
# ContraForce Makes Incident Investigation Even Easier for Microsoft Sentinel and Defender for Endpoint

> ContraForce introduces improvements to incident investigation for Microsoft Sentinel and Microsoft Defender for Endpoint incidents.

<Info>
  **Who is this for?** MSP/MSSP Partners, SOC Analysts
</Info>

**June 17, 2025** · ContraForce Team · 3 min read

ContraForce is pleased to announce significant improvements to incident investigation capabilities for Microsoft Sentinel and Microsoft Defender for Endpoint incidents.

## Faster, More Intuitive Investigation

The latest updates to the ContraForce Workbench make it easier than ever to investigate security incidents. The sections below cover each area of improvement.

## Unified Incident View

* All related alerts consolidated into a single incident view
* Timeline of events across all data sources
* Entity relationships visualized in the Entity Context Graph

## Enhanced Entity Enrichment

When you investigate an entity, ContraForce now automatically enriches it with:

* **User entities** — Sign-in logs, audit history, group memberships, risk signals
* **Device entities** — Device details, installed software, recent activity
* **IP addresses** — Geolocation, threat intelligence, historical activity
* **Files** — Hash lookups, prevalence data, detection history

## Streamlined Actions

Take response actions directly from the investigation view:

* Isolate devices without leaving the incident
* Disable user accounts with a single click
* Block IPs or URLs across customer tenants
* Quarantine files and soft-delete malicious emails

## Improved Context

The Workbench now provides more context to help analysts make faster, more informed decisions:

| Enhancement             | Benefit                                           |
| ----------------------- | ------------------------------------------------- |
| **Related incidents**   | See other incidents involving the same entities   |
| **Historical patterns** | Understand if this behavior is normal             |
| **Threat intelligence** | Automatic correlation with known threats          |
| **Customer context**    | Relevant information about the affected workspace |

## Quick Summary

* Unified incident view consolidates all related alerts and shows entity relationships in the Entity Context Graph.
* Enhanced entity enrichment automatically adds sign-in logs, device details, threat intelligence, and more.
* Streamlined response actions let you isolate devices, disable accounts, and block threats without leaving the incident.
* Improved context includes related incidents, historical patterns, and threat intelligence correlation.


<Note>
  Questions? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
