Integrate Contrast Security ADR with Google Security Operations
The Contrast Security ADR integration with Google Security Operations (SecOps) enables ADR to send incident details to your Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Extended Detection and Response (XDR) environments, so that incidents are contextualized alongside data from your other threat detection and response solutions.
How it works
When configured, the Contrast Security ADR sends incidents and attack events pre-normalized to Google Unified Data Model (UDM) from the Contrast Security platform to Google Security Operations via the Ingestion API.
The Contrast Security ADR for Google Security Operations application enables Google Security Operations to:
Ingest Contrast Security ADR Attack Events and Incidents pre-normalized to UDM via the Ingestion API
Display Contrast Security ADR attack events in Google Security Operations, for consumption in the provided Contrast Security ADR dashboard in Google Security Operations, or search and correlation in Google Security Operations Cloud SIEM
Before you begin
To integrate successfully with your SIEM, log analytics, security data lake, or other security operations platform, understand the specific requirements and technical specifications of the solution you have chosen.
Be aware of, and configure, any authentication your platform requires before it accepts external data. This may include API keys, tokens, certificates, or other credentials. Consult your platform's documentation for details on its secure event ingestion and authentication protocols.
Set up Google Security Operations
Get the Google SecOps Customer ID and the GCP Project ID
Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Copy and save the GCP Project ID from the Organization Details section.
Get the Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Set up the Contrast Security ADR
Configure the integration in Contrast to send attack events to Google Security Operations.
In Contrast, go to the user menu and select Organization settings > Integrations.
Select the Google Security Operations option under the ADR Integrations section.
Under the Manage Credentials tab, using the IDs and files you saved under Set up Google Security Operations:
Enter the Google SecOps Customer ID.
Enter the GCP Project ID.
Select your GCP region in the dropdown list.
Upload the ingestion authentication file you downloaded under Set up Google Security Operations.
Select Save.
View Contrast Security ADR data in Google Security Operations
To confirm the integration is working, go to Google Security Operations > Investigation > SIEM Search and search for: metadata.vendor_name="Contrast Security"
Install detection rules
Pre-built YARA-L detection rules for Google Security Operations are available in the Contrast Security ADR Google Security Operations GitHub repository. The repository contains rules for standalone ADR detections as well as correlation rules that combine ADR signals with EDR, WAF, and DLP data sources. Download the rules from the detection_rules directory and import them into Google Security Operations through the Rules Editor or the Google SecOps CLI.
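As an added illustration of the rule format those files use (this is not one of the rules in the Contrast repository), the following YARA-L 2.0 rule alerts when five or more Contrast Security ADR events arrive from the same source IP within ten minutes. It assumes Contrast maps the attacking client address to the UDM field principal.ip; the threshold and window are arbitrary and should be tuned to your environment.

```yaral
rule contrast_adr_repeated_attacks_from_one_ip {
  meta:
    author = "added example, not a Contrast-supplied rule"
    description = "Five or more Contrast Security ADR events from one source IP within 10 minutes"
    severity = "MEDIUM"

  events:
    // Scope to the events the integration ingests (same filter as the SIEM Search above).
    $adr.metadata.vendor_name = "Contrast Security"
    // Assumption: Contrast populates principal.ip with the attacking client address.
    $adr.principal.ip = $src_ip

  match:
    // Group matching events by source IP over a sliding 10-minute window.
    $src_ip over 10m

  outcome:
    // Surface how many events fired and which applications were targeted.
    $event_count = count($adr.metadata.id)
    $target_apps = array_distinct($adr.target.application)

  condition:
    // Fire only once at least five events share the same source IP in the window.
    #adr >= 5
}
```

Import the rule through the Rules Editor alongside the repository rules and run it in test mode against recent data before enabling alerting.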