The Microsoft Sentinel module connects ContraForce to your Microsoft Sentinel workspace, enabling centralized monitoring, real-time incident streaming, and the ability to act on Sentinel security data directly from the ContraForce platform.
What this module adds: Sentinel incident ingestion, Content Management System (CMS) for detection rules, email notifications, log search, and Azure Lighthouse cross-tenant management.
Who is this for? Workspace Admins and Data Source Admins deploying the Sentinel module from the Modules tab of a workspace in the ContraForce portal.

Prerequisites

Before starting, ensure you have the following:

Admin Role

Global Administrator — required to grant admin consent for ContraForce enterprise applications (service principals). Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions.

Workspace Role

ContraForce Workspace Role: Owner or Admin

Subscription Owner

Microsoft Subscription Permission: Owner — required to deploy the supporting Azure infrastructure

Additional Requirements

Requirement | Details
Microsoft Sentinel | Active Sentinel workspace in your Azure subscription
Log Analytics Workspace | The workspace linked to your Sentinel deployment
Resource Group Access | Ability to create resources in the subscription
No Conflicting Policies | Azure Policy must allow Lighthouse delegations
If you don’t have Subscription Owner permissions, the Azure deployment will fail. Contact your Azure administrator to obtain the necessary access or have them complete the deployment with you.
Consent model. ContraForce enterprise applications are consented with application (app-only) Microsoft Graph permissions. Admin consent for Microsoft Graph application permissions must be granted by a Global Administrator — Cloud Application Administrator and Application Administrator cannot grant it. Global Administrator is required for the one-time consent only and is not retained; activate it just-in-time with Privileged Identity Management (PIM) and deactivate afterward.

Because actions run as the application (no signed-in user required), operator control is enforced through Gamebook approval gates — only Workspace Owners can approve high-impact actions — and a complete audit trail in the Gamebooks History page.

What Gets Deployed

When you deploy the Sentinel module, ContraForce automatically provisions the Azure resources needed for integration. You do not deploy Lighthouse or the streaming infrastructure as separate manual steps — they are created as part of module deployment.
Component | Purpose
Azure Lighthouse | Cross-tenant delegation for multi-tenant management
Apollo Resource Group | Infrastructure for incident streaming
Logic App | Streams Sentinel incidents to ContraForce in real time
Automation Rule | Triggers the Logic App when incidents are created or updated
Role Assignments | Grants ContraForce service principals access to Sentinel

Azure Resources Reference

Complete list of all deployed resources with details

Step 1: Open the Modules Tab

  1. Open Your Workspace: Sign in at portal.contraforce.com, open the Workspace Center, and select the workspace you want to configure.
  2. Go to the Modules Tab: Open the workspace and select the Modules tab. This is where every module is enabled and consented.
  3. Locate Microsoft Sentinel: Find the Microsoft Sentinel module in the list of available modules.

Step 2: Verify Prerequisites

Before deploying, confirm you hold the required roles. The deployment will not complete without them.
Prerequisite | Required Value
Azure Role for Microsoft Tenant | Global Administrator
ContraForce Workspace Role | Owner or Admin
Microsoft Subscription Permission | Owner
If you’re missing any of these, obtain the required permissions before proceeding. The deployment will fail without proper access.

Step 3: Consent the Module

Consent is a single action per module on the Modules tab. Clicking Consent grants everything ContraForce needs for this module in one step.
  1. Click Consent: On the Microsoft Sentinel module, click Consent.
  2. Sign In as Global Administrator: A Microsoft consent window opens. Sign in with Global Administrator credentials.
  3. Accept Permissions: Review the requested permissions and click Accept to consent on behalf of your organization.
  4. Deploy the Supporting Azure Infrastructure: Consenting the module automatically deploys the supporting Azure resources — Azure Lighthouse delegation, the Apollo resource group, and the Sentinel-side Logic App and automation rule. You may be prompted to sign in with an account that has Subscription Owner permissions so the resources can be created.
Apollo resources are created in the customer’s Azure subscription. Standard Azure charges may apply for Logic App executions.

What the Sentinel Module Grants

Capability | Description
Cross-tenant visibility | View and manage Sentinel from the ContraForce portal
Incident access | Read and update incidents across tenants
Query execution | Run Log Analytics queries for threat hunting
Rule deployment | Deploy detection rules via CMS

Resources Created in Your Subscription

Resource | Type | Purpose
cf-apollo-[workspace] | Resource Group | Container for streaming resources
cf-incident-stream | Logic App | Processes and forwards incidents
cf-sentinel-connection | API Connection | Authenticates to Sentinel
cf-incident-trigger | Automation Rule | Triggers on incident changes

Threat Hunting Permissions

The Sentinel module grants the ContraForce Sentinel Hunting application read access to your Log Analytics data.
Application | Permissions | Purpose
ContraForce Sentinel Hunting | Log Analytics Reader | Execute KQL queries for threat hunting

Sentinel Hunting Application

Enterprise application details and permissions

Step 4: Verify Module Status

A workspace module is live when its status indicator turns green on its card. Confirm the Sentinel module is fully deployed:
  • Microsoft Sentinel module status light shows green
  • Sentinel incidents begin streaming into the Command Dashboard

Test Incident Sync

  1. Open the Command Dashboard: Navigate to the Command Dashboard in ContraForce.
  2. Check for Sentinel Incidents: Look for incidents with the Sentinel source indicator.
  3. Verify Incident Details: Click an incident to confirm entity enrichment and details are loading.
Incidents may take 5-15 minutes to appear initially. If you have existing incidents in Sentinel, they should sync automatically.

Post-Deployment Steps

Configure Notifications

With the Sentinel module active, you can now configure email notifications:
  1. Go to Notifications Settings: Navigate to workspace Settings → Notifications.
  2. Enable Severity Filters: Select which severity levels should trigger notifications.
  3. Save Settings: Click Save to apply your notification preferences.

Notifications Configuration

Complete guide to notification setup

Deploy Detection Rules

Use the Content Management System to deploy detection rules to your Sentinel workspace:
  1. Navigate to CMS: Go to Content Management System in the left navigation.
  2. Select Your Workspace: Choose the workspace you just deployed.
  3. Browse and Deploy Rules: Review available detection rules and enable those matching your data sources.

CMS Onboarding

Deploy detection rules to your Sentinel workspace

Troubleshooting

Common Issues

Issue | Cause | Solution
Subscription not visible | Insufficient permissions | Sign in with a Subscription Owner account
Deployment fails | Azure Policy restrictions | Check for policies blocking Lighthouse or resource creation
Lighthouse delegation fails | Existing delegation | Remove the existing Lighthouse delegation and retry
Consent fails | Insufficient role | Grant consent with Global Administrator credentials
No incidents appearing | No incidents in Sentinel | Verify incidents exist in the Sentinel portal
Apollo Logic App disabled | Deployment issue | Manually enable the Logic App in the Azure portal
Consent popup blocked | Browser settings | Allow popups from portal.contraforce.com

Verifying Azure Resources

To verify resources deployed correctly:
  1. Open Azure Portal: Navigate to portal.azure.com.
  2. Check Resource Group: Search for the Apollo resource group (cf-apollo-[workspace]).
  3. Verify Logic App: Confirm the Logic App exists and is Enabled.
  4. Check Automation Rule: In Sentinel, go to Automation → Automation Rules and verify the ContraForce rule exists.
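The same verification can be scripted so it is repeatable after every deployment. The following Python script is an added example, not ContraForce's own tooling and not part of the original page: it checks the four items above plus the Log Analytics Reader assignment documented under Threat Hunting Permissions, using the Azure CLI. It assumes az is installed and signed in to the customer subscription with the logic, sentinel and managedservices command groups available (the first two are CLI extensions); HUNTING_APP_ID is a placeholder to fill in from the Enterprise applications blade; SAMPLE_STATE is constructed data; and the JSON field names it reads (state, triggeringLogic.isEnabled, properties.provisioningState, roleDefinitionName) are assumed from those commands' output.

```python
"""Post-deployment verification for the ContraForce Sentinel module.

Added example, not ContraForce's own tooling. Assumes the Azure CLI is
installed and logged in, with the `logic`, `sentinel` and `managedservices`
command groups available. collect() is the only part that talks to Azure;
evaluate() is pure over the returned JSON, so it runs offline on SAMPLE_STATE.
"""
import json
import subprocess
import sys

# Placeholder: object id of the "ContraForce Sentinel Hunting" enterprise application.
HUNTING_APP_ID = "<object-id-of-ContraForce-Sentinel-Hunting>"
EXPECTED_HUNTING_ROLE = "Log Analytics Reader"  # the only role the page documents for it


def az(*args):
    """Run one Azure CLI command and return its parsed JSON output.
    A non-zero exit (e.g. resource not found) is reported as None."""
    proc = subprocess.run(["az", *args, "-o", "json"], capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return json.loads(proc.stdout)


def collect(subscription, workspace_tag, sentinel_rg, sentinel_workspace):
    """Gather the state of each component the page lists as deployed."""
    apollo_rg = f"cf-apollo-{workspace_tag}"
    return {
        "resource_group": az("group", "show", "--subscription", subscription, "-n", apollo_rg),
        "logic_app": az("logic", "workflow", "show", "--subscription", subscription,
                        "-g", apollo_rg, "-n", "cf-incident-stream"),
        "automation_rules": az("sentinel", "automation-rule", "list", "--subscription",
                               subscription, "-g", sentinel_rg, "--workspace-name", sentinel_workspace),
        "delegations": az("managedservices", "assignment", "list", "--subscription", subscription),
        "hunting_roles": az("role", "assignment", "list", "--subscription", subscription,
                            "--assignee", HUNTING_APP_ID, "--all"),
    }


# Constructed sample of a healthy deployment; field names assumed from the CLI's JSON output.
SAMPLE_STATE = {
    "resource_group": {"name": "cf-apollo-contoso", "location": "eastus"},
    "logic_app": {"name": "cf-incident-stream", "state": "Enabled"},
    "automation_rules": [{"name": "cf-incident-trigger", "displayName": "ContraForce Incident Trigger",
                          "triggeringLogic": {"isEnabled": True, "triggersOn": "Incidents"}}],
    "delegations": [{"name": "00000000-0000-0000-0000-000000000000",
                     "properties": {"provisioningState": "Succeeded"}}],
    "hunting_roles": [{"roleDefinitionName": "Log Analytics Reader",
                       "scope": "/subscriptions/<sub>/resourceGroups/<rg>"}],
}


def evaluate(state):
    """Return (check, passed, detail) triples. Pure: no network access."""
    findings = []
    rg = state.get("resource_group")
    findings.append(("Apollo resource group exists", rg is not None,
                     rg["name"] if rg else "not found"))
    # The troubleshooting table's "Apollo Logic App disabled" case shows up here.
    la_state = (state.get("logic_app") or {}).get("state")
    findings.append(("cf-incident-stream Logic App is Enabled", la_state == "Enabled",
                     la_state or "not found"))
    rules = state.get("automation_rules") or []
    cf_rules = [r for r in rules if r.get("name") == "cf-incident-trigger"
                or "contraforce" in (r.get("displayName") or "").lower()]
    # triggeringLogic.isEnabled is the REST property; a missing field is treated as enabled.
    enabled = [r for r in cf_rules if (r.get("triggeringLogic") or {}).get("isEnabled", True)]
    findings.append(("ContraForce automation rule exists and is enabled", bool(enabled),
                     f"{len(cf_rules)} matching rule(s), {len(enabled)} enabled"))
    delegations = state.get("delegations") or []
    succeeded = [d for d in delegations
                 if (d.get("properties") or d).get("provisioningState") == "Succeeded"]
    findings.append(("Lighthouse delegation provisioned", bool(succeeded),
                     f"{len(delegations)} delegation(s), {len(succeeded)} succeeded"))
    # Least-privilege check: any role beyond the documented one is flagged for review.
    roles = sorted({r.get("roleDefinitionName") or "?" for r in state.get("hunting_roles") or []})
    findings.append((f"Sentinel Hunting app holds only '{EXPECTED_HUNTING_ROLE}'",
                     roles == [EXPECTED_HUNTING_ROLE], ", ".join(roles) or "no assignments"))
    return findings


def all_passed(findings):
    return all(passed for _, passed, _ in findings)


if __name__ == "__main__":
    if sys.argv[1:] == ["--sample"]:
        results = evaluate(SAMPLE_STATE)
    elif len(sys.argv) == 5:
        results = evaluate(collect(*sys.argv[1:]))
    else:
        sys.exit("usage: --sample | <subscription> <workspace-tag> <sentinel-rg> <sentinel-workspace>")
    for check, passed, detail in results:
        print(f"[{'PASS' if passed else 'FAIL'}] {check}: {detail}")
    sys.exit(0 if all_passed(results) else 1)
```

Run it with --sample to exercise the checks offline, or pass the subscription id, the workspace tag that completes cf-apollo-[workspace], and the resource group and name of the Sentinel workspace. A FAIL on the Logic App line corresponds to the "Apollo Logic App disabled" row of the troubleshooting table; a FAIL on the delegation line corresponds to "Lighthouse delegation fails". The role check fails closed in both directions: no assignment means hunting queries cannot run, and any extra role beyond Log Analytics Reader is worth a look before it is accepted.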

Lighthouse Troubleshooting

If Lighthouse delegation fails:
  1. Check Azure Policy — Some organizations restrict Lighthouse delegations
  2. Remove existing delegations — Conflicting delegations can cause failures
  3. Verify permissions — Subscription Owner is required
  4. Check tenant settings — Ensure cross-tenant access isn’t blocked

To remove an existing delegation:
  1. Go to Azure Portal → Service providers
  2. Find any existing ContraForce delegations
  3. Click on the delegation and select Delete
  4. Wait for deletion to complete
  5. Retry the deployment in ContraForce

To enable a disabled Logic App:
  1. Go to Azure Portal → Resource Groups
  2. Open the cf-apollo-[workspace] resource group
  3. Click on the Logic App resource
  4. Click Enable if the Logic App is disabled
  5. Verify the Logic App shows “Enabled” status

Module Capabilities Unlocked

With the Sentinel module deployed, you now have access to:

Sentinel Incidents

Real-time incident ingestion from Microsoft Sentinel

Email Notifications

Instant alerts when new incidents are created

Content Management System

Deploy and manage detection rules at scale

Log Search

Query Log Analytics for threat hunting

Cross-Tenant Management

Manage multiple Sentinel workspaces from one portal

Advanced Threat Hunting

Execute KQL queries across customer environments

Next Steps

Configure Notifications

Set up email alerts for incidents

Deploy Detection Rules

Use CMS to deploy Sentinel rules

Add Users

Grant team access in Settings → User Management

Incident Management

Start triaging Sentinel incidents

Defender Module

Defender for Endpoint integration

Azure Resources

Complete resource reference

CMS Overview

Detection rule management

Need help with Sentinel module deployment? Contact us at support@contraforce.com.