Requirements

• An active Lumu Insights and Lumu Defender Subscription.
  
• A Microsoft Entra ID P1 or P2 license.
  
• Configured Azure Event Hub (Event Hub mode only).
  

Integration overview - Operation modes

This integration is designed to operate in either of these modes.

• Simplified mode: recommended for small user deployments. This mode has a lower time window set for pulling events, which can lead to some missed detections.
• Event Hub mode: recommended for medium or large user deployments. This mode offers greater performance by streaming detections in real time. However, it requires additional configurations from the user, and it has an additional subscription cost defined during the Event Hub configuration.

Select the integration mode that best meets your organization's needs. The following sections will guide you through the steps required to deploy either operation mode.

Preliminary Setup - Log Streaming powered by Azure Event Hub

This configuration is only required if you are using the Event Hub integration mode.

Follow these instructions to create and configure an Event Hub in the Azure Portal.

Namespace Creation

1. Log in to the Azure Portal and access Event Hubs. You can use the search box at the top of the Azure portal to find it if it is not already listed.

2. Then, click Create to create the namespace where the Event Hub is going to be configured.

3. Fill in the required information in the Basics tab following these considerations:

• Select your desired Subscription and Resource Group. Keep note of this information, it will be required during the Integration Setup.
• Provide a distinctive name for your Namespace. Keep note of this information, it will be required during the Integration Setup.
• Select the appropriate Region.
• Select the Pricing tier based on your typical streaming. We recommend using the Standard tier, as it provides the essential features needed for enterprise-grade event streaming.
• Set the number of Throughput Units (TUs) to your namespace to 2. It should be set to 4 for larger user deployments.
• Keep the Auto-Inflate feature disabled.

4. Go to the Networking tab and select Public Access as the Connectivity method.

5. When finished, click on Review + create. You will see the following confirmation window.

Event Hub Creation

1. From the left-side panel, go to Entities > Event Hub and click on Event Hub (1).

2. Configure the event hub as follows:

• Provide a distinctive name. Keep note of this information, it will be required during the Integration Setup.
• Set the Partition count number to two partitions. Set it to 4 for larger use deployments.
• Define the retention policy as per your organization's standards.

3. Once you create the event hub, go to Entities > Consumer Groups and click on Consumer group (1) to add the following name: lumu-entra-id-pull-integration

Having configured the event hub, you are ready to continue with the integration.

Integration Setup - Lumu Portal

Do not delete the Microsoft Entra ID Enterprise Application created by Lumu from the Azure Portal. This application serves a vital role in maintaining the functionality of the integration. Deletion of the application will cause the integration to stop working.

This section describes the steps that must be completed on the Lumu Portal to properly set up the Microsoft Entra ID integration. To start, log into your Lumu account through the Lumu Portal.

Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.

1. In the Lumu Portal, head to the left panel and select Integrations > Apps. Then, click on the Data Collection tab.

2. Locate the Microsoft Entra ID integration and click Add.

3. Familiarize yourself with the integration details available in the app description and click Activate to start the integration setup process.

4. Carefully read the instructions provided and click Activate.

5. You will be redirected to the Microsoft sign-in page. Use an administrator account, only an administrator has the required permission to complete the integration.

6. Once you are logged in, you will need to approve the required permissions. Click Accept to continue.

Now that you have successfully authenticated and accepted the required permission, you will be redirected back to the Activate Integration modal. Select your preferred integration mode based on the information provided in the Integration Overview.

Event Hub Mode

1. Select Event Hub as your integration mode and give a distinctive name for the integration. Then, click Next.

2. You will be required to accept new permissions. Click on Consent on behalf of your organization and then click on Accept.

3. Select the subscription used to configure the namespace in the Namespace Creation step. Then, click Next.

4. Select the Namespace name and Resource Group selected during the Namespace Creation step. Then, click Next.

5. Now select the event hub you created during the Event Hub Creation step and click Activate.

6. Wait for Lumu to set up the collection mechanism.

7. Once the process is complete, click Close.

8. Once you activate the integration, the Lumu Portal will display the details of the newly created integration.

Simplified Mode

1. Select Simplified as your integration mode and give a distinctive name for the integration. Then, click Activate.

2. Once you activate the integration, the Lumu Portal will display the details of the newly created integration.