What Changed

Lumen Threat Feed solution updated from daily full sync to 15-minute delta synchronization with enhanced polling logic and workbook improvements.

API Flow Changes

  • New delta sync architecture: POST /reputation-query → Poll GET /reputation-query/{cache_id} → Download results
  • Combined indicator processing: Single endpoint handles both IPv4 and domain indicators simultaneously
  • Enhanced polling mechanism: 1-second intervals with 5-minute timeout for query completion
  • Improved statistics tracking: Added poll attempts, query times, and cache query metrics

Security Impact (Visibility & Fidelity)

Enhanced threat intelligence ingestion providing:

  • 15-minute refresh cycle replacing daily full sync for more current threat indicators
  • Reduced API latency through optimized polling and combined indicator endpoints
  • Better error handling with retry logic and timeout management for reliable data flow
  • Enhanced workbook visualization with updated threat intelligence dashboards

Affected Files

Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/main.py
Solutions/Lumen Defender Threat Feed/Data Connectors/LumenThreatFeed/LumenThreatFeedConnector/timer_starter_function/__init__.py
Solutions/Lumen Defender Threat Feed/Workbooks/Lumen-Threat-Feed-Overview.json
(packaging artefacts: mainTemplate.json, 3.1.0.zip, LumenThreatFeedConnector.zip)
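
The POST, poll, download flow listed under API Flow Changes, sketched as an added example that is not the connector's own code. The response fields (`cache_id`, `status`, `results_url`, `indicators`, `type`, `value`), the `FakeFeed` stand-in and its sample indicators are assumptions constructed for illustration; only the endpoint paths, the 1-second interval and the 5-minute timeout come from the description above.

```python
import time

POLL_INTERVAL_S = 1    # from the description: 1-second polling interval
POLL_TIMEOUT_S = 300   # from the description: 5-minute completion timeout

class QueryTimeout(Exception):
    """Raised when the query does not complete within POLL_TIMEOUT_S."""

def run_delta_sync(request, sleep=time.sleep, clock=time.monotonic):
    """Run one POST -> poll -> download cycle.

    `request(method, path)` returns a parsed JSON dict. All response
    field names used here are assumed, not taken from the real API.
    """
    started = clock()
    cache_id = request("POST", "/reputation-query")["cache_id"]
    attempts = 0
    while True:
        attempts += 1
        poll = request("GET", f"/reputation-query/{cache_id}")
        if poll.get("status") == "complete":
            break
        # Bound the wait so a stuck query cannot stall the 15-minute cycle.
        if clock() - started >= POLL_TIMEOUT_S:
            raise QueryTimeout(f"{cache_id}: no result after {attempts} polls")
        sleep(POLL_INTERVAL_S)
    indicators = request("GET", poll["results_url"])["indicators"]
    # One result set carries both indicator kinds; split them for ingestion.
    by_type = {"ipv4": [], "domain": []}
    for item in indicators:
        by_type.setdefault(item["type"], []).append(item["value"])
    stats = {"poll_attempts": attempts, "query_seconds": clock() - started}
    return by_type, stats

class FakeFeed:
    """Constructed stand-in for the API: pending for `ready_after` polls."""
    def __init__(self, ready_after):
        self.ready_after, self.polls, self.now = ready_after, 0, 0.0
    def request(self, method, path):
        if method == "POST":
            return {"cache_id": "example-cache-id"}
        if path == "/results/example-cache-id":
            return {"indicators": [
                {"type": "ipv4", "value": "192.0.2.10"},
                {"type": "domain", "value": "bad.example"}]}
        self.polls += 1
        done = self.polls > self.ready_after
        return {"status": "complete" if done else "pending",
                "results_url": "/results/example-cache-id"}
    def sleep(self, seconds):
        self.now += seconds   # advance the fake clock instead of waiting
    def clock(self):
        return self.now
```

Injecting `sleep` and `clock` lets the timeout path be exercised without waiting five real minutes.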