# Incident Management

> A complete workflow for triaging, investigating, and resolving security incidents in ContraForce.

This guide walks you through the recommended workflow for managing security incidents in ContraForce—from initial triage to resolution.

<Info>
  ContraForce empowers analysts to efficiently manage incidents across multiple tenants and data sources. This workflow is designed to help you resolve incidents faster and deliver better service to your customers.
</Info>

## Workflow Overview

<Steps>
  <Step title="Filter Workspaces">
    Focus on specific tenants or view all incidents across your environment
  </Step>

  <Step title="Assign Incidents">
    Route incidents to the appropriate analyst
  </Step>

  <Step title="Investigate">
    Review the incident summary, entities, timeline, and evidence
  </Step>

  <Step title="Respond with Gamebooks">
    Execute automated response actions with one click
  </Step>

  <Step title="Close the Incident">
    Document findings and close with proper classification
  </Step>
</Steps>

## 1. Workspace Filtering

The Command Page allows you to customize which incidents are displayed by filtering on Workspace, Severity, and Status. These filters persist as you navigate between pages in ContraForce.

### Setting Your Workspace Filter

<Steps>
  <Step title="Open the Filter">
    Click the workspace dropdown menu in the top bar of the Command dashboard
  </Step>

  <Step title="Select Workspaces">
    Choose one or more workspaces to display
  </Step>

  <Step title="View Filtered Results">
    The Incidents table updates to show only data from selected workspaces

    <Frame>
      <img src="https://mintcdn.com/contraforce/UFg2SFhNmstKGqyT/images/Workspace-filter-command-page.png?fit=max&auto=format&n=UFg2SFhNmstKGqyT&q=85&s=d52e246293bc1f007b75332eb19d5c04" alt="Workspace Filter Command Page" style={{ width:"100%" }} width="3444" height="422" data-path="images/Workspace-filter-command-page.png" />
    </Frame>
  </Step>
</Steps>

### Setting Your Incident Assignees Filter

<Steps>
  <Step title="Open the Assignee Filter">
    Click the assignee dropdown menu in the top bar of the Command Page
  </Step>

  <Step title="Select Assignees">
    Choose one or more assignees to display
  </Step>

  <Step title="View Filtered Results">
    The Incidents table updates to show only incidents owned by the selected assignees
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/contraforce/UFg2SFhNmstKGqyT/FilterIncidentsbyOwner.png?fit=max&auto=format&n=UFg2SFhNmstKGqyT&q=85&s=24a15312b2f03f735705a99004720fd3" alt="Assignee filter dropdown" style={{ width:"100%" }} width="1717" height="501" data-path="FilterIncidentsbyOwner.png" />
</Frame>

### Additional Filters

Beyond workspace and assignee filtering, you can further refine your view:

| Filter       | Options                          | Use Case                             |
| ------------ | -------------------------------- | ------------------------------------ |
| **Severity** | High, Medium, Low, Informational | Focus on critical incidents first    |
| **Status**   | New, Active, Closed              | View only incidents requiring action |
| **Module**   | Sentinel, Defender for Endpoint  | Filter by security product           |

<Tip>
  When filtering by status, you'll see statuses organized by module (Sentinel, Defender for Endpoint, etc.). This helps you quickly identify incidents by source.
</Tip>

***

## 2. Incident Assignment

Proper incident assignment ensures the right analyst handles each incident and provides clear ownership for tracking.

### Individual Assignment

To assign a single incident:

1. Locate the incident in the Incidents table
2. Click the dropdown in the **Owner** column
3. Select an analyst from the list of portal users

### Bulk Assignment

To assign multiple incidents at once:

<Steps>
  <Step title="Select Incidents">
    Check the boxes next to incidents you want to update
  </Step>

  <Step title="Click Update Incidents">
    Click the "Update Incidents" button in the table header
  </Step>

  <Step title="Set Owner and Status">
    Choose the assignee and optionally update the status
  </Step>

  <Step title="Apply Changes">
    Confirm to apply changes to all selected incidents
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/contraforce/EtNLwlvcRLTt6KSx/bulk-incident-update.png?fit=max&auto=format&n=EtNLwlvcRLTt6KSx&q=85&s=c619171fb5b5fd39125917d13043689d" alt="Bulk incident assignment" width="1666" height="572" data-path="bulk-incident-update.png" />
</Frame>

***

## 3. Incident Summary

The Incident Summary provides a complete view of an incident with all the context you need for investigation.

