Integrate Contrast Security ADR with Microsoft Sentinel

The Contrast Security ADR integration with Microsoft Sentinel enables ADR to send incident details to your SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), and XDR (Extended Detection and Response) environments, contextualizing incidents with other threat detection and response solutions.

How it works

When configured, the Contrast Security ADR for Microsoft Sentinel app sends detected attack events from the Contrast Security platform to an Event Collector.

The Contrast Security ADR for Microsoft Sentinel app enables Microsoft Sentinel to:

  • Parse and normalize the data received over the HTTP Event Collector

  • Display Contrast Security ADR dashboards, reports, and searches in Microsoft Sentinel

  • (On request) Call the Contrast Security ADR REST APIs for contextual data to help investigate incidents

  • Provide runbooks to assist SOC Analysts in resolving AppSec-related security incidents

Before you begin

Before you start, you must have:

  • Microsoft Sentinel and an active Azure subscription. See the quick start for information.

  • Applications instrumented with a Contrast agent

Step 1: Install the Contrast Security ADR for Microsoft Sentinel app

  1. In Azure Marketplace, search for Contrast Security ADR for Microsoft Sentinel.

  2. Check the requirements.

  3. Select Get it now.

Step 2: Set up the data connector

  1. In Microsoft Sentinel, select Data connectors.

  2. Select the Azure Activity data connector.

  3. Select the Open connector page.

  4. Select the New Token button at the top of the page.

  5. Enter the fields and select Next.

  6. Choose Select source type and specify contrast:adr for the source type.

  7. Select the preferred index to store the data, such as contrast.

  8. Select the Review button.

  9. Select the Submit button.

  10. Copy the token value on the success page. You need this token when you configure the integration in Step 3.

Step 3: Configure Contrast Security ADR to send attack events to Microsoft Sentinel

Configure the integration in Contrast to send attack events to the Microsoft Sentinel app.

  1. In Contrast, go to the user menu and select Organization settings > Integrations.

  2. Select the Microsoft Sentinel option under the ADR Integrations section.

  3. Under the Microsoft Sentinel fields, enter the URL and token information.

  4. Select Save.

Step 4: View Contrast ADR data in the Microsoft Sentinel dashboard

Microsoft Sentinel provides areas where you can see Contrast data.

  1. In Microsoft Sentinel, select Data connectors.

  2. Search for and select the Azure Activity data connector.

  3. In the details section for the connector, select Open connector page.

  4. Review the Status of the data connector. It should be Connected.

  5. In the left-hand side section above the chart, select Go to log analytics.

  6. In the top area, next to the New query 1 tab, select the + option to add a new query tab.

  7. In the search box, run a search to view the activity data loaded into the workspace.

    • To visualize data, go to the Overview page. Data for each section of the dashboard is precalculated, and the last refresh time is shown at the top of each section. Select Refresh at the top of the page to refresh the entire page.

    • View incident data with the number of new, active, and closed incidents over the last 24 hours

    • In the Data section of the Overview dashboard, track information on data records, data collectors, and threat intelligence
