Integrate Contrast Security ADR with Microsoft Sentinel® (Northstar)
The Contrast Security ADR integration with Microsoft Sentinel enables ADR to send incident details to your Security Information and Event Management (SIEM), Security for Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) environments, which contextualizes incidents with other threat detection and response solutions.
How it works
When configured, the Contrast Security ADR for Microsoft Sentinel connector uses the Microsoft Custom Connector Framework (CCF) Push model to send detected attack events and incidents from the Contrast Security platform directly to your Azure Log Analytics workspace via a Data Collection Rule (DCR).
The Contrast Security ADR for Microsoft Sentinel application enables Microsoft Sentinel to:
Parse and normalize the data received over the Contrast ADR Connector
Run analytics using the template rules provided within the integration
Provide runbooks to assist SOC Analysts in resolving application security-related incidents
Before you begin
Before you start, you must have:
Microsoft Sentinel and an active Azure subscription. See the quick start documentation for information.
Applications instrumented with a Contrast agent
Read and write permissions on your Log Analytics workspace
Microsoft Entra ID permission to create an app registration (typically the Application Developer role or higher) if using the auto-created Entra application option
Microsoft Azure permission to create and configure Azure resources (Data Collection Endpoint, Data Collection Rule, Log Analytics tables) and assign RBAC roles. This typically requires the Contributor and User Access Administrator roles.
Install the Contrast Security ADR for Microsoft Sentinel application
In Azure Marketplace, search for Contrast ADR for Azure Sentinel or access it here.
Select Get it now.
Select your Subscription, Resource Group and Workspace.
Follow the on-screen instructions and select Next to review, then Create.
Once the deployment is complete, continue to Configure the Data Collector.
Configure the Data Collector
The Contrast ADR connector uses the Microsoft Custom Connector Framework (CCF) Push model. Deployment creates the Azure resources needed to receive data, and generates the configuration values you will paste into the Contrast platform.
Step 1: Deploy connector resources
In Microsoft Sentinel, go to Content Management > Content Hub, search for ContrastADR, and select Manage.
Select the Contrast ADR Push Connector and open the connector page.
Under Configuration > Deploy Connector Resources, select a deployment option:
Option A: Auto-create Microsoft Entra application (recommended)
Select Deploy Contrast ADR CCF Connector. This automatically creates:
A Data Collection Endpoint (DCE)
A Data Collection Rule (DCR) with streams for attack events and incidents
Log Analytics tables (ContrastADRAttackEvents_CL and ContrastADRIncidents_CL)
A Microsoft Entra application with OAuth credentials
A Monitoring Metrics Publisher role assignment on the DCR
After deployment, all configuration values (Tenant ID, Client ID, Client Secret, DCE URI, DCR Immutable ID, and stream names) are auto-populated on the connector page for you to copy into the Contrast platform.
Option B: Use a pre-existing Microsoft Entra application (BYOA)
Use this option if you have an existing Entra application you want to reuse for security or compliance reasons.
Select Deploy Contrast ADR CCF Connector. This creates the DCE, DCR, Log Analytics tables, and an Entra application (which you can ignore).
Then:
Manually assign the Monitoring Metrics Publisher role to your pre-existing Entra application's Service Principal on the newly created DCR.
When configuring Contrast in the next step, use your own application's Client ID and Client Secret, not the auto-generated ones.
Use the DCE URI and DCR Immutable ID from the connector page as normal.
Step 2: Copy configuration values
After deployment, the connector page displays the following values. Copy each one, then paste them into the Contrast platform in the next section.
Connector page field: Maps to Contrast field
Tenant ID: Tenant ID
Application (Client) ID: Client ID
Client Secret: Client Secret
Data Collection Endpoint (DCE) URI: URL
Data Collection Rule (DCR) Immutable ID: DCR Immutable ID
Attack Events Stream Name: Observation Stream Name
Incidents Stream Name: Incident Stream Name
Continue to Configure Contrast Security ADR to send data to Microsoft Sentinel
Configure Contrast Security ADR to send data to Microsoft Sentinel
Configure the integration in the Contrast platform to send attack events and incidents to Microsoft Sentinel.
In Northstar, in the left navigation, select Administration > Integrations.
Select the Microsoft Sentinel option under the Integrations section.
Under the Manage Credentials tab, enter the following values copied from the Sentinel connector page in the previous section:
URL: Paste the Data Collection Endpoint (DCE) URI
Tenant ID: Paste the Tenant ID
Client ID: Paste the Application (Client) ID
Client Secret: Paste the Client Secret
DCR Immutable ID: Paste the Data Collection Rule (DCR) Immutable ID
Observation Stream Name: Paste the Attack Events Stream Name
Incident Stream Name: Paste the Incidents Stream Name
Select the Integration Enabled toggle to enable the integration. You can use this toggle to temporarily disable the integration without losing your configuration.
Under the Advanced tab, select from the modes of data to send to the app:
Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and the issues associated with them. This is recommended for SOC practices that seek deep visibility into the application runtime and are building their own custom use cases.
Select Incidents and only incident-related observations to send incidents, associated observations, and issues to Microsoft Sentinel. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.
Select Save.
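Before pasting the seven values into Contrast, a pre-check such as the following catches the usual copy mistakes (a DCR name instead of its immutable ID, the DCE name instead of its URI, swapped stream names). This is an added example, not Contrast's or Microsoft's code; the formats it checks are assumptions taken from public Azure Monitor conventions and are noted in the comments.

```python
"""Sanity-check values copied from the Sentinel connector page before they
go into Contrast. Assumed formats (not stated on the page): a DCE ingestion
URI is https://<name>.<region>.ingest.monitor.azure.com, a DCR immutable ID
is 'dcr-' + 32 hex digits, and Logs Ingestion API streams for custom tables
are named 'Custom-<Table>_CL'."""
import re
from uuid import UUID

# Contrast field -> Log Analytics table its stream should feed
TABLES = {"Observation Stream Name": "ContrastADRAttackEvents_CL",
          "Incident Stream Name": "ContrastADRIncidents_CL"}
DCR_RE = re.compile(r"^dcr-[0-9a-f]{32}$")
DCE_RE = re.compile(r"^https://[a-z0-9-]+\.[a-z0-9-]+\.ingest\.monitor\.azure\.com$")


def _is_guid(value: str) -> bool:
    try:
        UUID(value)
        return True
    except ValueError:
        return False


def check_contrast_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for field in ("Tenant ID", "Client ID"):
        if not _is_guid(cfg.get(field, "")):
            problems.append(f"{field} is not a GUID")
    if not cfg.get("Client Secret"):
        problems.append("Client Secret is empty")
    if not DCE_RE.match(cfg.get("URL", "")):
        problems.append("URL must be the DCE ingestion URI (https://...ingest.monitor.azure.com)")
    if not DCR_RE.match(cfg.get("DCR Immutable ID", "")):
        problems.append("DCR Immutable ID must be the immutable ID (dcr-...), not the DCR name")
    for field, table in TABLES.items():
        stream = cfg.get(field, "")
        if not stream.startswith("Custom-"):
            problems.append(f"{field} should be a custom stream (Custom-...)")
        elif table not in stream:
            problems.append(f"{field} does not reference {table}; stream names may be swapped")
    return problems


def ingestion_url(cfg: dict, stream: str) -> str:
    """Logs Ingestion API endpoint the DCE/DCR pair accepts for one stream."""
    return (f"{cfg['URL']}/dataCollectionRules/{cfg['DCR Immutable ID']}"
            f"/streams/{stream}?api-version=2023-01-01")
```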
Verify data ingestion
After saving, verify that data is flowing from Contrast ADR into Microsoft Sentinel.
Trigger a test attack event in Contrast ADR.
Wait 5-10 minutes for data to appear.
In Microsoft Sentinel, run the following KQL queries to confirm data is arriving:
Check attack events:
ContrastADRAttackEvents_CL
| take 10
Check incidents:
ContrastADRIncidents_CL
| take 10
Check connectivity:
ContrastADRAttackEvents_CL
| summarize LastLogReceived = max(TimeGenerated)
| project IsConnected = LastLogReceived > ago(7d)
If data appears and IsConnected returns true, your connector is configured correctly.
View Contrast ADR data in the Microsoft Sentinel dashboard
The events sent by Contrast ADR will be forwarded to the ContrastADRAttackEvents_CL and ContrastADRIncidents_CL tables.
The Contrast ADR runbooks can be seen under Microsoft Sentinel > Threat Management > Workbooks.