ContraForce XDR + SIEM Module Deployment Overview

This article provides an overview of the "Bring Your Sentinel" ContraForce deployment method.

Overview

The "Bring Your Sentinel" model is for organizations that already run a Microsoft Sentinel (formerly Azure Sentinel) environment. Once onboarding is complete, your existing Sentinel data connectors and incidents appear in ContraForce; no re-configuration of your Sentinel environment is required. The following steps describe the entire ContraForce onboarding process.

Step 1. Sign In

The first step in onboarding is to sign in with the Microsoft account that will be used for onboarding. This account must be a Global Administrator, an Owner of the Azure subscription that houses the Sentinel workspace, and able to consent to enterprise applications. Because this account holds both tenant-wide and subscription-wide rights, open the sign-in page in an incognito/private window so that the consent is granted by the intended identity rather than by a cached session.

Upon sign-in, you will be shown application permission consent windows. Review the permissions requested before accepting them.

Step 2. Select the Subscription, Resource Group, and Log Analytics/Sentinel Workspace

After signing in and consenting to the permissions for ContraForce, choose the Sentinel subscription that ContraForce will deploy to. In the fields, select the Azure subscription, resource group, and Log Analytics workspace. As you pick each one, the permissions of the signed-in user are validated against it; if a check fails, a red message is shown. Lastly, accept the Terms of Service and Privacy Policy, then click Launch ContraForce. ContraForce now starts deploying the Azure resources required for onboarding.
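The checks described in Steps 1 and 2 can be rehearsed before opening the wizard. The following script is an added example, not ContraForce's own code: it parses the full resource ID of the Log Analytics workspace, confirms the workspace sits in the subscription and resource group you intend to select, and confirms the signed-in user holds Owner on that subscription rather than only on the resource group. It expects role assignments in the JSON shape produced by `az role assignment list --all --include-inherited --assignee <upn> -o json` (an assumption about the CLI output; only the `roleDefinitionName` and `scope` fields are used), and all identifiers in the sample data are constructed.

```python
"""Pre-flight check for the "Bring Your Sentinel" prerequisites (Steps 1 and 2).

Added example, not ContraForce code. It reproduces two of the checks the
onboarding wizard performs when a subscription, resource group and workspace
are selected. Role assignments are expected in the JSON shape emitted by
    az role assignment list --all --include-inherited --assignee <upn> -o json
(assumption: the fields roleDefinitionName and scope). Sample data below is
constructed for the example; none of the identifiers are real.
"""
import re

# Full Azure resource ID of a Log Analytics workspace.
WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[^/]+)$",
    re.IGNORECASE,
)
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def parse_workspace_id(resource_id):
    """Split a workspace resource ID into subscription, resource group and name."""
    m = WORKSPACE_ID_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a Log Analytics workspace resource ID: {resource_id}")
    return {"subscription": m["sub"].lower(), "resource_group": m["rg"], "workspace": m["ws"]}


def owner_scopes(assignments, subscription_id):
    """Return the scopes at which the principal holds Owner that cover the subscription.

    Owner on the subscription itself counts, as does Owner on a management group
    (Azure RBAC is inherited downward; assumption: the listing was taken with
    --include-inherited, so any management-group assignment shown is an ancestor
    of this subscription). Owner on a resource group or a single resource does
    NOT cover the subscription and is deliberately ignored.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    covering = []
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner":
            continue
        scope = a.get("scope", "")
        if scope.lower() == sub_scope or scope.lower().startswith(MG_PREFIX):
            covering.append(scope)
    return covering


def preflight(assignments, workspace_id, selected_subscription, selected_resource_group):
    """Validate a Step 2 selection; 'problems' plays the role of the wizard's red message."""
    ws = parse_workspace_id(workspace_id)
    problems = []
    if ws["subscription"] != selected_subscription.lower():
        problems.append("workspace is not in the selected subscription")
    if ws["resource_group"].lower() != selected_resource_group.lower():
        problems.append("workspace is not in the selected resource group")
    scopes = owner_scopes(assignments, ws["subscription"])
    if not scopes:
        problems.append(f"signed-in user is not Owner on subscription {ws['subscription']}")
    return {"ok": not problems, "problems": problems, "owner_scopes": scopes, "workspace": ws}


# Constructed sample data (not real identifiers).
SUB = "11111111-2222-3333-4444-555555555555"
WORKSPACE_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-sentinel"
                "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")
# Owner only on the resource group plus Contributor on the subscription: not enough.
ASSIGNMENTS_RG_OWNER = [
    {"roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-sentinel"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
]
# Owner on the subscription itself: sufficient.
ASSIGNMENTS_SUB_OWNER = [
    {"roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
]

if __name__ == "__main__":
    for label, assignments in (("rg-owner", ASSIGNMENTS_RG_OWNER),
                               ("sub-owner", ASSIGNMENTS_SUB_OWNER)):
        print(label, preflight(assignments, WORKSPACE_ID, SUB, "rg-sentinel"))
```

Note that the Global Administrator role and the ability to consent to enterprise applications are Microsoft Entra directory roles, not Azure RBAC assignments, so this script does not check them; they would need a separate Microsoft Graph query against the signed-in user's directory roles.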

Step 3. Add Additional Users

While ContraForce is deploying resources, additional user accounts can be added to your ContraForce environment. The "Email" text box is searchable. As each user is added, select the role that user requires. Added users receive an email notification that they have been added to ContraForce.

Step 4. Add Data Connectors

The next step integrates data connectors into your ContraForce environment. If your Sentinel instance already has data connectors configured, this step can be skipped. If there are no connected data connectors, click "Add Your Connectors."

Additionally, the Integrations page can be accessed by clicking "Add Connectors" in the top bar of the ContraForce Command page during onboarding.

On the Data Connectors page, the following data sources, each of which supports an API connection, can be added to your ContraForce environment:

  • Microsoft Office 365
  • Microsoft Entra ID
  • Microsoft Entra ID Identity Protection
  • Microsoft Defender for Identity
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Cloud

If you do not see a required data connector, contact the ContraForce team. Over 150 data sources are supported, and the ContraForce team will guide you through the integration steps needed for your data sources.

After selecting a data connector, click "Configure" under "Manage"; a "Connect" button is then shown to finish the integration process.

Step 5. Consent Gamebook Service Principals

After data sources have been configured, the Gamebook service principals can be consented for your ContraForce environment from the Workspaces page. If these service principals are not consented, Gamebooks cannot be run within your ContraForce environment. The service principals can be accessed by clicking the "gears" icon shown on the Workspaces page. Consent here is an admin consent that grants the service principals permissions across your tenant, so review the permissions each one requests before granting it.

Click "Consent" to consent the required service principals. Further documentation about the service principals can be found here.

After consenting the Gamebook service principals, onboarding is complete. An "Onboarding Completed" message is shown in the top bar.

Step 6. Manage Notification Preferences

At this point in the onboarding process, all infrastructure and permissions have been set up. The last step is to manage the notification preferences for your user. Email preferences are organized by incident severity; un-toggling a severity stops email notifications for incidents of that severity.

Completed

ContraForce onboarding is now complete. The ContraForce Customer Success team will schedule a follow-up technical session with you to review additional details of your ContraForce environment.

If you have any questions, feel free to contact us at support@contraforce.com.