Security Delivery Agents (SDAs) automate incident investigation and response within ContraForce. This guide walks you through configuring agents using a phased approach, allowing you to gradually increase automation as you become comfortable with agent capabilities.
Security Delivery Agents follow a three-phase adoption model: manual execution, automatic execution based on severity, and automatic gamebook execution. This progressive approach helps you build confidence in agent behavior before enabling full automation.

What Can You Do Here?

Run Manual Investigations

Trigger agent analysis on individual incidents

Automate by Severity

Configure agents to run automatically on incidents by status (and, in Advanced mode, by severity)

Enable Gamebook Execution

Allow agents to execute response playbooks automatically

Set Confidence Thresholds

Control when automated actions are permitted

Apply a True-Positive Policy

Use Advanced mode to act differently per classification

Prerequisites

Before configuring Security Delivery Agents, ensure you meet the following requirements.
Prerequisites to Configure Security Delivery Agents:
  • Agent Center deployed: the Azure AI Foundry infrastructure must be fully provisioned in your environment
  • ContraForce role: Organizational Admin
  • ContraForce workspace role: Owner

Phase 1: Manual Agent Execution

In this initial phase, you manually select individual incidents and trigger the agent to run investigations. This allows you to evaluate agent performance before enabling automation.

Running Agent Investigation

1. Open an Incident: navigate to the incident you want to investigate.
2. Access Actions Menu: select Actions from the incident toolbar.
3. Choose Investigation Type: select one of the following options:
  • Run Agent Investigation: the agent analyzes the incident and provides findings without taking remediation actions
  • Run Agent Investigation and Response: the agent analyzes the incident and executes recommended response actions
4. Review Results: examine the agent's findings and recommendations.

Investigation Options

  • Run Agent Investigation: analysis only, no response actions. Use when you want to review findings before taking action.
  • Run Agent Investigation and Response: analysis plus automated response. Use when you trust the agent to execute appropriate responses.
Start with investigation-only runs to understand how the agent analyzes your specific incident types before enabling response actions.

Phase 2: Automatic Execution Based on Severity

Once you’re comfortable with agent behavior, configure automatic execution based on incident severity and status.
The status filters below are the standard configuration. To scope automatic execution to specific severities, or to switch the trigger to Manual, enable Advanced mode and use the True-Positive Policy settings. With Advanced disabled, behavior is exactly as described in this section.

Configuring Automatic Execution

1. Navigate to Agent Center: open ContraForce Agent Center from the main navigation.
2. Set Mode to On Queue: change the Mode setting to On Queue to enable automatic processing.
3. Configure Status Filters: select which incident statuses trigger automatic agent execution:
  • New: the agent runs on newly created incidents
  • Active: the agent runs on incidents currently being worked
  • Closed: the agent runs on closed incidents for retrospective analysis
4. Save Configuration: apply your settings to activate automatic execution.

Status Filter Options

Process new incidents automatically:
  • Agent triggers immediately when incidents are created
  • Provides rapid initial triage and analysis
  • Recommended for high-volume environments

Phase 3: Automatic Gamebook Execution

In this advanced phase, you enable the agent to automatically execute gamebooks based on confidence thresholds.

Enabling Automatic Gamebook Execution

1. Navigate to Agent Center: open ContraForce Agent Center from the main navigation.
2. Enable Gamebook Execution: toggle Allow Agent to run gamebooks to enabled.
3. Set Confidence Level: configure the confidence threshold that determines when the agent automatically executes gamebook actions.
4. Save Configuration: apply your settings to activate automatic gamebook execution.

Understanding Confidence Levels

  • High: the agent requires strong evidence before taking action. Recommended for production environments and sensitive systems.
  • Medium: a balanced approach between automation and caution. Recommended for most standard deployments.
  • Low: the agent takes action with less certainty. Recommended for test environments and high-volume, low-risk scenarios.
Lower confidence thresholds result in more aggressive automation. Start with higher thresholds and adjust based on observed accuracy and your risk tolerance.

Advanced Configuration: True-Positive Policy

By default, every agent investigation ends in one post-investigation flow regardless of the agent’s verdict. Advanced mode replaces that single flow with a policy that acts on the agent’s classification, so a True Positive can be escalated for analyst action while a False Positive is closed out.
Advanced mode is opt-in and reversible. While it is disabled, agent behavior is exactly as described in Phases 1 to 3, with no change. Enabling it only adds the trigger and per-classification settings below.

