One of the following Microsoft plans:
Lumu License
After ensuring your agents are correctly configured on the organization's supported Windows versions and completing device onboarding in the Microsoft Defender portal, follow these steps:
1. Log in to your Microsoft Defender Portal.
2. Go to the Settings section.
3. Go to Settings > Endpoints and, under Advanced features, turn on Custom network indicators.
4. On the Endpoints screen, click the Indicators menu under the Rules section. There you will see the IoCs populated by Lumu under its own category: File hashes and URLs/Domains.
To use this feature, devices must be running Windows 10 version 1709 or later, or Windows 11. They must also have network protection in block mode and antimalware platform version 4.18.1906.3 or later. For reference, see the KB 4052623 update documentation. More information on how to configure network protection in block mode can be found in the Turn on network protection article.
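The three endpoint prerequisites above can be verified locally before activating the integration. The script below is an added example, not part of the Lumu documentation or product; it assumes an elevated PowerShell session on the endpoint, maps Windows 10 version 1709 to build 16299, and reads the platform version from the Defender cmdlets' AMProductVersion field.

```powershell
# Added prerequisite check for the Lumu / Microsoft Defender indicator integration
# (example code, not from Lumu). Run in an elevated PowerShell session on the endpoint.
# Requirements from the documentation:
#   - Windows 10 version 1709 (build 16299) or later, or Windows 11
#   - Antimalware platform version 4.18.1906.3 or later
#   - Network protection in block mode

$MinBuild    = 16299                        # Windows 10 version 1709; Windows 11 is 22000+
$MinPlatform = [version]'4.18.1906.3'

function Test-LumuDefenderPrereqs {
    # OS build from the registry; the .NET OSVersion value can be compatibility-shimmed
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # AMProductVersion is the antimalware *platform* version, not the engine or signatures
    $status   = Get-MpComputerStatus
    $platform = if ($status.AMProductVersion) { [version]$status.AMProductVersion } else { [version]'0.0' }

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $np   = (Get-MpPreference).EnableNetworkProtection
    $mode = switch ($np) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { "Unknown($np)" } }

    # One object per check so the caller can format or act on the results
    [pscustomobject]@{ Check = "OS build $build >= $MinBuild";            Passed = ($build -ge $MinBuild) }
    [pscustomobject]@{ Check = "Platform $platform >= $MinPlatform";       Passed = ($platform -ge $MinPlatform) }
    [pscustomobject]@{ Check = "Network protection mode $mode == Block";   Passed = ($np -eq 1) }
}

$results = Test-LumuDefenderPrereqs
$results | Format-Table -AutoSize

if ($results.Passed -contains $false) {
    Write-Warning 'Endpoint does not meet the Defender indicator prerequisites.'
    # Remediation for the network protection check (see the Turn on network protection article):
    #   Set-MpPreference -EnableNetworkProtection Enabled
    exit 1
}
Write-Output 'All prerequisites met.'
```

The portal-side setting (Custom network indicators) cannot be verified from the endpoint and still has to be checked in the Defender portal as described in step 3.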
1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen.
2. Locate the Microsoft Defender integration in the available apps area and click to add, then click to view details.
3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.
4. To activate the integration, click on the activate button and read the following instructions. After reading the instructions click again on the Activate button.
5. The Microsoft login will look like the following:
6. To successfully configure your integration with the Microsoft Defender portal, follow these steps:
A. Provide a Name: Choose a meaningful identifier for this integration.
B. Select Threat Mappings: Determine the specific threat mappings you want to push to the Microsoft Defender portal.
C. Choose Actions: For each threat indicator, specify the action you want to take. This could include block, warn, and alert.
D. Set Alert Severity: Define the severity level for alerts based on the threat type.
After completing these steps, the integration is configured and your threat management capabilities are extended to Microsoft Defender.
Steps A and B:
Step C:
Step D:
If you choose the “Audit” action, note that the “NotAlert” option cannot be selected for alert severity, because an audit action requires an alert to be generated.
Once you have completed all necessary configurations, click the “Create” button to finalize the process.
7. The integration is now created and active. Now, the Lumu Portal will display the details of the created integration: