> ## Documentation Index
> Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Microsoft Sentinel Integration

> Deploy the Microsoft Sentinel module to enable SIEM integration, real-time incident streaming, detection rules via CMS, and advanced threat hunting capabilities.

The Microsoft Sentinel module connects ContraForce to your Microsoft Sentinel workspace, enabling centralized monitoring, real-time incident streaming, and the ability to act on Sentinel security data directly from the ContraForce platform.

<Info>
  **What this module adds:** Sentinel incident ingestion, Content Management System (CMS) for detection rules, email notifications, log search, and Azure Lighthouse cross-tenant management.
</Info>

<Info>
  **Who is this for?** Workspace Admins and Data Source Admins deploying the Sentinel module from the **Modules** tab of a workspace in the ContraForce portal.
</Info>

***

## Prerequisites

Before starting, ensure you have the following:

<CardGroup cols={3}>
  <Card icon="user-shield" title="Admin Role">
    **Global Administrator** — required to grant admin consent for ContraForce enterprise applications (service principals). Cloud Application Administrator and Application Administrator cannot grant consent for Microsoft Graph application permissions.
  </Card>

  <Card icon="building" title="Workspace Role">
    ContraForce Workspace Role: **Owner** or **Admin**
  </Card>

  <Card icon="cloud" title="Subscription Owner">
    Microsoft Subscription Permission: **Owner** — required to deploy the supporting Azure infrastructure
  </Card>
</CardGroup>

### Additional Requirements

| Requirement                 | Details                                              |
| --------------------------- | ---------------------------------------------------- |
| **Microsoft Sentinel**      | Active Sentinel workspace in your Azure subscription |
| **Log Analytics Workspace** | The workspace linked to your Sentinel deployment     |
| **Resource Group Access**   | Ability to create resources in the subscription      |
| **No Conflicting Policies** | Azure Policy must allow Lighthouse delegations       |

<Warning>
  If you don't have Subscription Owner permissions, the Azure deployment will fail. Contact your Azure administrator to obtain the necessary access or have them complete the deployment with you.
</Warning>

<Warning>
  **Consent model.** ContraForce enterprise applications are consented with **application (app-only)** Microsoft Graph permissions. Admin consent for Microsoft Graph application permissions must be granted by a **Global Administrator** — Cloud Application Administrator and Application Administrator cannot grant it. Global Administrator is required for the one-time consent only and is not retained; activate it just-in-time with Privileged Identity Management (PIM) and deactivate afterward.

  Because actions run as the application (no signed-in user required), operator control is enforced through **Gamebook approval gates** — only Workspace Owners can approve high-impact actions — and a complete **audit trail** in the Gamebooks History page.
</Warning>

***

## What Gets Deployed

When you deploy the Sentinel module, ContraForce **automatically** provisions the Azure resources needed for integration. You do not deploy Lighthouse or the streaming infrastructure as separate manual steps — they are created as part of module deployment.

| Component                 | Purpose                                                   |
| ------------------------- | --------------------------------------------------------- |
| **Azure Lighthouse**      | Cross-tenant delegation for multi-tenant management       |
| **Apollo Resource Group** | Infrastructure for incident streaming                     |
| **Logic App**             | Streams Sentinel incidents to ContraForce in real-time    |
| **Automation Rule**       | Triggers the Logic App when incidents are created/updated |
| **Role Assignments**      | Grants ContraForce service principals access to Sentinel  |

<Card icon="server" href="/guides/technical/azure-resources-deployed" title="Azure Resources Reference">
  Complete list of all deployed resources with details
</Card>

***

## Step 1: Open the Modules Tab

<Steps>
  <Step title="Open Your Workspace">
    Sign in at [portal.contraforce.com](https://portal.contraforce.com), open the **Workspace Center**, and select the workspace you want to configure.
  </Step>

  <Step title="Go to the Modules Tab">
    Open the workspace and select the **Modules** tab. This is where every module is enabled and consented.
  </Step>

  <Step title="Locate Microsoft Sentinel">
    Find the **Microsoft Sentinel** module in the list of available modules.
  </Step>
</Steps>

***

## Step 2: Verify Prerequisites

Before deploying, confirm you hold the required roles. The deployment will not complete without them.

| Prerequisite                      | Required Value       |
| --------------------------------- | -------------------- |
| Azure Role for Microsoft Tenant   | Global Administrator |
| ContraForce Workspace Role        | Owner or Admin       |
| Microsoft Subscription Permission | Owner                |

<Note>
  If you're missing any of these, obtain the required permissions before proceeding. The deployment will fail without proper access.
</Note>

***

## Step 3: Consent the Microsoft Sentinel Module

Consent is a **single action per module** on the **Modules** tab. Clicking **Consent** grants everything ContraForce needs for this module in one step.