Enabling Advanced Mode

1. Open Agent Configuration: open ContraForce Agent Center and select the agent you want to configure.
2. Turn on Advanced: enable the Advanced toggle. The trigger and classification settings appear.
3. Configure the trigger: choose the severities the agent runs on, and a trigger mode:
  • On-Queue: the agent runs automatically when a matching incident arrives.
  • Manual: the agent runs only when you trigger it from the incident Actions menu.
4. Configure the policy per classification: for each classification, set what happens when the agent reaches that verdict (see below).
5. Save: apply your settings. Save is blocked until the webhook list has loaded, so a policy is never saved against an unverified webhook.

Per-Classification Policy

When Advanced mode is on, each of the four classifications has its own policy. For an explanation of the classifications themselves, see Incident Classifications.
  • Gamebooks: the gamebooks queued for the incident when the agent reaches this classification.
  • Assignee: the owner the incident is assigned to.
  • Status: the status the incident moves to (for example, keep a True Positive open for analyst action instead of closing it).
  • Custom action: an optional webhook fired when the agent reaches this classification. Use this to escalate into your own SIEM, ticketing, or on-call tooling.
The common True-Positive Policy pattern: for True Positive, keep the incident open, assign it to your response queue, and set a webhook custom action so your team is paged. For False Positive and Benign Positive, close the incident with no webhook.

The Custom Action Webhook

The custom action sends the Agent investigation completed event (agent.investigation.completed.v1) the moment the investigation finishes. The payload carries the agent’s verdict and the incident context, signed so your endpoint can verify it. This event is selected here, on the classification card. It is not a broadcast subscription: only the webhook a classification card points to receives it. For the payload schema, headers, and signature verification, see Agent Investigation Completed Webhook.
If the webhook a card points to is later deleted, paused, disabled, or unsubscribed from the event, the card shows a warning with a link to fix it in Developers, and the skipped delivery is recorded as Failed rather than dropped silently. Check the card if escalations stop arriving.

Configuration Summary

Manual Execution:
  • User selects individual incidents
  • User triggers agent via Actions menu
  • User reviews results before any response
  • Best for: Initial evaluation and building trust

Best Practices

Start with Phase 1 to understand agent behavior before enabling automation. Each phase builds on the previous one.
Use Phase 1 to validate that agent analysis aligns with your expectations and incident handling procedures.
Begin with higher confidence thresholds and lower them gradually based on observed accuracy.
Even with full automation enabled, periodically review agent actions to ensure expected behavior.
Keep records of which phases are enabled and your confidence threshold settings for troubleshooting and auditing.

Troubleshooting

Common Issues

  • Agent not processing incidents. Possible cause: Mode not set to On Queue. Solution: verify Mode is set to On Queue in Agent Center.
  • Gamebooks not executing. Possible cause: feature not enabled. Solution: confirm "Allow Agent to run gamebooks" is toggled on.
  • Too many automated actions. Possible cause: confidence threshold too low. Solution: increase the confidence level setting.
  • Agent missing incidents. Possible cause: status filters misconfigured. Solution: review and adjust the status filter selections.
  • Investigation not starting. Possible cause: missing permissions. Solution: verify the Organizational Admin and Workspace Owner roles.
  • Escalation webhook not arriving. Possible cause: the card's webhook was deleted, paused, disabled, or unsubscribed. Solution: check the classification card for a binding warning and fix the webhook in Developers. Skipped deliveries appear as Failed in the delivery log.
  • Advanced settings have no effect. Possible cause: Advanced toggle disabled. Solution: enable the Advanced toggle and save; without it the standard Phase 1 to 3 behavior applies.
If you encounter persistent issues with Security Delivery Agent configuration, contact support@contraforce.com with your configuration details and observed behavior.

Related pages:
  • Deploying Agent Center: deploy Microsoft Foundry infrastructure to manage your AI agents
  • Understanding Gamebooks: learn about automated SOP-driven response actions
  • Incident Management: overview of incident handling in ContraForce
  • User Roles and Permissions: understanding ContraForce role requirements
  • Agent Investigation Completed Webhook: payload, headers, and signature verification for the custom action event

Questions about Security Delivery Agent configuration? Contact us at support@contraforce.com.