Microsoft Defender Out-of-the-Box Response Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

Note: Microsoft Azure Active Directory (Azure AD) is now called Microsoft Entra ID.

Requirements

One of the following Microsoft plans:

  • Microsoft 365 Business Premium
  • Microsoft 365 E3/E5
  • Microsoft Defender for Endpoint P1/P2
  • Any Microsoft plan that includes Defender for Endpoint P1/P2

Lumu License

  • An active Lumu Defender subscription

Configure Microsoft Defender

If you operate a multi-tenant organization in Microsoft Entra ID, you must create an admin user on the tenant you want to integrate with Lumu before proceeding. This is the user the integration will be configured for. For details, refer to Microsoft's documentation on multitenant organization capabilities in Microsoft Entra ID.

After ensuring that your agents are correctly configured on the supported Windows versions across the organization, and that device onboarding in the Microsoft Defender portal is complete, follow these steps:

1. Log in to your Microsoft Defender Portal.

2. Go to the Settings section.

3. Go to Settings > Endpoints and, under Advanced features, turn on the Custom network indicators option.

4. In the Endpoints screen, click the Indicators menu under the Rules section. There you will see the IOCs populated by Lumu, each under its own category: File hashes and URLs/Domains.

To use this feature, devices must be running Windows 10 version 1709 or later, or Windows 11. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform. For reference, see the KB 4052623 update documentation. More information on how to configure network protection in block mode can be found in this Turn on network protection article.
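The following PowerShell check is an added example, not part of the Lumu article or Microsoft's documentation. It verifies on a single endpoint the three prerequisites listed above (OS build, antimalware platform version, network protection in block mode), using the Defender cmdlets Get-MpComputerStatus and Get-MpPreference; it assumes Microsoft Defender Antivirus is installed and that you run it in an elevated PowerShell session.

```powershell
# Added example: verify that this endpoint meets the prerequisites for custom network
# indicators before expecting Lumu-pushed IOCs to be enforced. Not Lumu's own code.

$minBuild    = 16299                   # Windows 10 version 1709; every Windows 11 build is higher
$minPlatform = [version]'4.18.1906.3'  # antimalware platform version required (see KB 4052623)

$status = Get-MpComputerStatus         # reports AMProductVersion (antimalware platform version)
$pref   = Get-MpPreference             # reports EnableNetworkProtection (0 = Disabled, 1 = Block, 2 = Audit)
$build  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

$checks = [ordered]@{
    'OS build >= 16299 (Win10 1709 / Win11)' = ($build -ge $minBuild)
    'Antimalware platform >= 4.18.1906.3'    = ([version]$status.AMProductVersion -ge $minPlatform)
    'Network protection in block mode'       = ($pref.EnableNetworkProtection -eq 1)
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0,-42} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' })
    if (-not $ok) { $failed += $name }
}

if ($failed.Count -eq 0) {
    'Endpoint meets the prerequisites for custom network indicators.'
} else {
    # Audit mode (value 2) logs matches but does not block; only value 1 enforces the indicators.
    "Remediate before relying on indicator enforcement: $($failed -join '; ')"
}
```

Run it on a few representative devices rather than assuming fleet-wide coverage; an endpoint in audit mode will show Lumu indicators in the portal but will not block the traffic.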

Add Integration

Please be aware that it is crucial to retain the Microsoft Entra ID application created by Lumu for your Out-of-the-Box integration. This application plays a vital role in maintaining the functionality and security of the integration. Delete the application only once you have determined that it is no longer needed. If you have any questions about the appropriate time to delete the application, please consult our technical support team for guidance.

1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen.

2. Locate the Microsoft Defender integration in the available apps area and click to add, then click to view details.

3. Familiarize yourself with the integration details available in the app description and click the button below to activate the integration.

4. To activate the integration, click the Activate button and read the instructions that appear. After reading them, click the Activate button again.

5. The Microsoft login will look like the following:

Remember to sign in with an administrator account: only an administrator can grant the requested permissions on behalf of your whole organization.

6. To successfully configure your integration with the Microsoft Defender portal, follow these steps:

A. Provide a Name: Choose a meaningful identifier for this integration.

B. Select Threat Mappings: Determine the specific threat mappings you want to push to the Microsoft Defender portal.

C. Choose Actions: For each threat indicator, specify the action you want to take. This could include block, warn, and alert.

D. Set Alert Severity: Define the severity level for alerts based on the threat type.

Once these steps are complete, the integration is configured and your threat management capabilities are extended to Microsoft Defender.

Steps A and B:

Step C:

Step D:

If you choose the “Audit” action, note that the “NotAlert” option for alert severity cannot be selected, because the Audit action always generates an alert.

Once you've completed all necessary configurations, go ahead and click the “Create” button to finalize the process.

7. The integration is now created and active, and the Lumu Portal displays the details of the created integration:

Keep in mind the info panel when editing the configuration: changes to threat mappings apply only to new incidents; past incidents will not be updated to the new settings.

Once the integration is activated, the Microsoft Defender Indicators section will be updated with confirmed compromises found by Lumu within the preceding 3 days.