> ## Documentation Index
> Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring Security Delivery Agents

> Configure and use Security Delivery Agents to automate incident investigation and response through a phased adoption approach.

Security Delivery Agents (SDAs) automate incident investigation and response within ContraForce. This guide walks you through configuring agents using a phased approach, allowing you to gradually increase automation as you become comfortable with agent capabilities.

<Info>
  Security Delivery Agents follow a three-phase adoption model: manual execution, automatic execution based on severity, and automatic gamebook execution. This progressive approach helps you build confidence in agent behavior before enabling full automation.
</Info>

## What Can You Do Here?

<CardGroup cols={2}>
  <Card title="Run Manual Investigations" icon="magnifying-glass">
    Trigger agent analysis on individual incidents
  </Card>

  <Card title="Automate by Severity" icon="gauge-high">
    Configure agents to run automatically based on incident status
  </Card>

  <Card title="Enable Gamebook Execution" icon="play">
    Allow agents to execute response playbooks automatically
  </Card>

  <Card title="Set Confidence Thresholds" icon="sliders">
    Control when automated actions are permitted
  </Card>

  <Card title="Apply a True-Positive Policy" icon="route">
    Use Advanced mode to act differently per classification
  </Card>
</CardGroup>

***

## Prerequisites

Before configuring Security Delivery Agents, ensure you meet the following requirements.

| Requirement               | Description                                             |
| ------------------------- | ------------------------------------------------------- |
| **Agent Center Deployed** | Azure AI Foundry infrastructure must be provisioned     |
| **ContraForce Roles**     | Organizational Admin and Workspace Owner roles required |

<Warning>
  Prerequisites to Configure Security Delivery Agents:

  * Agent Center must be fully deployed in your environment
  * ContraForce Role: Organizational Admin
  * ContraForce Workspace Role: Owner
</Warning>

***

## Phase 1: Manual Agent Execution

In this initial phase, you manually select individual incidents and trigger the agent to run investigations. This allows you to evaluate agent performance before enabling automation.

### Running Agent Investigation

<Steps>
  <Step title="Open an Incident">
    Navigate to the incident you want to investigate
  </Step>

  <Step title="Access Actions Menu">
    Select **Actions** from the incident toolbar
  </Step>

  <Step title="Choose Investigation Type">
    Select one of the following options:

    * **Run Agent Investigation** — Agent analyzes the incident and provides findings without taking remediation actions
    * **Run Agent Investigation and Response** — Agent analyzes the incident and executes recommended response actions
  </Step>

  <Step title="Review Results">
    Examine the agent's findings and recommendations
  </Step>
</Steps>

### Investigation Options

| Option                                   | Description                        | When to Use                                               |
| ---------------------------------------- | ---------------------------------- | --------------------------------------------------------- |
| **Run Agent Investigation**              | Analysis only, no response actions | When you want to review findings before taking action     |
| **Run Agent Investigation and Response** | Analysis plus automated response   | When you trust the agent to execute appropriate responses |

<Tip>
  Start with investigation-only runs to understand how the agent analyzes your specific incident types before enabling response actions.
</Tip>

***

## Phase 2: Automatic Execution Based on Severity

Once you're comfortable with agent behavior, configure automatic execution based on incident severity and status.

<Note>
  The status filters below are the standard configuration. To scope automatic execution to specific **severities**, or to switch the trigger to **Manual**, enable **Advanced** mode and use the [True-Positive Policy](#advanced-configuration-true-positive-policy) settings. With Advanced disabled, behavior is exactly as described in this section.
</Note>

### Configuring Automatic Execution

<Steps>
  <Step title="Navigate to Agent Center">
    Open **ContraForce Agent Center** from the main navigation
  </Step>

  <Step title="Set Mode to On Queue">
    Change the **Mode** setting to **On Queue** to enable automatic processing
  </Step>

  <Step title="Configure Status Filters">
    Select which incident statuses trigger automatic agent execution:

    * **New** — Agent runs on newly created incidents
    * **Active** — Agent runs on incidents currently being worked
    * **Closed** — Agent runs on closed incidents for retrospective analysis
  </Step>

  <Step title="Save Configuration">
    Apply your settings to activate automatic execution
  </Step>
</Steps>

### Status Filter Options

<Tabs>
  <Tab title="New">
    **Process new incidents automatically:**

    * Agent triggers immediately when incidents are created
    * Provides rapid initial triage and analysis
    * Recommended for high-volume environments
  </Tab>

  <Tab title="Active">
    **Process incidents under investigation:**

    * Agent assists with ongoing investigations
    * Provides additional context and recommendations
    * Useful for augmenting analyst workflows
  </Tab>

  <Tab title="Closed">
    **Process closed incidents:**

    * Agent performs retrospective analysis
    * Identifies missed indicators or patterns
    * Supports continuous improvement efforts
  </Tab>
</Tabs>

***

## Phase 3: Automatic Gamebook Execution

In this advanced phase, you enable the agent to automatically execute gamebooks based on confidence thresholds.

