This article provides an overview of the "Deploy Your Sentinel" ContraForce deployment method.
The "Deploy Your Sentinel" model is best for organizations that do not have an existing Azure Sentinel environment. In this scenario, ContraForce will deploy and manage a Sentinel environment on behalf of the customer. Billing for the environment will also be managed by ContraForce.
1. Sign In
The first step in onboarding is to sign in to the Microsoft account that will be used for onboarding. This account must be a Global Administrator and must be able to consent to enterprise applications.
Upon sign in, you will be shown application permission consent windows.
2. Choose Your Deployment Method
3. Authorize ContraForce as a Partner
The next step is to sign the Microsoft Customer Agreement that authorizes ContraForce as a partner. This step is required so that ContraForce can manage all aspects of the Azure Sentinel environment that will be deployed during onboarding. Clicking View Partner Agreement will open the Microsoft Customer Agreement. More information about the Microsoft Customer Agreement can be found here.
After the agreement has been accepted, click the Continue button within the ContraForce tab in your browser.
4. Add Additional Users
While ContraForce is deploying resources, additional user accounts can be added to your ContraForce environment. The "Email" text box is searchable. As users are added, pick the required role for the user as well. The users added will receive an email notification that they have been added to ContraForce.
If there are no additional users to add, this step can be skipped.
Step 4. Add Data Sources
At this point in onboarding, the base infrastructure for ContraForce is finishing the deployment stage. If you are ready to connect data connectors, click Add Your Connectors. If you would like to manage other preferences within ContraForce settings while deployment is wrapping up, click Skip This Step for Now.
The screenshot above shows the ContraForce deployment stages.
On the Data Sources page, click Select Connectors to integrate data sources into ContraForce.
Additionally, the Integrations page can be accessed by clicking "Add Connectors", shown in the top bar of the ContraForce command page during onboarding. On the Integrations page, various data sources that support API connections can be added to your ContraForce environment. The list of sources is below:
- Microsoft Office 365
- Azure Active Directory
- Azure Active Directory Identity Protection
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Cloud
After you have selected the required data sources, click Add Data Sources at the bottom of the page. On the next page, click Configure to complete the integration process. For some data sources, additional steps are required and a configuration guide will be shown.
If you do not see a required data source, contact the ContraForce team. Over 150 data sources are supported and the ContraForce team will help guide you on the integration steps needed for your data source requirements.
Step 5. Consent Gamebook Entities
After data sources have been configured, Gamebook entities can be consented for your ContraForce environment. If these entities are not consented, Gamebooks cannot be run within your ContraForce environment. The Gamebook Consent page within Settings can be accessed by clicking the button shown in the top bar of the ContraForce portal or clicking the gear icon on the left-hand side.
Click "Enable" to consent the required entities. Note that if no Endpoint (EDR) solution is connected to ContraForce, the "Enable" button will be hidden.
After consenting Gamebook entities, onboarding is complete. An "Onboarding Completed" message will be shown in the top bar.
Step 6. Manage Notification Preferences
At this point in the onboarding process, all infrastructure and permissions have been completed. The last step is to manage the notification preferences for your user. Email preferences are organized by incident severity. If you un-toggle a severity, you will not receive email notifications for incidents of that severity.
ContraForce onboarding has now been completed. The ContraForce Customer Success team will schedule a follow-up technical session with you to review additional details of your ContraForce environment.
If you have any questions, feel free to contact us at firstname.lastname@example.org.