CMS requires the Microsoft Sentinel module. If you only have the XDR module deployed, you’ll need to upgrade before using CMS. See Module Overview for details.
Before You Begin
Prerequisites
Ensure you have the following before starting:
Microsoft Sentinel Module
Your workspace must have the Microsoft Sentinel module deployed with Microsoft Sentinel connected
Required Permissions
You need Data Source Admin, Content Admin, or Organization Admin role in ContraForce
Sentinel Access
Your ContraForce service principal must have appropriate permissions in the target Sentinel workspace
Required Roles
| ContraForce Role | Can Deploy Rules | Can Enable Auto-Update | Can Remove Rules |
|---|---|---|---|
| Organization Admin | ✓ | ✓ | ✓ |
| Content Admin | ✓ | ✓ | ✓ |
| Data Source Admin | ✓ | ✓ | ✓ |
| Incident Responder | — | — | — |
| Incident Analyst | — | — | — |
User Roles Reference
View complete permissions for all roles
Step 1: Access the Content Management System
Select Workspace
If you manage multiple workspaces, select the workspace you want to configure from the dropdown

Step 2: Understand the CMS Interface
Dashboard Overview
The CMS interface is organized by data source, with each section showing:
| Element | Description |
|---|---|
| Data Source Name | The telemetry source (e.g., Azure AD, Microsoft 365) |
| Available Rules | Total number of detection rules available for this source |
| Deployed Rules | How many rules are currently active in your workspace |
| Updates Available | Rules with newer versions ready to deploy |
Rule List View
Clicking into a data source shows all available rules:
| Column | Description |
|---|---|
| Toggle | Enable/disable switch for the rule |
| Rule Name | Detection rule display name |
| Severity | Low, Medium, or High |
| MITRE Tactics | ATT&CK framework mapping |
| Version | Current rule version (CalVer format) |
| Status | Deployed, Not Deployed, or Update Available |
| Auto-Update | Whether automatic updates are enabled |
Rule Details
Click any rule to view complete details:
- Full description of what the rule detects
- MITRE ATT&CK tactics and techniques
- Query frequency and time period
- The actual KQL query (for transparency)
- Version history and changelog
Step 3: Review Your Data Connectors
Before deploying rules, verify which data sources are active in your Sentinel workspace.
Check Data Connector Status
Common Data Source Mappings
| Connector | CMS Data Source Category |
|---|---|
| Azure Active Directory | Azure AD / Entra ID |
| Microsoft 365 | Microsoft 365 |
| Microsoft Defender for Endpoint | Windows Security Events |
| Azure Activity | Azure Activity |
| Azure Security Center | Azure Security Center |
| Syslog | Linux Syslog |
Step 4: Deploy Your First Detection Rules
Start with a focused deployment to familiarize yourself with the process.
Recommended Starting Point
We recommend starting with Azure AD / Entra ID rules if you have that connector active. These rules detect:
- Suspicious sign-in activity
- Privilege escalation attempts
- Conditional access policy changes
- Service principal abuse
- And more identity-based threats
Deploying Rules

Deployment Status Indicators
| Status | Meaning |
|---|---|
| Not Deployed | Rule is available but not active |
| Deploying | Rule deployment in progress |
| Deployed | Rule is active in your Sentinel workspace |
| Failed | Deployment encountered an error (click for details) |
| Update Available | Newer version exists for a deployed rule |
Step 5: Bulk Deployment (Optional)
Once comfortable with individual deployments, you can enable multiple rules at once.
Enable All Rules for a Data Source
Bulk Deployment Considerations
Start with high-confidence rules
Consider enabling only High and Medium severity rules initially to minimize noise while you tune your environment.
Deploy in phases
For large deployments, consider enabling one data source category at a time. This makes it easier to identify which rules generate the most valuable alerts.
Monitor for false positives
After bulk deployment, monitor incident volume for a few days. Disable rules that generate excessive false positives while you investigate.
Step 6: Configure Automatic Updates
Keep your detection rules current by enabling automatic updates.
Understanding Auto-Update
When enabled, CMS automatically deploys new rule versions when they’re released:
- Security improvements — Updated logic to catch new attack variants
- False positive reduction — Refined queries to reduce noise
- Performance optimization — More efficient queries that run faster
Enabling Auto-Update
- Per-Rule
- Bulk Enable
- Workspace Default
When to disable auto-update: If you have strict change management requirements, disable auto-update and manually review each update before deploying. The “Update Available” indicator will alert you to new versions.
Step 7: Deploy to Additional Workspaces
For MSSPs managing multiple customers, replicate your detection coverage across workspaces.
Multi-Workspace Deployment
Deployment Templates (Coming Soon)
ContraForce is developing deployment templates that let you define a standard rule set and deploy it across multiple workspaces simultaneously. Contact support@contraforce.com to express interest.
Step 8: Verify Deployment in Sentinel
Confirm your rules are active in Microsoft Sentinel.
Verification Steps
What to Look For
| Verification Point | Expected Result |
|---|---|
| Rule exists in Analytics | Rule appears in Active rules list |
| Rule is enabled | Status shows “Enabled” |
| Rule is running | “Last run” shows recent timestamp |
| Rule configuration | Query, frequency, and period match CMS settings |
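The table above is checked by hand in the Sentinel portal. The KQL below is an added example (not from the ContraForce docs) that performs the "rule is running" check for every analytics rule at once; it assumes Microsoft Sentinel health monitoring is enabled for analytics rules, which is what populates the SentinelHealth table.

```kql
// Added example, not part of the ContraForce documentation.
// Assumes Sentinel health monitoring for analytics rules is turned on,
// so each rule run writes a record to the SentinelHealth table.
let lookback = 1d;
SentinelHealth
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Analytics Rule"
// keep only the most recent health record per rule
| summarize arg_max(TimeGenerated, Status, Description, Reason) by SentinelResourceName
| extend LastRun = TimeGenerated
| project SentinelResourceName, LastRun, Status, Reason, Description
// failures first, then the rules that ran least recently
| order by Status asc, LastRun asc
```

A deployed rule that is absent from this output within its query frequency has not run in the lookback window; compare it against the "Status" column in CMS and the Failed indicator from Step 4.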
Post-Deployment Checklist
After completing your initial CMS deployment:
Set Up Notifications
Configure incident notifications for new Sentinel incidents
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Deployment fails | Permission issue | Verify Sentinel API permissions are granted |
| Deployment fails | Azure API unavailable | Wait and retry—temporary outages happen |
| Rule never fires | No matching data | Verify data connector is active and sending logs |
| Rule never fires | Query period too short | Check if relevant events occurred in the query window |
| Too many incidents | Rule too broad | Consider disabling or requesting rule tuning |
| Can’t see CMS option | Wrong module | Verify XDR + SIEM module is deployed |
| Can’t deploy rules | Insufficient role | Request Data Source Admin or higher role |
Getting Help
If you encounter issues:
- Check the error message — CMS provides detailed error information
- Verify permissions — Ensure your role allows rule deployment
- Check Sentinel access — Confirm the ContraForce service principal has API access
- Contact support — Email support@contraforce.com with workspace details
Recommended Deployment Strategy
Phase 1: Foundation (Week 1)
Focus on identity and access:
- ✅ Azure AD / Entra ID rules (all severities)
- ✅ Enable auto-update for these rules
- ✅ Monitor for 5-7 days
Phase 2: Expand (Week 2)
Add Microsoft 365 and Azure infrastructure:
- ✅ Microsoft 365 rules
- ✅ Azure Activity rules
- ✅ Azure Security Center rules
Phase 3: Complete (Week 3+)
Enable remaining data sources:
- ✅ Windows Security Events
- ✅ Linux Syslog
- ✅ Network Security Groups
- ✅ DNS Analytics
- ✅ Any additional connected sources
Phase 4: Optimize (Ongoing)
Continuous improvement:
- Review incident quality weekly
- Disable low-value rules
- Enable new rules as they’re released
- Ensure auto-update is enabled for standard rules
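Step 5 ("Monitor for false positives") and Phase 4 ("Review incident quality weekly") both ask you to find rules that generate excessive false positives. The KQL below is an added example (not from the ContraForce docs) that ranks analytics rules by incident volume and false-positive rate over the last week; it assumes analysts set a Classification when closing incidents, since the rate is computed from closed incidents only.

```kql
// Added example, not part of the ContraForce documentation.
// Assumes incidents are closed with a Classification
// (TruePositive, BenignPositive, FalsePositive, Undetermined).
let lookback = 7d;
SecurityIncident
| where CreatedTime > ago(lookback)
// SecurityIncident records every update; keep the latest state of each incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// an incident can be linked to more than one rule; one row per rule
| mv-expand RuleId = RelatedAnalyticRuleIds to typeof(string)
| summarize
    RuleTitle      = take_any(Title),
    Incidents      = count(),
    Closed         = countif(Status == "Closed"),
    FalsePositives = countif(Classification == "FalsePositive"),
    HighSeverity   = countif(Severity == "High")
  by RuleId
// rate relative to closed incidents; max_of avoids division by zero
| extend FalsePositivePct = round(100.0 * FalsePositives / max_of(Closed, 1), 1)
| project RuleTitle, RuleId, Incidents, Closed, FalsePositives, FalsePositivePct, HighSeverity
| order by FalsePositivePct desc, Incidents desc
```

Rules at the top of this list with many closed incidents and a high FalsePositivePct are the candidates for disabling in CMS or for requesting rule tuning (see Troubleshooting).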
Next Steps
CMS Overview
Deep dive into CMS capabilities
Incident Management
Handle incidents generated by CMS rules
Notifications
Configure alerts for new incidents
Sentinel Threat Hunting
Proactive threat hunting in Sentinel
Questions about CMS onboarding? Contact us at support@contraforce.com.