### Enabling Automatic Gamebook Execution

<Steps>
  <Step title="Navigate to Agent Center">
    Open **ContraForce Agent Center** from the main navigation
  </Step>

  <Step title="Enable Gamebook Execution">
    Toggle **Allow Agent to run gamebooks** to enabled
  </Step>

  <Step title="Set Confidence Level">
    Configure the confidence threshold that determines when the agent automatically executes gamebook actions
  </Step>

  <Step title="Save Configuration">
    Apply your settings to activate automatic gamebook execution
  </Step>
</Steps>

### Understanding Confidence Levels

| Confidence Level | Behavior                                            | Recommended For                                   |
| ---------------- | --------------------------------------------------- | ------------------------------------------------- |
| **High**         | Agent requires strong evidence before taking action | Production environments, sensitive systems        |
| **Medium**       | Balanced approach between automation and caution    | Most standard deployments                         |
| **Low**          | Agent takes action with less certainty              | Test environments, high-volume low-risk scenarios |

<Warning>
  Lower confidence thresholds result in more aggressive automation. Start with higher thresholds and adjust based on observed accuracy and your risk tolerance.
</Warning>

***

## Advanced Configuration: True-Positive Policy

By default, every agent investigation ends in one post-investigation flow regardless of the agent's verdict. **Advanced** mode replaces that single flow with a policy that acts on the agent's classification, so a True Positive can be escalated for analyst action while a False Positive is closed out.

<Info>
  Advanced mode is opt-in and reversible. While it is **disabled**, agent behavior is exactly as described in Phases 1 to 3, with no change. Enabling it only adds the trigger and per-classification settings below.
</Info>

### Enabling Advanced Mode

<Steps>
  <Step title="Open Agent Configuration">
    Open **ContraForce Agent Center** and select the agent you want to configure.
  </Step>

  <Step title="Turn on Advanced">
    Enable the **Advanced** toggle. The trigger and classification settings appear.
  </Step>

  <Step title="Configure the trigger">
    Choose the **severities** the agent runs on, and a **trigger mode**:

    * **On-Queue** — the agent runs automatically when a matching incident arrives.
    * **Manual** — the agent runs only when you trigger it from the incident **Actions** menu.
  </Step>

  <Step title="Configure the policy per classification">
    For each classification, set what happens when the agent reaches that verdict (see below).
  </Step>

  <Step title="Save">
    Apply your settings. Save is blocked until the webhook list has loaded, so a policy is never saved against an unverified webhook.
  </Step>
</Steps>

### Per-Classification Policy

When Advanced mode is on, each of the four classifications has its own policy. For an explanation of the classifications themselves, see [Incident Classifications](/guides/getting-started/incident-classifications).

| Setting           | Description                                                                                                                                   |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Gamebooks**     | Gamebooks queued for the incident when the agent reaches this classification.                                                                 |
| **Assignee**      | The owner the incident is assigned to.                                                                                                        |
| **Status**        | The status the incident moves to (for example, keep a True Positive open for analyst action instead of closing it).                           |
| **Custom action** | An optional webhook fired when the agent reaches this classification. Use this to escalate into your own SIEM, ticketing, or on-call tooling. |

<Tip>
  The common True-Positive Policy pattern: for **True Positive**, keep the incident open, assign it to your response queue, and set a webhook custom action so your team is paged. For **False Positive** and **Benign Positive**, close the incident with no webhook.
</Tip>

### The Custom Action Webhook

The custom action sends the **Agent investigation completed** event (`agent.investigation.completed.v1`) the moment the investigation finishes. The payload carries the agent's verdict and the incident context, signed so your endpoint can verify it.

