What Changed
New Lumen Technologies threat intelligence solution for Microsoft Sentinel, including:
- 10 analytic rules covering IP and domain-based threat detection across multiple data sources
- 2 hunting queries for proactive threat hunting
- Threat feed overview workbook for visibility and metrics
- Azure Durable Function App connector with STIX object upload integration
- ARM templates for automated deployment and connector UI definition
Detection Logic
Primary data sources: DNS, CommonSecurityLog, DeviceEvents, DeviceNetworkEvents, IdentityLogonEvents, OfficeActivity, SecurityEvent, SigninLogs, WindowsEvents
Core logic: correlates Lumen threat intelligence indicators with network and authentication events to detect traffic to or from indicator IPs and domains across the enterprise
Entity types mapped: IP addresses, domains, accounts, and hosts, so that each match surfaces as entities for incident correlation
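As an added example (not one of the solution's rule files), the shape of a scheduled analytic rule of the kind described above: it takes active, unexpired IPv4 indicators from the feed, joins them against both the source and destination address in CommonSecurityLog, and maps the matched IP and the reporting device to IP and Host entities. Assumed, not taken from the page: the `SourceSystem` value `"Lumen"`, that the connector writes to the `ThreatIntelIndicators` table (the legacy `ThreatIntelligenceIndicator` schema uses `NetworkIP`/`Active`/`ExpirationDateTime` instead), the placeholder rule `id`, and the omitted Lumen `connectorId`.

```yaml
# Added example: Sentinel scheduled analytic rule template (not a file from the Lumen solution).
id: 00000000-0000-0000-0000-000000000000   # placeholder; every real rule needs its own GUID
name: Lumen TI map IP entity to CommonSecurityLog (example)
description: |
  Identifies CommonSecurityLog events whose source or destination address matches an
  active IPv4 indicator from the Lumen threat feed.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: CEF
    dataTypes:
      - CommonSecurityLog
  # the Lumen connector's own connectorId is not stated on this page; add it here
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  let dt_lookBack = 1h;          // telemetry window per run
  let ioc_lookBack = 14d;        // how far back to pull indicators
  let lumen_source = "Lumen";    // assumed SourceSystem value written by the connector
  // Current, active IPv4 indicators from the feed (assumes the ThreatIntelIndicators table).
  let ip_iocs = ThreatIntelIndicators
      | where TimeGenerated >= ago(ioc_lookBack)
      | where SourceSystem == lumen_source
      | where ObservableKey == "ipv4-addr:value"
      | where IsActive == true and ValidUntil > now()
      | summarize arg_max(TimeGenerated, *) by Id       // newest version of each STIX object
      | project IndicatorId = Id, IndicatorIp = ObservableValue, Confidence, ValidUntil,
                IndicatorName = tostring(Data.name);
  let csl = CommonSecurityLog
      | where TimeGenerated >= ago(dt_lookBack)
      | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceName, DeviceAction,
                Activity, SourceIP, DestinationIP, DestinationPort;
  // Check both directions so inbound scans and outbound beacons are both caught.
  union
      (csl | where isnotempty(DestinationIP) | extend MatchedIp = DestinationIP, Direction = "outbound"),
      (csl | where isnotempty(SourceIP)      | extend MatchedIp = SourceIP,      Direction = "inbound")
  | join kind=inner ip_iocs on $left.MatchedIp == $right.IndicatorIp
  | where TimeGenerated < ValidUntil                     // event must predate indicator expiry
  | summarize EventCount = count(),
              FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
              Ports = make_set(DestinationPort, 10), Actions = make_set(DeviceAction, 10)
        by MatchedIp, Direction, IndicatorId, IndicatorName, Confidence,
           DeviceVendor, DeviceProduct, DeviceName
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: MatchedIp
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
version: 1.0.0
kind: Scheduled
```

The `arg_max(...) by Id` step matters: STIX objects are re-uploaded as they are revised, and without it a deactivated indicator's older active version would still match. The domain-based rules follow the same pattern with `ObservableKey == "domain-name:value"` joined against DNS query names, and the identity rules join against the client IP in SigninLogs and IdentityLogonEvents with an Account entity mapping.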
Security Impact (Visibility & Fidelity)
This solution gives SOC teams access to Lumen's commercial threat intelligence feed, expanding detection coverage to attacker infrastructure (IPs and domains) that Lumen tracks, including newly emerging infrastructure. The Durable Function connector handles reliable, scalable ingestion of indicators, and the analytic rules alert on indicator matches. Because threat-intelligence match rules normally filter to active, unexpired indicators, a stalled ingestion pipeline silently shrinks coverage without raising any alert; the overview workbook should be used to confirm indicators are arriving and not all expiring.
The solution closes a visibility gap by correlating Lumen's commercial threat feed with organizational telemetry across network, endpoint, and identity data sources, at each analytic rule's query frequency.
Affected Files
Analytic rules added (10 files): IP and domain-based detections for multiple data sources
Hunting queries added (2 files): Domain and IP indicator hunting queries
Workbook added: Lumen-Threat-Feed-Overview.json
Data connector: Azure Durable Function with STIX integration
ARM templates: Function deployment and connector UI definition
Solution metadata: Complete solution packaging for Content Hub