<Steps>
  <Step title="Click Consent">
    On the **Microsoft Sentinel** module, click **Consent**.
  </Step>

  <Step title="Sign In as Global Administrator">
    A Microsoft consent window opens. Sign in with **Global Administrator** credentials.
  </Step>

  <Step title="Accept Permissions">
    Review the requested permissions and click **Accept** to consent on behalf of your organization.
  </Step>

  <Step title="Deploy the Supporting Azure Infrastructure">
    Consenting the module **automatically deploys** the supporting Azure resources — Azure Lighthouse delegation, the Apollo resource group, and the Sentinel-side Logic App and automation rule. You may be prompted to sign in with an account that has **Subscription Owner** permissions so the resources can be created.
  </Step>
</Steps>

<Note>
  Apollo resources are created in the customer's Azure subscription. Standard Azure charges may apply for Logic App executions.
</Note>

### What the Sentinel Module Grants

| Capability                  | Description                                          |
| --------------------------- | ---------------------------------------------------- |
| **Cross-tenant visibility** | View and manage Sentinel from the ContraForce portal |
| **Incident access**         | Read and update incidents across tenants             |
| **Query execution**         | Run Log Analytics queries for threat hunting         |
| **Rule deployment**         | Deploy detection rules via CMS                       |

### Resources Created in Your Subscription

| Resource                   | Type            | Purpose                           |
| -------------------------- | --------------- | --------------------------------- |
| **cf-apollo-\[workspace]** | Resource Group  | Container for streaming resources |
| **cf-incident-stream**     | Logic App       | Processes and forwards incidents  |
| **cf-sentinel-connection** | API Connection  | Authenticates to Sentinel         |
| **cf-incident-trigger**    | Automation Rule | Triggers on incident changes      |

### Threat Hunting Permissions

The Sentinel module grants the **ContraForce Sentinel Hunting** application read access to your Log Analytics data.

| Application                      | Permissions          | Purpose                                |
| -------------------------------- | -------------------- | -------------------------------------- |
| **ContraForce Sentinel Hunting** | Log Analytics Reader | Execute KQL queries for threat hunting |

<Card icon="magnifying-glass" href="/guides/technical/contraforce-sentinel-hunting-enterprise-application" title="Sentinel Hunting Application">
  Enterprise application details and permissions
</Card>

***

## Step 4: Verify Module Status

A workspace module is live when its status indicator turns **green** on its card. Confirm the Sentinel module is fully deployed:

* Microsoft Sentinel module status light shows **green**
* Sentinel incidents begin streaming into the Command Dashboard

### Test Incident Sync

<Steps>
  <Step title="Open the Command Dashboard">
    Navigate to the **Command Dashboard** in ContraForce.
  </Step>

  <Step title="Check for Sentinel Incidents">
    Look for incidents with the Sentinel source indicator.
  </Step>

  <Step title="Verify Incident Details">
    Click an incident to confirm entity enrichment and details are loading.
  </Step>
</Steps>

<Tip>
  Incidents may take 5-15 minutes to appear initially. If you have existing incidents in Sentinel, they should sync automatically.
</Tip>

***

## Post-Deployment Steps

### Configure Notifications

With the Sentinel module active, you can now configure email notifications:

<Steps>
  <Step title="Go to Notifications Settings">
    Navigate to workspace **Settings → Notifications**.
  </Step>

  <Step title="Enable Severity Filters">
    Select which severity levels should trigger notifications.
  </Step>

  <Step title="Save Settings">
    Click **Save** to apply your notification preferences.
  </Step>
</Steps>

<Card icon="bell" href="/guides/technical/notifications-configuration" title="Notifications Configuration">
  Complete guide to notification setup
</Card>

### Deploy Detection Rules

Use the Content Management System to deploy detection rules to your Sentinel workspace:

<Steps>
  <Step title="Navigate to CMS">
    Go to **Content Management System** in the left navigation.
  </Step>

  <Step title="Select Your Workspace">
    Choose the workspace you just deployed.
  </Step>

  <Step title="Browse and Deploy Rules">
    Review available detection rules and enable those matching your data sources.
  </Step>
</Steps>

<Card icon="file-code" href="/guides/onboarding/cms-module" title="CMS Onboarding">
  Deploy detection rules to your Sentinel workspace
</Card>

