. In the Installation Groups section, select the groups you want to configure and click Edit.

3. In the edit window, you will see the current response configuration applied to the group. Select the Custom option.

4. Select the desired Threat Types and click Save Changes.

5. You will see that the new configurations have been applied to the Agent Group.

Note: This documentation covers the configuration of existing Agent Groups. If you are creating an Agent Group from scratch, we recommend following the Lumu Agent Groups documentation.

Expected results

When the Automated Agent Response is configured and fully operational, you can expect to see the following.

Installation Groups

When viewing the details of an Agent Group, you can see whether the Automated Response is enabled and which configuration the group is using.

Agents

You can recognize whether a specific Agent has an automated response by the Automated Response icon next to its name.

When viewing its details, it will state which configuration the Agent is using.

Incident details

Every incident that has been automatically responded to by this feature will look as follows.

