# How MSSPs Can Implement the New CISA Guidance for SIEM and SOAR

> Understanding the new CISA guidance for SIEM and SOAR and how MSSPs can implement these recommendations with ContraForce.

<Info>
  **Who is this for?** MSP/MSSP Partners, Security Engineers
</Info>

**June 10, 2025** · ContraForce Team · 4 min read

CISA has released new guidance for organizations implementing SIEM and SOAR solutions. For MSSPs managing security operations across multiple customers, this guidance has significant implications for how you deliver services.

## Key CISA Recommendations

The guidance emphasizes several critical areas:

## 1. Centralized Log Collection

CISA recommends organizations centralize security logs from all critical systems. For MSSPs, this means:

* Ensuring comprehensive log coverage across customer environments
* Normalizing data for consistent analysis
* Maintaining appropriate retention periods

## 2. Automated Detection and Response

The guidance strongly advocates for automation to reduce response times:

* Automated triage of common alert types
* Pre-defined response playbooks for known threats
* Reduced mean time to respond (MTTR)

## 3. Threat Intelligence Integration

CISA emphasizes the importance of threat intelligence:

* Integration with threat intel feeds
* Automated correlation with known indicators
* Context-aware alerting

## How ContraForce Helps MSSPs Comply

ContraForce is designed to help MSSPs implement these recommendations across their entire customer base:

## Centralized Operations

* Unified view of all customer Microsoft Sentinel and Defender for Endpoint environments
* Consistent log ingestion and normalization
* Multi-tenant visibility without portal pivoting

## Automated Response

* Gamebooks provide pre-defined response workflows
* Security Delivery Agents automate investigation and response
* Consistent outcomes across all customer environments

## Built-in Intelligence

* Entity enrichment with threat intelligence
* Automated correlation of indicators
* Risk-based prioritization

## Implementation Roadmap

For MSSPs looking to align with CISA guidance:

| Phase | Focus Area             | ContraForce Capability         |
| ----- | ---------------------- | ------------------------------ |
| **1** | Log centralization     | Microsoft Sentinel integration |
| **2** | Detection deployment   | CMS for rule management        |
| **3** | Response automation    | Gamebook workflows             |
| **4** | Continuous improvement | Security Delivery Agents       |

## Quick Summary

* CISA guidance emphasizes centralized log collection, automated detection/response, and threat intelligence integration.
* MSSPs must implement these capabilities across their entire customer base.
* ContraForce provides centralized operations, Gamebook-driven automation, and built-in threat intelligence.
* A phased implementation roadmap helps MSSPs align with CISA recommendations using ContraForce capabilities.

