Announcing the preview of Lumen Defender℠ threat feed for Microsoft Sentinel

We’re excited to unveil a new collaboration between Lumen and Microsoft — introducing the Lumen Defender Threat Feed, now available in the Microsoft Security Store as a limited preview. This marks a powerful step forward in delivering advanced threat intelligence to help organizations strengthen their security posture.

For the first time, security teams will be able to seamlessly access curated, high-fidelity network-based threat intelligence from Black Lotus Labs^®, directly within Microsoft Sentinel. This integration enables security teams to enrich alerts, pinpoint critical threats and enhance incident response by connecting internal signals to external adversary infrastructure.

Enhancing security with Lumen Defender threat feed

As adversaries grow more sophisticated and increase their reach across sprawling global infrastructure, security teams need visibility into the networks those adversaries use—so they can correlate incidents observed on internal networks and endpoints with the broader infrastructure behind the threat.

Lumen’s approach is to leverage the unparalleled threat research and operational strength of Black Lotus Labs through a new product offer, Lumen Defender Threat Feed for Microsoft Sentinel, to deliver fast, actionable insights directly to Sentinel, Microsoft’s industry-leading SIEM and AI-first platform. We enable Security Operations Center (SOC) analysts and security teams to correlate internal enterprise alerts with external adversary infrastructure, prioritize high-fidelity threats and respond faster with enriched context. Joint customers of Lumen Defender Threat Feed and Microsoft Sentinel can now experience:

• Experience in data collection: Harnessing the Lumen global internet backbone—the #1 peered network¹—and direct observation of global network activity.
• High-fidelity intelligence: Delivering curated, validated Indicators of Compromise (IOCs) with enriched context like threat category, risk, and mapped to campaigns.
• Seamless operationalization: Enabling rapid deployment in Microsoft Sentinel, with pre-built workbooks, analytics rules and dashboards to make threat intelligence impactful and visible.

The power of collaboration: Lumen and Microsoft

Security teams today are overwhelmed. SOCs are inundated with thousands of alerts daily—many of them low-fidelity, repetitive or lacking actionable context. Analysts can spend hours chasing down signals from endpoints, firewalls and cloud workloads, often without the visibility needed to connect the dots. The result? Alert fatigue, missed threats and reactive defense.

Take a common scenario: an endpoint alert flags a suspicious executable making a callback to an unfamiliar IP address. End-point threat intelligence, powered by deep visibility across millions of endpoints, helps identify the malware behavior, flag the callback and alert the SOC to a potential compromise. This is invaluable—it gives the team a starting point and confirms that something malicious is happening on the device.

But the investigation stalls. The IP has no known reputation, and there’s no clear link to a broader campaign. What the endpoint couldn’t see was that the IP was part of a newly activated command-and-control network spanning multiple geographies—used by an advanced persistent threat (APT) group to coordinate attacks. Without visibility into the infrastructure behind the alert, the SOC is left with fragments, unable to assess risk or respond effectively.

That’s where Lumen comes in.

Black Lotus Labs, the Lumen threat research arm, sees the internet from the outside in. Take the analogy of endpoint intelligence as watching your house from the inside—you’ll know when someone breaks a window or tampers with a lock. Lumen network-derived intelligence, powered by Black Lotus Labs, is like having surveillance on the entire neighborhood. It sees the suspicious vehicles circling the block, the coordinated movement patterns and the infrastructure attackers use before they ever reach your door.

Tying this to the scenario above, Black Lotus Labs can trace that IP to a broader malicious infrastructure, uncover related domains, identify other victims and attribute the activity to a known APT group. Endpoint intelligence sees the threat on the device; Lumen sees the infrastructure behind it. Together, these give security teams the complete picture—connecting internal alerts to external adversary operations, enriching detection and enabling faster, more confident response.

“The most critical threats aren’t always the ones screaming the loudest. By eliminating noise and surfacing hidden adversary infrastructure and infrastructure-level context, we enable SOC teams to respond fast, with greater confidence—and stay ahead of attackers,” said Martin Nystrom, VP Engineering, Black Lotus Labs.

By integrating Lumen Defender Threat Feed directly into Microsoft Sentinel, we’re giving security teams the outside-in visibility they’ve been missing. This partnership allows SOCs to correlate internal alerts with external adversary infrastructure—enriching detection, reducing false positives, and accelerating response.

It’s a meaningful step forward for our shared customers, expanding the operational reach of Black Lotus Labs’ research and making it accessible within the Microsoft Security ecosystem for the first time.

This is what sets the collaboration apart. It’s not just the quality of the data, but the seamless integration and operational value it delivers. Microsoft Sentinel users can now leverage the Lumen Defender Threat Feed to:

• Accelerate threat detection: Enrich alerts and incidents with context gained through visibility into 340,000 global route miles
• Automate response: Reduce alert fatigue and accelerate triage with precision-driven threat insights
• Enhance visibility: Gain insight into global threat campaigns, infrastructure and attack patterns—often before they reach your network

Who is Black Lotus Labs?

Black Lotus Labs is the Lumen Threat Research and Operations division—a multidisciplinary team of data scientists, reverse engineers, security engineers and threat analysts who specialize in detecting, tracking and disrupting digital threats worldwide. What sets Black Lotus Labs apart is their unmatched network visibility:

• Direct access to the Lumen internet backbone. Lumen operates one of the most connected networks in the world. This provides Black Lotus Labs with unmatched visibility into threats moving across the internet—before they ever reach your endpoint
• Tracking of 2.3 million unique threats and 46,000 command-and-control (C2) servers
• Visibility into 99% of all public IPv4 addresses via transit traffic
• Execute over ~150 C2 disruptions per month through takedowns and notifications

This massive scale allows Black Lotus Labs to map and monitor malicious infrastructure with extraordinary confidence and speed. By seeing more of the world’s internet activity—across botnets, malware, C2 networks, criminal proxies and even nation-state operations—the team can rapidly identify patterns of malicious behavior. Their research is the foundation for advanced detection and machine learning algorithms, which validate IOCs with high fidelity before they can reach Lumen customers.

Explore blogs from Black Lotus Labs, including our latest research on botnet groups.

Get started: Preview now available

A preview of Lumen Defender Threat Feed for Microsoft Sentinel is available now by invitation only via the Microsoft Store.

Contact the Lumen Sales Team to request access to the trial and get started today.

¹_{The Center for Applied Internet Data Analysis (CAIDA), AS Rank, January 2025.}

_{This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available everywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2025 Lumen Technologies. All Rights Reserved.}

Related resources