
Integrate Contrast Security ADR with Universal Forwarder (Northstar)

The Universal Forwarder provides a flexible solution for integrating Contrast with any Security Information and Event Management (SIEM) system, Log Analytics, security data lake, or other security operations platforms, especially when a dedicated integration is not available. It empowers users to connect with solutions not officially supported by enabling them to create their own parsers.

How it works

The Universal Forwarder operates by providing a URL for sending events and HTTP headers for authentication and metadata. Currently, Contrast supports only attack events through this forwarder.

Northstar, in contrast, supports both attack events and incidents, with the added convenience of using a single configuration for both.

Before you begin

  • To ensure a successful integration of your SIEM, Log Analytics, security data lake, or other security operations platform, it is important to understand the specific requirements and technical specifications of your chosen solution.

  • Northstar facilitates secure event collection primarily over HTTPS. Your platform must be configured to receive and process events transmitted via HTTPS.

  • Be aware of and configure any necessary authentications required by your platform for inputting external data. This may include API keys, tokens, certificates, or other credentials. Look at your platform's documentation for details on its secure event ingestion and authentication protocols.

Configure Contrast Security ADR to send events

Configure the integration in Northstar to send attack events, observations, and incidents to your application.

  1. Select the URL for which you want to receive events.

  2. For Northstar, in the left navigation, select Administration > Integrations.

  3. Select the Universal Forwarder option under the Integrations section.

  4. Under the Manage Credentials tab:

    1. Enter the URL under the Observations Configuration field, and enter the key and value information for the custom HTTP request headers. Add additional fields as needed.

      You can select the Use observation configuration for issues and incidents toggle to copy the configurations to the issues and incidents fields.

    2. Enter the URL under the Issues Configuration field, and enter the key and value information for the custom HTTP request headers. Add additional fields as needed.

    3. Enter the URL under the Incidents Configuration field, and enter the key and value information for the custom HTTP request headers. Add additional fields as needed.

    4. Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.

  5. Use the Advanced tab to select from the modes of data to send to the app:

    1. Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and issues associated with the incident. This is recommended for SOC practices that seek deep visibility into application runtime and are building their own custom use cases.

    2. Select Incidents and only incident-related observations to send incidents, associated observations, and issues to Microsoft Sentinel. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.

    Also, select the Map to a third-party schema (optional) option to choose how event data is formatted before it is sent to a destination.

  6. Select Save.

  7. Go to your application and verify that the events are received.
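The receiving side of this integration is yours to build: Northstar POSTs events to the URLs you entered and attaches the custom HTTP request headers you configured. The following is an added example of a minimal receiver, not code from Contrast or the Northstar product, showing the checks a practitioner would want before accepting a forwarded event: a constant-time comparison of the shared-secret header, a route per configured URL, and JSON validation before the record is handed to a parser. The header name `X-Forwarder-Token`, the secret value, the paths `/observations`, `/issues` and `/incidents`, and the sample event body are all assumptions chosen for the example; the page does not define the event schema, so the parser only tags each record with its category.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values: you choose the header name and secret yourself and enter them
# as the custom HTTP request header key/value in the Universal Forwarder form.
AUTH_HEADER = "X-Forwarder-Token"
EXPECTED_TOKEN = "replace-with-a-long-random-secret"

# Assumed paths: one per URL configured in Northstar (observations, issues,
# incidents). The category is taken from the URL, not from the untrusted body.
ROUTES = {"/observations", "/issues", "/incidents"}

# Constructed sample event body; the real schema is defined by the product.
SAMPLE_BODY = json.dumps({"type": "attack", "severity": "high"}).encode()


def authorized(headers):
    """Constant-time comparison of the shared-secret header value."""
    presented = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode(), EXPECTED_TOKEN.encode())


def handle_event(path, headers, body):
    """Validate one forwarded request. Returns (http_status, record);
    record is None whenever the request is rejected."""
    if not authorized(headers):
        return 401, None            # missing or wrong secret: reject first
    if path not in ROUTES:
        return 404, None            # not one of the configured URLs
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None            # malformed JSON (includes bad UTF-8)
    if not isinstance(payload, dict):
        return 400, None            # expect a single JSON object per event
    record = {"category": path.lstrip("/"), "event": payload}
    return 202, record


class ForwarderHandler(BaseHTTPRequestHandler):
    """HTTP glue around handle_event; replace print() with your SIEM writer."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, record = handle_event(self.path, self.headers, body)
        if record is not None:
            print(json.dumps(record))
        self.send_response(status)
        self.end_headers()


def demo():
    """Run the validator against the constructed sample without a socket."""
    good = {AUTH_HEADER: EXPECTED_TOKEN}
    return {
        "accepted": handle_event("/observations", good, SAMPLE_BODY)[0],
        "bad_token": handle_event("/observations", {AUTH_HEADER: "x"}, SAMPLE_BODY)[0],
        "bad_path": handle_event("/other", good, SAMPLE_BODY)[0],
        "bad_json": handle_event("/incidents", good, b"not json")[0],
    }


if __name__ == "__main__":
    print(demo())
    # Plain HTTP on localhost for illustration only; terminate TLS in front of
    # this process (for example with a reverse proxy), since Northstar sends
    # events over HTTPS.
    HTTPServer(("127.0.0.1", 8443), ForwarderHandler).serve_forever()
```

Authentication is checked before routing or parsing so that unauthenticated callers learn nothing about which paths exist and cannot make the receiver parse arbitrary bodies; the `202` response acknowledges receipt without implying the event has been processed, which is the right signal for an asynchronous ingestion pipeline.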