Integrate Contrast Security ADR with Universal Forwarder

The Universal Forwarder provides a flexible way to integrate Contrast Security with any Security Information and Event Management (SIEM) system, Log Analytics, security data lake, or other security operations platform, especially when a dedicated integration is not available. It lets users connect to solutions that are not officially supported by creating their own parsers.

How it works

The Universal Forwarder operates by providing a URL for sending events and HTTP headers for authentication and metadata. Currently, Contrast supports only attack events through this forwarder. In contrast, Northstar supports both attack events and incidents, with the added convenience of using a single configuration for both.

Before you begin

  • To ensure a successful integration of your SIEM, Log Analytics, security data lake, or other security operations platform, it is important to understand the specific requirements and technical specifications of your chosen solution.

  • Contrast/Northstar facilitates secure event collection primarily over HTTPS. Your platform must be configured to receive and process events transmitted via HTTPS.

  • Be aware of and configure any authentication that your platform requires for ingesting external data. This may include API keys, tokens, certificates, or other credentials. See your platform's documentation for details on its secure event ingestion and authentication protocols.

Connect for attack events

Configure the integration in Contrast to send attack events to the application.

  1. Get the URL of the destination endpoint that will receive the events from Contrast.

  2. In Contrast, go to the user menu and select Organization settings > Integrations.

  3. Select the Universal Forwarder option under the ADR Integrations section.

  4. Enter the URL under the attack events configuration field, and enter the key and value information for the custom HTTP request headers. Add additional fields as needed.

    The URL is the endpoint of the destination solution. It must support HTTPS and can include a port, for example: https://<mycompany.siem.com>/services/collector:12345.

  5. Select Save.

  6. Go to your app and verify that the events are received.
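For destinations where you write your own receiver, the sketch below shows the receiving side of the header-based authentication configured in step 4. It is an added example, not code from Contrast. The header name, secret value, size cap, listening port and the JSON body format are all assumptions, and TLS is assumed to be terminated by a proxy in front of it.

```python
import hmac
import json
from wsgiref.simple_server import make_server

# Assumptions (not from the Contrast documentation): header name, secret,
# size cap and a JSON request body.
AUTH_HEADER = "X-Forwarder-Token"                # key entered in step 4
AUTH_SECRET = "replace-with-long-random-value"   # value entered in step 4
MAX_BODY = 1_000_000                             # refuse oversized posts
RECEIVED = []                                    # stand-in for your parser or queue


def handle(method, token, body):
    """Validate one forwarded request and return (status, reason)."""
    if method != "POST":
        return 405, "method not allowed"
    # Constant-time comparison avoids leaking the secret through timing.
    if not hmac.compare_digest(token.encode(), AUTH_SECRET.encode()):
        return 401, "bad or missing auth header"
    if len(body) > MAX_BODY:
        return 413, "body too large"
    try:
        event = json.loads(body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return 400, "body is not JSON"
    RECEIVED.append(event)  # only authenticated, well-formed events get here
    return 200, "ok"


def app(environ, start_response):
    """WSGI entry point: extract the custom header and body, then validate."""
    key = "HTTP_" + AUTH_HEADER.upper().replace("-", "_")
    try:
        length = max(0, int(environ.get("CONTENT_LENGTH") or 0))
    except ValueError:
        length = 0
    # Read at most one byte past the cap so oversized bodies are detected
    # without buffering them in full.
    body = environ["wsgi.input"].read(min(length, MAX_BODY + 1))
    status, reason = handle(environ["REQUEST_METHOD"], environ.get(key, ""), body)
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [reason.encode()]


if __name__ == "__main__":
    # Plain HTTP on localhost only; the forwarder requires HTTPS, so expose
    # this through a TLS-terminating reverse proxy.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Requests that fail the header check are rejected before the body is parsed, so unauthenticated input never reaches the parser.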