This event is **selected here, on the classification card**. It is not a broadcast subscription: only the webhook a classification card points to receives it. For the payload schema, headers, and signature verification, see [Agent Investigation Completed Webhook](/guides/agent-center/agent-investigation-webhook).

<Warning>
  If the webhook a card points to is later deleted, paused, disabled, or unsubscribed from the event, the card shows a warning with a link to fix it in **Developers**, and the skipped delivery is recorded as **Failed** rather than dropped silently. Check the card if escalations stop arriving.
</Warning>

***

## Configuration Summary

<Tabs>
  <Tab title="Phase 1">
    **Manual Execution:**

    * User selects individual incidents
    * User triggers agent via Actions menu
    * User reviews results before any response
    * Best for: Initial evaluation and building trust
  </Tab>

  <Tab title="Phase 2">
    **Automatic by Status:**

    * Agent runs automatically on matching incidents
    * Mode set to On Queue
    * Status filters control which incidents are processed
    * Best for: Scaling investigation capacity
  </Tab>

  <Tab title="Phase 3">
    **Automatic Gamebooks:**

    * Agent executes response playbooks automatically
    * Confidence level controls action threshold
    * Full automation of investigation and response
    * Best for: Mature environments with validated agent accuracy
  </Tab>
</Tabs>

***

## Best Practices

<AccordionGroup>
  <Accordion title="Progress through phases sequentially">
    Start with Phase 1 to understand agent behavior before enabling automation. Each phase builds on the previous one.
  </Accordion>

  <Accordion title="Review agent outputs during manual execution">
    Use Phase 1 to validate that agent analysis aligns with your expectations and incident handling procedures.
  </Accordion>

  <Accordion title="Set conservative confidence levels initially">
    Begin with higher confidence thresholds and lower them gradually based on observed accuracy.
  </Accordion>

  <Accordion title="Monitor automated actions regularly">
    Even with full automation enabled, periodically review agent actions to ensure expected behavior.
  </Accordion>

  <Accordion title="Document your configuration choices">
    Keep records of which phases are enabled and your confidence threshold settings for troubleshooting and auditing.
  </Accordion>
</AccordionGroup>

***

## Troubleshooting

### Common Issues

| Issue                            | Possible Cause                                            | Solution                                                                                                                                    |
| -------------------------------- | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| Agent not processing incidents   | Mode not set to On Queue                                  | Verify Mode is set to On Queue in Agent Center                                                                                              |
| Gamebooks not executing          | Feature not enabled                                       | Confirm "Allow Agent to run gamebooks" is toggled on                                                                                        |
| Too many automated actions       | Confidence threshold too low                              | Increase confidence level setting                                                                                                           |
| Agent missing incidents          | Status filters misconfigured                              | Review and adjust status filter selections                                                                                                  |
| Investigation not starting       | Missing permissions                                       | Verify Organizational Admin and Workspace Owner roles                                                                                       |
| Escalation webhook not arriving  | Card's webhook deleted, paused, disabled, or unsubscribed | Check the classification card for a binding warning; fix the webhook in Developers. Skipped deliveries appear as Failed in the delivery log |
| Advanced settings have no effect | Advanced toggle disabled                                  | Enable the Advanced toggle and save; without it the standard Phase 1 to 3 behavior applies                                                  |

<Note>
  If you encounter persistent issues with Security Delivery Agent configuration, contact [support@contraforce.com](mailto:support@contraforce.com) with your configuration details and observed behavior.
</Note>

***

## Related Guides

<CardGroup cols={2}>
  <Card title="Deploying Agent Center" icon="server" href="/guides/onboarding/agent-center-deployment">
    Deploy Microsoft Foundry infrastructure to manage your AI agents
  </Card>

  <Card title="Understanding Gamebooks" icon="gamepad" href="/guides/getting-started/what-are-gamebooks">
    Learn about automated SOP-driven response actions
  </Card>

  <Card title="Incident Management" icon="shield-halved" href="/guides/getting-started/incident-management">
    Overview of incident handling in ContraForce
  </Card>

  <Card title="User Roles and Permissions" icon="users" href="/guides/general-support/roles-and-permissions-reference">
    Understanding ContraForce role requirements
  </Card>

  <Card title="Agent Investigation Completed Webhook" icon="webhook" href="/guides/agent-center/agent-investigation-webhook">
    Payload, headers, and signature verification for the custom action event
  </Card>
</CardGroup>

***

<Note>
  Questions about Security Delivery Agent configuration? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>
