Skip to main content

Integrate Contrast Security ADR with Microsoft Sentinel® (Northstar)

The Contrast Security ADR integration with Microsoft Sentinel® enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security for Orchestration, Automation and Response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.

How it works

When configured, the ContrastSecurity ADR for Microsoft Sentinel app sends detected attack events from the Contrast Security platform to Microsoft Azure Sentinel.

The ContrastSecurity ADR for Microsoft Sentinel app enables Microsoft Sentinel to:

  • Parse and normalize the data received over the Contrast ADR Connector

  • Run analytics using the template rules provided within the integration

  • Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents

Before you begin

Before you start, you must have:

  • Microsoft Sentinel and an active Azure subscription. See the icon-external-link.svgquick start for information.

  • Applications instrumented with a Contrast agent

Install the Contrast Security ADR for Microsoft Sentinel app

  1. In Azure Marketplace, search for Contrast ADR for Azure Sentinel or access it icon-external-link.svghere.

  2. Select Get it now.

  3. Select your Subscription, Resource Group and Workspace.

  4. Follow the on-screen instructions and select Next to review, then Create.

  5. Once the deployment is complete, configure the Data Collector.

Configure the Data Collector

  1. Go to Microsoft Sentinel > Settings > Overview.

  2. In the Overview tab, select JSON View and copy the Resource ID using the Copy to clipboard button, like this example. The ID will be needed later on.

    azuresentinel.png

  3. In Microsoft Sentinel, select Content Management/Content Hub.

  4. Search for and select ContrastADR and select Manage.

  5. Select the ContrastADR connector and select the Open connector page.

  6. Copy the Workspace ID and Primary Key shown on screen, as you will need them in the next screen, and select Deploy to Azure.

  7. Enter the following information on the Customer deployment screen:

    • Azure Sentinel Subscription and Resource group

    • Region: Your region for deployment

    • Function Name: Leave ContrastADR as the default or rename it as preferred

    • SHARED_KEY: the Primary Key copied in step 6

    • WORKSPACE_ID: the Workspace ID copied in step 6

    • App Insights Workspace Resource ID: the Resource ID copied in step 2

  8. Select Review + Create and deploy the Azure function.

  9. Once the deployment is complete, open the Azure Function App, locate the function with the name starting with contrastadr.

  10. Under Functions, open the function named AzureFunctionContrastADR, select Get function URL and copy the default (Function key) URL. This will be used to configure the integration in Contrast.

  11. Continue to configure sending data to Microsoft Sentinel.

Configure Contrast Security ADR to send data to Microsoft Sentinel

Configure the integration in Contrast to send attack events to the Microsoft Sentinel app.

  1. In Contrast, go to the user menu and select Organization settings > Integrations.

  2. Select the Microsoft Sentinel option under the ADR Integrations section.

  3. Under the Microsoft Sentinel field, enter the URL.

  4. Select Save.

  5. Continue to configure the modes of data to send to Microsoft Sentinel.

Configure the modes of data to send to Microsoft Sentinel

  1. For Northstar, in the left navigation, select Administration > Integrations.

  2. Select from the modes of data to send to Microsoft Sentinel:

    • Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and issues associated with the incident. This is recommended for SOC practices that seek deep visibility into application runtime and are building their custom use cases.

    • Select Incidents and only incident-related observations to send incidents, associated observations, and issues to Splunk. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.

  3. Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.

  4. Select Save.

  5. Continue to view the Microsoft Sentinel dashboard.

View Contrast ADR data in the Microsoft Sentinel dashboard

The events sent by Contrast ADR will be sent to the ContrastADR_CL table.

The Contrast ADR runbooks can be seen under Microsoft Sentinel > Threat Management > Workbooks.

See also

In this section: