Integrate ContrastContrast Security ADR with Microsoft Sentinel® (NorthstarNorthstar)

The ContrastContrast Security ADR integration with Microsoft Sentinel enables ADR to send incident details to your Security Information and Event Management (SIEM), Security for Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) environments, which contextualizes incidents with other threat detection and response solutions.

How it works

When configured, the ContrastContrastSecurity ADR for Microsoft Sentinel app sends detected attack events from the ContrastContrast Security platform to Microsoft Azure Sentinel.

The ContrastContrastSecurity ADR for Microsoft Sentinel application enables Microsoft Sentinel to:

Parse and normalize the data received over the ContrastContrast ADR Connector
Run analytics using the template rules provided within the integration
Provide runbooks to assist SOC Analysts in resolving application security-related incidents

Before you begin

Before you start, you must have:

Microsoft Sentinel and an active Azure subscription. See the quick start documentation for information.
Applications instrumented with a ContrastContrast agent

Install the ContrastContrast Security ADR for Microsoft Sentinel application

In Azure Marketplace, search for ContrastContrast ADR for Azure Sentinel or access it here.
Select Get it now.
Select your Subscription, Resource Group and Workspace.
Follow the on-screen instructions and select Next to review, then Create.
Once the deployment is complete, continue to Configure the Data Collector.

Configure the Data Collector

Go to Microsoft Sentinel > Settings > Overview.
In the Overview tab, select JSON View and copy the Resource ID using the Copy to clipboard button, like this example. The ID will be needed later on.
In Microsoft Sentinel, select Content Management/Content Hub.
Search for and select ContrastADR and select Manage.
Select the ContrastADR connector and select the Open connector page.
Copy the Workspace ID and Primary Key shown on screen, as you will need them in the next screen, and select Deploy to Azure.
Enter the following information on the Customer deployment screen:
- Azure Sentinel Subscription and Resource group.
- Region: Your region for deployment
- Function Name: Leave ContrastADR as the default or rename it as preferred
- SHARED_KEY: the Primary Key copied in step 6
- WORKSPACE_ID: the Workspace ID copied in step 6
- App Insights Workspace Resource ID: the Resource ID copied in step 2
Select Review + Create and deploy the Azure function.
Once the deployment is complete, open the Azure Function App, locate the function with the name starting with contrastadr.
Under Functions, open the function named AzureFunctionContrastADR, select Get function URL and copy the default (Function key) URL. This will be used to configure the integration in Contrast.
Continue to Configure Contrast Security ADR to send data to Microsoft Sentinel

Configure ContrastContrast Security ADR to send data to Microsoft Sentinel

Configure the integration in Northstar to send attack events, observations, and incidents to the Microsoft Sentinel application.

For NorthstarNorthstar, in the left navigation, select Administration > Integrations.
Select the Microsoft Sentinel option under the Integrations section.
Under the Manage Credentials tab:
1. Enter the URL
2. Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.
Use the Filters tab to define specific criteria for the events sent to the integration. This ensures that only relevant events matching your criteria are forwarded, significantly reducing the overall number of attack events sent to the app. Learn more about attack events.
1. Environment: allows you to select a specific environment (such as Production, Development, or QA). By applying this filter, you ensure that only events associated with the selected environments are sent to the app, improving focus and relevance.
2. Result: allows you to select specific outcomes for the event, such as Exploited, Blocked, Probed, or Suspicious. By configuring this filter, you ensure that only events where a specific result was achieved are forwarded, enabling you to quickly pinpoint the most relevant events for which a threshold has been met in the app.
3. Application: allows you to specify which applications should have their attack events sent to the integration. By using this filter, you can ensure that only events related to your selected applications are forwarded to the app, enabling targeted monitoring.
4. Filter by Application Metadata: allows you to filter which events are sent based on the application metadata defined for those applications. For example, you can choose only to include events associated with a particular business unit or other custom metadata tags. Learn more about custom metadata.
Under the Advanced tab, select from the modes of data to send to the app:
1. Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and issues associated with the incident. This is recommended for SOC practices seeking deep visibility into application runtime and are building their custom use cases.
2. Select Incidents and only incident-related observations to send incidents, associated observations, and issues to Microsoft Sentinel. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.
Select Save.
Continue to View Contrast ADR data in the Microsoft Sentinel dashboard.

View ContrastContrast ADR data in the Microsoft Sentinel dashboard

The events sent by ContrastContrast ADR will be forwarded to the ContrastADR_CL table.

The ContrastContrast ADR runbooks can be seen under Microsoft Sentinel > Threat Management > Workbooks.