Skip to main content
The Content Management System (CMS) transforms security detection engineering from a specialized discipline into an accessible, scalable process. Deploy expert-authored detection rules to your Sentinel workspaces with simple toggles—no complex configuration, no KQL expertise required.
CMS is available for workspaces with the Microsoft Sentinel module deployed. Within CMS, a library of expert-developed detection rules are available under the Sentinel Marketplace tab. Your existing rules can be viewed under the Analytic Rules tab.

Why CMS?

Expert-Authored Rules

Detection content written by security engineers covering MITRE ATT&CK

One-Click Deployment

Enable rules with a toggle—no complex configuration, no multi-step installations

Multi-Tenant Scale

Deploy the same rules across one customer or hundreds

Automatic Updates

Keep detection rules current as threats evolve, with optional auto-update

The Problem CMS Solves

Security teams face what we call “the content storm”—the overwhelming challenge of creating, deploying, and maintaining detection rules at scale.

Traditional Challenges

Writing effective detection rules requires deep knowledge of KQL (Kusto Query Language), understanding of attack techniques, and familiarity with Microsoft Sentinel’s rule configuration options. This expertise is expensive and hard to find.
Threats evolve constantly. Detection rules that worked yesterday may miss today’s attack variants. Keeping rules current across multiple customer environments is a never-ending task.
What works for one Sentinel workspace becomes exponentially harder when managing dozens or hundreds of customer environments. Microsoft’s native interface requires navigating through each tenant individually.
Deploying a single rule in Sentinel’s native interface involves multiple steps—finding the template, configuring parameters, setting schedules, mapping entities. Multiply this across hundreds of rules and many tenants, and the burden becomes unsustainable.

How CMS Works

Detection Rule Library

CMS provides access to a continuously updated library of detection rules organized by data source. Each rule includes:
AttributeDescription
Display NameClear, descriptive name for the detection
DescriptionWhat the rule detects and why it matters
SeverityRisk level (Low, Medium, High) to prioritize response
MITRE ATT&CK MappingTactics and techniques the detection covers
QueryThe underlying KQL logic (visible for transparency)
VersionCalVer format (e.g., 2024.01.15) for tracking updates
Query FrequencyHow often the rule runs
Query PeriodThe time window the rule analyzes

Simple Deployment

Deploying a detection rule is as simple as toggling a switch:
1

Toggle Enable

Click the toggle switch next to any rule
2

Rule Retrieved

CMS retrieves the rule definition from the secure repository
3

Transformation

The rule is transformed into Microsoft Sentinel’s API format
4

Deployment

An authenticated API call deploys the rule to your workspace
5

Confirmation

Deployment status updates in real-time

Automated Updates

When our security engineering team improves a detection rule—whether to catch new attack variants, reduce false positives, or optimize performance—CMS can automatically update the rule in your environment.
You control whether updates happen automatically or require manual approval based on your change management requirements.

Version Management

Every rule is versioned using Calendar Versioning (CalVer). You can see:
  • Which version is currently deployed
  • Whether a newer version is available
  • The history of changes to any rule
This transparency lets you make informed decisions about when and whether to update.

Key Capabilities

For MSSPs and organizations with multiple Sentinel workspaces, CMS enables deployment across all environments from a single interface.
  • Deploy to one customer or one hundred—the process is identical
  • Consistent detection coverage across your entire customer base
  • No need to log into each Azure tenant separately

Analytic Rules Per Data Source Type

CMS provides detection rules for threats across your Microsoft Sentinel data sources, which include some of the following coverage:

Identity

  • Active Directory
  • Entra ID
  • Sign-in analytics

Microsoft 365

  • Exchange Online
  • SharePoint
  • Teams

Azure Infrastructure

  • Azure Activity
  • Security Center
  • NSG

Endpoints

  • Windows Security Events
  • Defender for Endpoint

Network

  • DNS Analytics
  • Firewall logs via Syslog
  • Network flow data

And More

The CMS library continuously expands with new detections mapped to MITRE ATT&CK and D3FEND
Each data source has its own collection of rules tailored to the specific threats and attack patterns relevant to that telemetry.