***

## Troubleshooting

### Common Issues

| Issue                       | Cause                     | Solution                                                    |
| --------------------------- | ------------------------- | ----------------------------------------------------------- |
| Subscription not visible    | Insufficient permissions  | Sign in with a Subscription Owner account                   |
| Deployment fails            | Azure Policy restrictions | Check for policies blocking Lighthouse or resource creation |
| Lighthouse delegation fails | Existing delegation       | Remove the existing Lighthouse delegation and retry         |
| Consent fails               | Insufficient role         | Grant consent with Global Administrator credentials         |
| No incidents appearing      | No incidents in Sentinel  | Verify incidents exist in the Sentinel portal               |
| Apollo Logic App disabled   | Deployment issue          | Manually enable the Logic App in the Azure portal           |
| Consent popup blocked       | Browser settings          | Allow popups from portal.contraforce.com                    |

### Verifying Azure Resources

To verify resources deployed correctly:

<Steps>
  <Step title="Open Azure Portal">
    Navigate to [portal.azure.com](https://portal.azure.com).
  </Step>

  <Step title="Check Resource Group">
    Search for the Apollo resource group (cf-apollo-\[workspace]).
  </Step>

  <Step title="Verify Logic App">
    Confirm the Logic App exists and is **Enabled**.
  </Step>

  <Step title="Check Automation Rule">
    In Sentinel, go to **Automation → Automation Rules** and verify the ContraForce rule exists.
  </Step>
</Steps>

### Lighthouse Troubleshooting

If Lighthouse delegation fails:

1. **Check Azure Policy** — Some organizations restrict Lighthouse delegations
2. **Remove existing delegations** — Conflicting delegations can cause failures
3. **Verify permissions** — Subscription Owner is required
4. **Check tenant settings** — Ensure cross-tenant access isn't blocked

<AccordionGroup>
  <Accordion title="How to remove existing Lighthouse delegation">
    1) Go to Azure Portal → Service providers
    2) Find any existing ContraForce delegations
    3) Click on the delegation and select **Delete**
    4) Wait for deletion to complete
    5) Retry the deployment in ContraForce
  </Accordion>

  <Accordion title="How to enable Logic App manually">
    1. Go to Azure Portal → Resource Groups
    2. Open the cf-apollo-\[workspace] resource group
    3. Click on the Logic App resource
    4. Click **Enable** if the Logic App is disabled
    5. Verify the Logic App shows "Enabled" status
  </Accordion>
</AccordionGroup>

***

## Module Capabilities Unlocked

With the Sentinel module deployed, you now have access to:

<CardGroup cols={2}>
  <Card icon="shield-halved" title="Sentinel Incidents">
    Real-time incident ingestion from Microsoft Sentinel
  </Card>

  <Card icon="bell" title="Email Notifications">
    Instant alerts when new incidents are created
  </Card>

  <Card icon="file-code" title="Content Management System">
    Deploy and manage detection rules at scale
  </Card>

  <Card icon="magnifying-glass" title="Log Search">
    Query Log Analytics for threat hunting
  </Card>

  <Card icon="buildings" title="Cross-Tenant Management">
    Manage multiple Sentinel workspaces from one portal
  </Card>

  <Card icon="crosshairs" title="Advanced Threat Hunting">
    Execute KQL queries across customer environments
  </Card>
</CardGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card icon="bell" href="/guides/technical/notifications-configuration" title="Configure Notifications">
    Set up email alerts for incidents
  </Card>

  <Card icon="file-code" href="/guides/onboarding/cms-module" title="Deploy Detection Rules">
    Use CMS to deploy Sentinel rules
  </Card>

  <Card icon="users" href="/guides/onboarding/user-group-management-for-providers" title="Add Users">
    Grant team access in Settings → User Management
  </Card>

  <Card icon="shield-halved" href="/guides/getting-started/incident-management" title="Incident Management">
    Start triaging Sentinel incidents
  </Card>
</CardGroup>

***

## Related Guides

<CardGroup cols={3}>
  <Card icon="shield" href="/guides/onboarding/defender-for-endpoint-module-deployment" title="Defender Module">
    Defender for Endpoint integration
  </Card>

  <Card icon="cloud" href="/guides/technical/azure-resources-deployed" title="Azure Resources">
    Complete resource reference
  </Card>

  <Card icon="database" href="/guides/getting-started/content-management-system" title="CMS Overview">
    Detection rule management
  </Card>
</CardGroup>

***

<Note>
  Need help with Sentinel module deployment? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
