Integrate Contrast Security ADR with Google Security Operations (Northstar)
The Contrast Security ADR integration with Google Security Operations (SecOps) enables ADR to send incident details to your Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Extended Detection and Response (XDR) environments, which contextualizes incidents alongside your other threat detection and response solutions.
How it works
When configured, the Contrast Security ADR sends incidents and attack events pre-normalized to Google Unified Data Model (UDM) from the Contrast Security platform to Google Security Operations via the Ingestion API.
The Contrast Security ADR for Google Security Operations application enables Google Security Operations to:
Ingest Contrast Security ADR Attack Events and Incidents pre-normalized to UDM via the Ingestion API
Display Contrast Security ADR attack events in Google Security Operations, for consumption in the provided Contrast Security ADR dashboard in Google Security Operations, or search and correlation in Google Security Operations Cloud SIEM
Before you begin
To ensure a successful integration with your SIEM, log analytics, security data lake, or other security operations platform, it is important to understand the specific requirements and technical specifications of your chosen solution.
Be aware of and configure any necessary authentications required by your platform for inputting external data. This may include API keys, tokens, certificates, or other credentials. Look at your platform's documentation for details on its secure event ingestion and authentication protocols.
Set up Google Security Operations
Get the Google SecOps Customer ID and the GCP Project ID
Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Copy and save the GCP Project ID from the Organization Details section.
Get the Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Set up the Contrast Security ADR
Configure the integration in Northstar to send attack events, observations, and incidents to Google Security Operations.
In Contrast, go to the user menu and select Organization settings > Integrations.
Select the Google Security Operations option under the ADR Integrations section.
Under the Manage Credentials tab, using the IDs and files you saved under Set up Google Security Operations:
Enter Google SecOps Customer ID.
Enter GCP Project ID.
Select your GCP region in the dropdown list.
For the destination, upload the Ingestion Authentication File you downloaded under Set up Google Security Operations.
Under the Advanced tab, select from the modes of data to send to the app:
Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and the issues associated with each incident. This is recommended for SOC practices that want deep visibility into application runtime behavior and are building their own custom use cases.
Select Incidents and only incident-related observations to send incidents, their associated observations, and issues to Google Security Operations. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.
Select Save.
View Contrast ADR data in Google Security Operations
To confirm the integration is working, go to Google Security Operations > Investigation > SIEM Search and search for: metadata.vendor_name="Contrast Security"
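As an added illustration (not code from Contrast Security or Google), the snippet below shows the UDM shape a SOC engineer should expect for an ingested ADR attack event, validates the metadata fields the Ingestion API requires, and applies the same filter as the verification search above (metadata.vendor_name="Contrast Security"). The sample events and the batch request shape are constructed assumptions; the UDM field names are standard.

```python
import json
from datetime import datetime

# Constructed sample of what a Contrast ADR attack event could look like once
# normalized to UDM. Field names are standard UDM; all values are invented.
SAMPLE_EVENTS = [
    {
        "metadata": {
            "event_timestamp": "2024-05-01T12:00:00Z",
            "event_type": "NETWORK_HTTP",
            "vendor_name": "Contrast Security",
            "product_name": "Contrast ADR",
            "product_event_type": "ATTACK_EVENT",
        },
        "principal": {"ip": ["203.0.113.10"]},
        "target": {"application": "payments-api", "url": "/api/v1/orders"},
        "security_result": [{"action": ["BLOCK"], "severity": "HIGH",
                             "summary": "sql-injection attempt (constructed)"}],
    },
    {   # event from another source; must not match the vendor search
        "metadata": {"event_timestamp": "2024-05-01T12:00:05Z",
                     "event_type": "GENERIC_EVENT", "vendor_name": "Other"},
    },
]

REQUIRED_METADATA = ("event_timestamp", "event_type", "vendor_name")

def validate_udm_event(event: dict) -> list:
    """Return a list of problems; an empty list means the event is acceptable."""
    problems = []
    md = event.get("metadata", {})
    for key in REQUIRED_METADATA:
        if key not in md:
            problems.append(f"metadata.{key} missing")
    ts = md.get("event_timestamp")
    if ts:
        try:  # UDM timestamps are RFC 3339; normalize the trailing Z for Python
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("metadata.event_timestamp not RFC 3339")
    return problems

def matches_vendor(event: dict, vendor: str = "Contrast Security") -> bool:
    """Same predicate as the SIEM search metadata.vendor_name="Contrast Security"."""
    return event.get("metadata", {}).get("vendor_name") == vendor

def build_batch(customer_id: str, events: list) -> dict:
    """Assumed request body shape for a UDM batch; rejects malformed events first."""
    bad = [e for e in events if validate_udm_event(e)]
    if bad:
        raise ValueError(f"{len(bad)} event(s) fail UDM validation")
    return {"customer_id": customer_id, "events": events}
```

Running `json.dumps(build_batch("<your-customer-id>", SAMPLE_EVENTS))` shows the payload layout; only the first sample event satisfies `matches_vendor`, which is what the verification search in the console should return.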