CMS requires the Microsoft Sentinel module. If you only have the XDR module deployed, you’ll need to upgrade before using CMS. See Module Overview for details.
Before You Begin
Prerequisites
Ensure you have the following before starting:

1. Microsoft Sentinel Module: Your workspace must have the Microsoft Sentinel module deployed with Microsoft Sentinel connected.
2. Required Permissions: You need the Data Source Admin, Content Admin, or Organization Admin role in ContraForce.
3. Sentinel Access: Your ContraForce service principal must have appropriate permissions in the target Sentinel workspace.
4. Active Data Connectors: Data connectors should be configured for the data sources you want detection rules for.
Required Roles
| ContraForce Role | Can Deploy Rules | Can Enable Auto-Update | Can Remove Rules |
|---|---|---|---|
| Organization Admin | ✓ | ✓ | ✓ |
| Content Admin | ✓ | ✓ | ✓ |
| Data Source Admin | ✓ | ✓ | ✓ |
| Incident Responder | — | — | — |
| Incident Analyst | — | — | — |
User Roles Reference
View complete permissions for all roles
Step 1: Access the Content Management System
1. Navigate to CMS: From the ContraForce navigation menu, click Content Management or CMS.
2. Select Workspace: If you manage multiple workspaces, select the workspace you want to configure from the dropdown.
3. View Dashboard: The CMS dashboard displays available data sources and deployment status.

Step 2: Understand the CMS Interface
Dashboard Overview
The CMS interface is organized by data source, with each section showing:

| Element | Description |
|---|---|
| Data Source Name | The telemetry source (e.g., Azure AD, Microsoft 365) |
| Available Rules | Total number of detection rules available for this source |
| Deployed Rules | How many rules are currently active in your workspace |
| Updates Available | Rules with newer versions ready to deploy |
Rule List View
Clicking into a data source shows all available rules:
| Column | Description |
|---|---|
| Toggle | Enable/disable switch for the rule |
| Rule Name | Detection rule display name |
| Severity | Low, Medium, or High |
| MITRE Tactics | ATT&CK framework mapping |
| Version | Current rule version (CalVer format) |
| Status | Deployed, Not Deployed, or Update Available |
| Auto-Update | Whether automatic updates are enabled |
Rule Details
Click any rule to view complete details:

- Full description of what the rule detects
- MITRE ATT&CK tactics and techniques
- Query frequency and time period
- The actual KQL query (for transparency)
- Version history and changelog
Step 3: Review Your Data Connectors
Before deploying rules, verify which data sources are active in your Sentinel workspace.
Check Data Connector Status

1. Navigate to Data Connectors: Go to the Data Connectors page in ContraForce.
2. Review Connected Sources: Note which connectors show “Connected” status.
3. Match to CMS Categories: Map your connected sources to CMS data source categories.
Common Data Source Mappings
| Connector | CMS Data Source Category |
|---|---|
| Azure Active Directory | Azure AD / Entra ID |
| Microsoft 365 | Microsoft 365 |
| Microsoft Defender for Endpoint | Windows Security Events |
| Azure Activity | Azure Activity |
| Azure Security Center | Azure Security Center |
| Syslog | Linux Syslog |
Step 4: Deploy Your First Detection Rules
Start with a focused deployment to familiarize yourself with the process.
Recommended Starting Point
We recommend starting with Azure AD / Entra ID rules if you have that connector active. These rules detect:

- Suspicious sign-in activity
- Privilege escalation attempts
- Conditional access policy changes
- Service principal abuse
- And more identity-based threats
Deploying Rules

1. Select Data Source: Click on Azure AD (or your chosen data source) in the CMS dashboard.
2. Review Available Rules: Browse the list of available detection rules.
3. Check Rule Details: Click on a few rules to understand what they detect and their severity.
4. Enable Rules: Toggle the switch to Enabled for rules you want to deploy.
5. Monitor Deployment: Watch the status indicator—it will show “Deploying” then “Deployed”.

Deployment Status Indicators
| Status | Meaning |
|---|---|
| Not Deployed | Rule is available but not active |
| Deploying | Rule deployment in progress |
| Deployed | Rule is active in your Sentinel workspace |
| Failed | Deployment encountered an error (click for details) |
| Update Available | Newer version exists for a deployed rule |
Step 5: Bulk Deployment (Optional)
Once comfortable with individual deployments, you can enable multiple rules at once.
Enable All Rules for a Data Source

1. Select Data Source: Navigate to the data source category.
2. Use Bulk Actions: Click Enable All or use the bulk selection checkboxes.
3. Confirm Deployment: Review the rules to be deployed and confirm.
4. Monitor Progress: The dashboard shows deployment progress for all rules.
Bulk Deployment Considerations
- Start with high-confidence rules: Consider enabling only High and Medium severity rules initially to minimize noise while you tune your environment.
- Deploy in phases: For large deployments, consider enabling one data source category at a time. This makes it easier to identify which rules generate the most valuable alerts.
- Monitor for false positives: After bulk deployment, monitor incident volume for a few days. Disable rules that generate excessive false positives while you investigate.
Step 6: Configure Automatic Updates
Keep your detection rules current by enabling automatic updates.
Understanding Auto-Update
When enabled, CMS automatically deploys new rule versions when they’re released:

- Security improvements — Updated logic to catch new attack variants
- False positive reduction — Refined queries to reduce noise
- Performance optimization — More efficient queries that run faster
Enabling Auto-Update
Auto-update can be enabled per rule, in bulk, or as a workspace default. To enable auto-update for individual rules:

1. Open Rule Details: Click on a deployed rule to view its details.
2. Toggle Auto-Update: Enable the Auto-Update switch.
3. Confirm: The rule will now automatically update when new versions are released.
When to disable auto-update: If you have strict change management requirements, disable auto-update and manually review each update before deploying. The “Update Available” indicator will alert you to new versions.
Step 7: Deploy to Additional Workspaces
For MSSPs managing multiple customers, replicate your detection coverage across workspaces.
Multi-Workspace Deployment

1. Return to Dashboard: Go back to the main CMS dashboard.
2. Select Different Workspace: Use the workspace selector to switch to another customer.
3. Repeat Deployment: Enable the same rules for consistency across your customer base.
Deployment Templates (Coming Soon)
ContraForce is developing deployment templates that let you define a standard rule set and deploy it across multiple workspaces simultaneously. Contact [email protected] to express interest.
Step 8: Verify Deployment in Sentinel
Confirm your rules are active in Microsoft Sentinel.
Verification Steps

1. Open Azure Portal: Navigate to your Microsoft Sentinel workspace in the Azure portal.
2. Go to Analytics: Click Analytics in the Sentinel navigation.
3. View Active Rules: Click the Active rules tab.
4. Find CMS Rules: Search for rules deployed by CMS—they’ll have consistent naming.
What to Look For
| Verification Point | Expected Result |
|---|---|
| Rule exists in Analytics | Rule appears in Active rules list |
| Rule is enabled | Status shows “Enabled” |
| Rule is running | “Last run” shows a recent timestamp |
| Rule configuration | Query, frequency, and period match CMS settings |
Post-Deployment Checklist
After completing your initial CMS deployment:

1. Document Deployed Rules: Record which rules you’ve enabled for each workspace.
2. Set Up Notifications: Configure incident notifications for new Sentinel incidents.
3. Monitor Incident Volume: Watch the Command Page for new incidents generated by your rules.
4. Review After 7 Days: Assess which rules are generating value vs. noise.
5. Tune as Needed: Disable noisy rules or work with ContraForce to improve detections.
6. Expand Coverage: Enable additional data sources and rules as you gain confidence.
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Deployment fails | Permission issue | Verify Sentinel API permissions are granted |
| Deployment fails | Azure API unavailable | Wait and retry—temporary outages happen |
| Rule never fires | No matching data | Verify data connector is active and sending logs |
| Rule never fires | Query period too short | Check if relevant events occurred in the query window |
| Too many incidents | Rule too broad | Consider disabling or requesting rule tuning |
| Can’t see CMS option | Wrong module | Verify XDR + SIEM module is deployed |
| Can’t deploy rules | Insufficient role | Request Data Source Admin or higher role |
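A KQL query that automates the “Rule is running” check from Step 8 and triages the “Rule never fires” rows above, added here as an example and not part of the ContraForce documentation or CMS itself. It assumes Sentinel health monitoring is turned on in the workspace (so the SentinelHealth table is populated); the 7-day lookback and 1-day staleness threshold are assumptions you can adjust.

```kql
// Added example (not from the ContraForce docs): per-rule run health joined with alert volume.
// Assumes SentinelHealth is populated (health monitoring enabled in Sentinel > Settings).
let lookback = 7d;          // assumption: how far back to look
let staleAfter = 1d;        // assumption: a scheduled rule with no run in 1 day is suspicious
let runs = SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Analytics Rule"
    | summarize LastRun = max(TimeGenerated),
                Runs = count(),
                Failures = countif(Status == "Failure"),
                LastFailureReason = take_anyif(Reason, Status == "Failure")
        by SentinelResourceName;
// Alerts raised by scheduled analytics rules; AlertName is the rule display name.
let alerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "ASI Scheduled Alerts"
    | summarize Alerts = count() by AlertName;
runs
| join kind=leftouter alerts on $left.SentinelResourceName == $right.AlertName
| extend Alerts = coalesce(Alerts, 0)
// Map each rule to the matching troubleshooting row.
| extend Finding = case(
    Failures > 0,              "Run failures: see LastFailureReason (often permissions or query errors)",
    LastRun < ago(staleAfter), "No recent run: confirm the rule is enabled in Analytics",
    Alerts == 0,               "Runs but never fires: verify the data connector is active and sending logs",
                               "Healthy")
| project SentinelResourceName, LastRun, Runs, Failures, LastFailureReason, Alerts, Finding
| order by Finding asc, SentinelResourceName asc
```

Filter `SentinelResourceName` on the consistent CMS naming mentioned in Step 8 to restrict the output to CMS-deployed rules.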
Getting Help
If you encounter issues:

- Check the error message — CMS provides detailed error information
- Verify permissions — Ensure your role allows rule deployment
- Check Sentinel access — Confirm the ContraForce service principal has API access
- Contact support — Email [email protected] with workspace details
Recommended Deployment Strategy
Phase 1: Foundation (Week 1)
Focus on identity and access:

- ✅ Azure AD / Entra ID rules (all severities)
- ✅ Enable auto-update for these rules
- ✅ Monitor for 5-7 days
Phase 2: Expand (Week 2)
Add Microsoft 365 and Azure infrastructure:

- ✅ Microsoft 365 rules
- ✅ Azure Activity rules
- ✅ Azure Security Center rules
Phase 3: Complete (Week 3+)
Enable remaining data sources:

- ✅ Windows Security Events
- ✅ Linux Syslog
- ✅ Network Security Groups
- ✅ DNS Analytics
- ✅ Any additional connected sources
Phase 4: Optimize (Ongoing)
Continuous improvement:

- Review incident quality weekly
- Disable low-value rules
- Enable new rules as they’re released
- Ensure auto-update is enabled for standard rules
Next Steps
CMS Overview
Deep dive into CMS capabilities
Incident Management
Handle incidents generated by CMS rules
Notifications
Configure alerts for new incidents
Sentinel Threat Hunting
Proactive threat hunting in Sentinel
Questions about CMS onboarding? Contact us at [email protected].