Integrate Contrast Security ADR with Universal Forwarder (Northstar)
The Universal Forwarder provides a flexible solution for integrating Contrast Security with any Security Information and Event Management (SIEM) system, Log Analytics, security data lake, or other security operations platform, especially when a dedicated integration is not available. It lets users connect to solutions that are not officially supported by creating their own parsers.
How it works
To use the Universal Forwarder, you provide a URL to which events are sent and HTTP headers for authentication and metadata. Currently, Contrast supports only attack events through this forwarder. In contrast, Northstar supports both attack events and incidents, with the added convenience of using a single configuration for both.
Before you begin
To ensure a successful integration of your SIEM, Log Analytics, security data lake, or other security operations platform, it is important to understand the specific requirements and technical specifications of your chosen solution.
Contrast/Northstar facilitates secure event collection primarily over HTTPS. Your platform must be configured to receive and process events transmitted via HTTPS.
Identify and configure any authentication your platform requires for ingesting external data. This may include API keys, tokens, certificates, or other credentials. Refer to your platform's documentation for details on its secure event ingestion and authentication protocols.
Connect for observations and incidents
Configure the integration in Northstar to send observations and incidents to your app.
1. Select the URL for which you want to receive events.
2. For Northstar, in the left navigation, select Administration > Integrations.
3. Select the Universal Forwarder option under the ADR Integrations section.
4. Enter the URL under the observations configuration field, and enter the key and value information for the custom HTTP request headers. Add additional fields as needed.
5. Enter the URL under the incident configuration field, and enter the key and value information for the custom HTTP request headers. Add additional fields as needed.
   You can select the Use identical configuration as Attack Events toggle to copy the configurations above.
6. Select Save.
7. Go to your app and verify that the events are received.
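For the final verification step, a minimal receiving endpoint that accepts an event only when the configured custom header carries the expected value. This is an added example, not Contrast or Northstar code. The header name, the secret, the use of POST, and a JSON body are assumptions, and TLS is assumed to be terminated by a proxy in front of it.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the Contrast documentation): the header name, the
# secret, POST as the method, and a JSON request body.
AUTH_HEADER = "X-Forwarder-Token"                 # hypothetical custom header key
AUTH_VALUE = "replace-with-a-long-random-secret"  # placeholder header value
MAX_BODY = 1_000_000                              # reject oversized bodies


def check_request(headers, body, expected=AUTH_VALUE):
    """Return (http_status, parsed_event_or_None) for one forwarded request."""
    supplied = headers.get(AUTH_HEADER, "")
    # Constant-time comparison avoids leaking the secret through timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 401, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        event = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return 400, None
    if not isinstance(event, (dict, list)):
        return 400, None
    return 200, event


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if not 0 <= length <= MAX_BODY:
            self.send_response(413 if length > MAX_BODY else 400)
            self.end_headers()
            return
        status, event = check_request(self.headers, self.rfile.read(length))
        if event is not None:
            # Hand the event to your own parser here; this only logs its size.
            self.log_message("accepted event (%d bytes)", length)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Plain HTTP on loopback only; assumes a TLS-terminating proxy in front.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

Requests that arrive without the header, or with a wrong value, get a 401 and are never parsed, which makes a misconfigured key and value pair easy to spot while testing.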