Microsoft Defender Out-of-the-Box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

Note: Microsoft Azure Active Directory (Azure AD) is now called Microsoft Entra ID.

Requirements

One of the following Microsoft plans:

  • Microsoft 365 Business Premium
  • Microsoft 365 E3/E5
  • Microsoft Defender for Endpoint P1/P2
  • Any Microsoft plan that includes Defender for Endpoint P1/P2

Lumu License

  • An active Lumu Defender subscription

Configure Microsoft Defender

After verifying that your agents are correctly configured on the organization's supported Windows versions and that device onboarding has been completed in the Microsoft Defender portal, follow these steps:

1. Log in to your Microsoft Defender Portal.

2. Go to the Settings section.

3. Go to Settings > Endpoints, open Advanced features, and turn on Custom network indicators.

4. Still in the Endpoints screen, click Indicators under the Rules section. There you will see the IOCs populated by Lumu under its own category, split into File hashes and URLs/Domains.


To use this feature, devices must be running Windows 10 version 1709 or later, or Windows 11. They must also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform. For reference, see the KB 4052623 update documentation. More information on how to configure network protection in block mode can be found in the Turn on network protection article.
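As an added example (not part of this article or of Lumu's software), the following PowerShell script checks an endpoint against the prerequisites just listed; it assumes an elevated session on the device itself, with the Defender cmdlets Get-MpComputerStatus and Get-MpPreference available.

```powershell
# Added example: verify the Defender prerequisites for Lumu custom network indicators.
# Assumes an elevated PowerShell session on the endpoint with the Defender module loaded.

$minPlatform   = [version]'4.18.1906.3'   # antimalware platform version required above
$minWin10Build = 16299                    # Windows 10 version 1709 is OS build 16299

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$build  = [int]$os.BuildNumber
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# AMProductVersion is the antimalware platform version (4.18.x.y), not the engine version.
$platform = [version]$status.AMProductVersion

$results = [ordered]@{
    'Windows 10 1709+ or Windows 11'       = ($build -ge $minWin10Build)
    'Antimalware platform >= 4.18.1906.3'  = ($platform -ge $minPlatform)
    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block mode), 2 = Audit mode
    'Network protection in block mode'     = ($pref.EnableNetworkProtection -eq 1)
}

$failed = @()
foreach ($check in $results.GetEnumerator()) {
    $state = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0,-38} {1}" -f $check.Key, $state)
    if (-not $check.Value) { $failed += $check.Key }
}

if ($failed.Count -eq 0) {
    Write-Host 'All prerequisites met: Lumu indicators can be enforced on this device.'
} else {
    Write-Warning "Prerequisites not met: $($failed -join '; ')"
    if ($pref.EnableNetworkProtection -ne 1) {
        # Audit mode (2) only logs; block mode (1) is required for the Block action to take effect.
        Write-Host 'To switch network protection to block mode, run:'
        Write-Host '    Set-MpPreference -EnableNetworkProtection Enabled'
    }
}
```

A device that passes only in audit mode will report Lumu indicator hits but not block them, so the block-mode check is the one to watch when the integration's Block action seems to have no effect.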

Add Integration

Please be aware that it is crucial to retain the Entra ID application that Lumu creates for your Out-of-the-Box integration. This application is what keeps the integration working and secure. Delete it only once you have determined that it is no longer needed. If you have any questions about when it is appropriate to delete the application, please consult our technical support team for guidance.

1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen.

2. Locate the Microsoft Defender integration in the available apps area and click to add, then click to view details.

3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.

4. Click the Activate button and read the instructions that appear. After reading them, click Activate again.

5. The Microsoft login will look like the following:

Remember to sign in with an administrator account: only an administrator can grant the requested permissions on behalf of your whole organization.

6. To configure the integration with the Microsoft Defender portal, follow these steps:

A. Provide a Name: Choose a meaningful identifier for this integration.

B. Select Threat Mappings: Determine the specific threat mappings you want to push to the Microsoft Defender portal.

C. Choose Actions: For each threat indicator, specify the action you want to take. This could include block, warn, and alert.

D. Set Alert Severity: Define the severity level for alerts based on the threat type.

After completing these steps, the integration is configured and your threat response capabilities are extended to Microsoft Defender.

Steps A and B:

Step C:

Step D:

If you choose the “Audit” action, the “NotAlert” option for alert severity cannot be selected, because in audit mode an alert must be generated.

Once you've completed all necessary configurations, go ahead and click the “Create” button to finalize the process.

7. The integration is now created and active. Now, the Lumu Portal will display the details of the created integration:

Note the info panel shown when editing the configuration: changes to threat mappings apply only to new incidents; past incidents are not updated to the new settings.

Once the integration is activated, the Microsoft Defender Indicators section will be updated with confirmed compromises found by Lumu within the preceding 3 days.