Technical Architecture

Direct Integration with Microsoft Sentinel

CMS communicates directly with Microsoft Sentinel through the Azure Resource Manager (ARM) API:
AdvantageDescription
ReliabilityNo intermediate systems that could fail or introduce delays
SpeedRule deployments complete in seconds, not minutes
TransparencyEvery deployment operation is logged with full details

Background Processing

Rule deployments run as background jobs:
  • Your browser doesn’t need to stay open during deployment
  • Multiple deployments can run simultaneously
  • Failed deployments automatically retry
  • Notifications alert you when operations complete

Secure Rule Storage

Detection rules are stored in a dedicated Azure Cosmos DB database with:
  • Encryption at rest
  • Version history preservation
  • Geographic redundancy
  • High availability

Benefits by Role

For Security Analysts

  • Faster onboarding — Start detecting threats immediately with pre-built rules
  • Less context switching — Manage detection content alongside incident response in one platform
  • Confidence — Know that detection rules are authored by security experts and continuously updated

Getting Started

Prerequisites

1

ContraForce Account

A ContraForce account with appropriate permissions
2

Sentinel Workspace

A Microsoft Sentinel workspace connected to ContraForce
3

Required Role

Data Source Admin, Content Admin, or Organization Admin role

Deploying Your First Rule

1

Navigate to CMS

Go to the Content Management section in ContraForce
2

Select a Data Source Tile

Choose the data source you want to deploy content for
3

Browse Rules

Review available rules and their descriptions, MITRE mappings, and severities
4

Enable Rules

Toggle the rules you want to deploy to Enabled
5

Monitor Deployment

Watch the real-time status as rules deploy to your workspace
CMS rule deployment interface
CMS Library

Configuring Automatic Updates

1

Select Rule

Click on a deployed rule to open its details
2

Enable Auto-Update

Toggle the Auto-Update option to enabled
3

Automatic Deployment

When new versions are released, they deploy automatically
You can enable auto-update for individual rules or set a workspace-wide default. Rules with auto-update disabled will show an “Update Available” indicator when new versions are released.

Frequently Asked Questions

No. CMS-deployed rules are tracked separately and won’t interfere with rules you’ve created manually in Sentinel. They coexist peacefully with your custom detections.
CMS rules are deployed as-is to ensure consistency and supportability. If you need custom modifications, you can use the rule as a template and create your own version in Sentinel directly.
You’ll see an error message with details about what went wrong. Common causes include permission issues or temporary Azure API unavailability. Failed deployments can be retried with a single click.
Our security engineering team continuously develops new detections based on emerging threats, customer feedback, and industry research. New rules are added regularly.
Yes. Each rule version includes information about what was modified—whether it’s an improvement to detection logic, a reduction in false positives, or a performance optimization.
You need the Data Source Admin, Content Admin, or Organization Admin role in ContraForce. You also need appropriate permissions in the target Azure tenant for Sentinel API access.
Yes. CMS supports bulk deployment across multiple Sentinel workspaces. Select the workspaces you want to target and enable the rules—they deploy to all selected workspaces simultaneously.

Best Practices

Begin by enabling rules with low false positive rates and high detection value. As you gain confidence in the system, expand to broader coverage.
For general-purpose detection rules, enable auto-update to stay current with threat landscape changes. Reserve manual approval for rules where you need tight change control.
Use the MITRE ATT&CK mappings to ensure you have detection coverage across the kill chain. Identify gaps and enable rules that address them.
Only enable rules for data sources you actually have connected. Enabling rules without the corresponding telemetry will result in rules that never fire.
Periodically review which rules are generating incidents. Rules that never trigger may indicate missing data sources or detections that aren’t relevant to your environment.

Learn More

Product Release Blog

A Better Way to Manage Detection Content

CISA Guidance for SIEM/SOAR

How MSSPs Can Implement CISA Guidance

Multi-Tenant Automation

10 Ways ContraForce Automates Multi-Tenant Management

User Roles Reference

Permissions for Users managing CMS across tenants

Module Overview

XDR vs XDR + SIEM modules

Sentinel Hunting

Advanced threat hunting in Sentinel

Notifications

Configure incident notifications

Capabilities Matrix

Full feature comparison by integration
Questions about the Content Management System? Contact us at [email protected].