
Integrate Contrast Security ADR with Microsoft Sentinel®

The Contrast Security ADR integration with Microsoft Sentinel® lets ADR send incident details to your SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response), and XDR (Extended Detection and Response) environments, so that application-layer attacks detected by Contrast can be correlated with the findings of your other threat detection and response tools.

How it works

When configured, the Contrast Security ADR for Microsoft Sentinel app sends attack events detected by the Contrast Security platform to Microsoft Sentinel (formerly Azure Sentinel).

The Contrast Security ADR for Microsoft Sentinel app enables Microsoft Sentinel to:

  • Parse and normalize the data received over the Contrast ADR connector

  • Run analytics using the template rules provided within the integration

  • Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents

Before you begin

Before you start, you must have:

  • Microsoft Sentinel enabled on an active Azure subscription. See the Microsoft Sentinel quick start for setup information.

  • Applications instrumented with a Contrast agent

Install the Contrast Security ADR for Microsoft Sentinel app

  1. In Azure Marketplace, search for Contrast ADR for Azure Sentinel, or open the listing directly from the marketplace link.

  2. Select Get it now.

  3. Select your Subscription, Resource Group and Workspace.

  4. Follow the on-screen instructions and select Next to review, then Create.

  5. Once the deployment is complete, configure the Data Collector.

Configure the Data Collector

  1. Go to Microsoft Sentinel > Settings > Overview.

  2. In the Overview tab, select JSON View and copy the workspace Resource ID using the Copy to clipboard button. You will need this ID later.
  3. In Microsoft Sentinel, select Content management > Content hub.

  4. Search for and select ContrastADR and select Manage.

  5. Select the ContrastADR connector and select the Open connector page.

  6. Copy the Workspace ID and Primary Key shown on screen, as you will need them in the next step, and select Deploy to Azure.

  7. Enter the following information on the Custom deployment screen:

    • Azure Sentinel Subscription and Resource group

    • Region: Your region for deployment

    • Function Name: Leave ContrastADR as the default or rename it as preferred

    • SHARED_KEY: the Primary Key copied in step 6

    • WORKSPACE_ID: the Workspace ID copied in step 6

    • App Insights Workspace Resource ID: the Resource ID copied in step 2

  8. Select Review + Create and deploy the Azure function.

  9. Once the deployment is complete, open the Azure Function App whose name starts with contrastadr (or with the Function Name you chose in step 7).

  10. Under Functions, open the function named AzureFunctionContrastADR, select Get function URL and copy the default (Function key) URL. This URL is used to configure the integration in Contrast. Treat it as a credential: the function key is embedded in the URL, and anyone holding it can post events into your workspace, so store it in a secrets manager rather than in tickets or chat.

  11. Continue to configure sending data to Microsoft Sentinel.

Configure Contrast Security ADR to send data to Microsoft Sentinel

Configure the integration in Contrast to send attack events to the Microsoft Sentinel app.

  1. In Contrast, go to the user menu and select Organization settings > Integrations.

  2. Select the Microsoft Sentinel option under the ADR Integrations section.

  3. In the Microsoft Sentinel field, paste the function URL (with its function key) that you copied from the Azure Function App.

  4. Select Save.

  5. Continue to view the Microsoft Sentinel dashboard.

View Contrast ADR data in the Microsoft Sentinel dashboard

The events sent by Contrast ADR are written to the ContrastADR_CL custom log table in the Log Analytics workspace; the analytics template rules provided with the integration query this table.

The Contrast ADR runbooks are delivered as Sentinel workbooks and can be found under Microsoft Sentinel > Threat management > Workbooks.
