"Bring Your Sentinel" ContraForce Deployment Overview

This article will provide an overview of the "Bring Your Sentinel" ContraForce deployment method.

Overview

The "Bring Your Sentinel" model is best for organizations with existing Azure Sentinel environments, or organizations that want the maximum amount of control over their ContraForce and Sentinel environment. Existing Sentinel data sources and incidents will appear in ContraForce. Re-configuration of your Sentinel environment will not be required. The following steps will show the entire ContraForce onboarding process. 

1. Sign In

The first step in onboarding is to sign-in to your Microsoft account that will be used for onboarding. This account must be a global admin, an owner of the Azure subscription housing the Sentinel environment, and able to consent enterprise applications. 

Upon sign in, you will be shown application permission consent windows. 

2. Choose Your Deployment Method

After signing in and consenting the permissions for ContraForce, the next step is to choose your deployment method. In this case you will choose "Bring Your Sentinel." In the fields below, select the Azure subscription, resource group, and log analytics workspace for ContraForce. Lastly, accept the Terms of Service and Privacy Policy. Once completed, click Launch ContraForce. ContraForce will now start to deploy the required Azure resources for onboarding.  

Step 3. Add Additional Users 

While ContraForce is deploying resources, additional user accounts can be added to your ContraForce environment. The "Email" text box is searchable. As users are added, pick the required role for the user as well. The users added will receive an email notification that they have been added to ContraForce.

Step 4. Add Data Sources 

The next step integrates data sources into your ContraForce environment. If your Sentinel already has data sources integrated, this step can be skipped. If there are no connected data sources, click "Add Your Connectors."

Additionally, the Integrations page can be accessed by clicking "Add Connectors" show in the top-bar of the ContraForce Command page during onboarding. 

When viewing the Integrations page, various data sources that support API connections can be added to your ContraForce environment. The list of sources is below: 

• Microsoft Office 365
• Azure Active Directory
• Azure Active Directory Identity Protection
• Microsoft Defender for Identity
• Microsoft Defender for Endpoint
• Microsoft Defender for Cloud Apps
• Microsoft Defender for Cloud

After selecting the data sources to connect, click "Configure" under "Manage" to finish the integration process. A "Connect" button will be shown. 

Step 5: Consent Gamebooks Entities

After data sources have been configured, Gamebook entities can be consented for your ContraForce environment. If these entities are not consented, Gamebooks cannot be run within your ContraForce environment. The Gamebook Consent page within Settings can be accessed by clicking the button shown in the top bar of the ContraForce portal. 

Click "Enable" to consent the required entities. Note that if no Endpoint (EDR) solution is connected to ContraForce, the "Enable" button will be hidden.

After consenting Gamebook entities, onboarding is completed. A "Onboarding Completed" message will be shown in the top bar. 

 

Step 6. Manage Notification Preferences

At this point in the onboarding process, all infrastructure and permissions have been completed. The last step is to manage your notification preferences for your user. Email preferences are organized by incident severity. By un-toggling a severity, you will not receive email notifications for that severity of incident.  

Completed

ContraForce onboarding has now been completed. The ContraForce Customer Success team will schedule a follow up technical session with you to review additional details of your ContraForce environment.