### Accessing the Summary

Click any **Incident ID** in the Incidents table to open its Summary view.

<Frame>
  <img src="https://mintcdn.com/contraforce/rkZaI7-Q99NGKNGI/expanded-incident-workbench.png?fit=max&auto=format&n=rkZaI7-Q99NGKNGI&q=85&s=7f7060d27a627b6e50b68bf2d24a743c" alt="Incident Summary overview" width="1658" height="908" data-path="expanded-incident-workbench.png" />
</Frame>

### Incident Tabs

<Tabs>
  <Tab title="Summary">
    **Summary** – Overview of the incident including severity, status, affected assets, and key details at a glance.
  </Tab>

  <Tab title="Rule">
    **Rule** – Shows the detection rule that triggered the incident, including rule logic, conditions, and configuration.
  </Tab>

  <Tab title="Entities">
    **Entities** – Lists all related entities (users, devices, IPs, domains, files) involved in or affected by the incident.
  </Tab>

  <Tab title="Timeline">
    **Timeline** – Chronological view of all events and actions related to the incident from detection through resolution.
  </Tab>

  <Tab title="Logs">
    **Logs** – Raw log data and events associated with the incident for deeper investigation.
  </Tab>

  <Tab title="Comments">
    **Comments** – Collaboration space for analysts and AI agents to add notes, findings, and communicate about the investigation.
  </Tab>

  <Tab title="Audit">
    **Audit** – Track record of all changes made to the incident (status updates, assignments, modifications) with timestamps and user attribution.
  </Tab>
</Tabs>

## 4. Gamebook Responses

Gamebooks are SOP-driven response actions, either AI-generated or human-created, that let you quickly respond to incidents.

<Info>
  Available Gamebook actions are determined by the entity types present in the incident. Agents automatically suggest relevant actions based on the output of the investigation and the incident classification.
</Info>

### Using Suggested Gamebooks

If a Gamebook has been previously executed for similar incidents, agents suggest it automatically:

<Frame>
  <img src="https://mintcdn.com/contraforce/VmSgQ8LUWaUVaOxE/gamebook-suggestion.png?fit=max&auto=format&n=VmSgQ8LUWaUVaOxE&q=85&s=d083d5e20a90df300dfc79c060d54f03" alt="Suggested Gamebook" width="526" height="698" data-path="gamebook-suggestion.png" />
</Frame>

### Creating a Custom Gamebook

<Steps>
  <Step title="Open the Workbench">
    Click the dropdown next to "Edit" and select **Create New Gamebook**
  </Step>

  <Step title="Explore Available Actions">
    Click entity icons in the Entity Graph to see available response actions
  </Step>

  <Step title="Build Your Response">
    * Use the arrows to navigate through action options
    * Click the green **+** icon to add an action
    * Click the red **-** icon to remove an action
  </Step>

  <Step title="Execute">
    Click **Approve Gamebook** to execute all selected actions
  </Step>
</Steps>

### Gamebook Approval Workflow

Some Gamebook actions require approval before execution:

<Warning>
  Actions with a **red lock icon** require approval from a user with appropriate permissions in the tenant.
</Warning>

**To request approval:**

1. Build your Gamebook as usual
2. Click **Request Gamebook Approval** (instead of Run Gamebook)
3. The request is sent to authorized approvers

**To approve a Gamebook:**

* Approvers can approve directly from the incident, or
* Use the **Gamebook Activity** tab to review and approve pending requests

***

## 5. Incident Closure

After completing your investigation and response, close the incident with proper documentation.

<Frame>
  <img src="https://mintcdn.com/contraforce/G4WFXpxKJ1dXhJ-j/images/close-incident-modal-2.png?fit=max&auto=format&n=G4WFXpxKJ1dXhJ-j&q=85&s=6212bb50f98834a380a99c9e83c72975" alt="Close Incident Modal 2" width="537" height="337" data-path="images/close-incident-modal-2.png" />
</Frame>

### Quick Close from Gamebook

After a Gamebook completes, a green **Close Incident** button appears at the bottom of the Gamebook context group.

### Closure Fields

| Field                     | