ContraForce empowers analysts to efficiently manage incidents across multiple tenants and data sources. This workflow is designed to help you resolve incidents faster and deliver better service to your customers.
Workflow Overview
1. Workspace Filtering
The Command Page allows you to customize which incidents are displayed by filtering on Workspace, Severity, and Status. These filters persist as you navigate between pages in ContraForce.Setting Your Workspace Filter
2. Setting Your Incident Assignees Filter
Additional Filters
Beyond workspace filtering, you can further refine your view:| Filter | Options | Use Case |
|---|---|---|
| Severity | High, Medium, Low, Informational | Focus on critical incidents first |
| Status | New, Active, Closed | View only incidents requiring action |
| Module | Sentinel, Defender for Endpoint | Filter by security product |
2. Incident Assignment
Proper incident assignment ensures the right analyst handles each incident and provides clear ownership for tracking.Individual Assignment
To assign a single incident:- Locate the incident in the Incidents table
- Click the dropdown in the Owner column
- Select an analyst from the list of portal users
Handling Incidents at Scale
There’s no manual bulk-update action. Security Delivery Agents running on queue automatically triage and act on incidents in bulk as they arrive, so you don’t have to process them batch by batch. See Configuring Security Delivery Agents.3. Incident Summary
The Incident Summary provides a complete view of an incident with all the context you need for investigation.Accessing the Summary
Click any Incident ID in the Incidents table to open its Summary view.
Incident Tabs
- Summary
- Rule
- Entities
- Timeline
- Logs
- Comments
- Audit
Summary – Overview of the incident including severity, status, affected assets, and key details at a glance.
4. Gamebook Responses
Gamebooks SOP driven AI-generated and human created response actions that let you quickly respond to incidents.Available Gamebook actions are determined by the entity types present in the incident. Agents automatically suggests relevant actions based on the output of the investigation and incident classification.
Using Suggested Gamebooks
If a Gamebook has been previously executed for similar incidents, agents suggest it automatically:
Creating a Custom Gamebook
Build Your Response
- Use the arrows to navigate through action options
- Click the green + icon to add an action
- Click the red - icon to remove an action
Gamebook Approval Workflow
Some Gamebook actions require approval before execution: To request approval:- Build your Gamebook as usual
- Click Request Gamebook Approval (instead of Run Gamebook)
- The request is sent to authorized approvers
- Approvers can approve directly from the incident, or
- Use the Gamebook Activity tab to review and approve pending requests
5. Incident Closure
After completing your investigation and response, close the incident with proper documentation.
Quick Close from Gamebook
After a Gamebook completes, a green Close Incident button appears at the bottom of the Gamebook context group.Closure Fields
| Field | Options | Purpose |
|---|---|---|
| Classification | True Positive, False Positive, Benign Positive, Undetermined | Required. Categorizes the incident outcome |
| Comment | Free text | Optional note about why you’re closing the incident |
Putting It Together
The ContraForce incident management workflow is designed to help you:Triage Faster
Filter and prioritize incidents across all your tenants from one dashboard
Respond Automatically
Execute proven response actions with Gamebooks instead of manual remediation
Document Everything
Maintain complete audit trails with comments, classifications, and history
Related Guides
Command Dashboard
Learn more about the central incident dashboard.
What are Gamebooks?
Deep dive into SOP driven automated response actions.
Workbench Overview
Learn how to manage incidents in your workbench.
Incident Classifications
Understand True Positive, False Positive, and more.
Questions about this workflow? Contact us at support@contraforce.com. We’re happy to help optimize your incident management process.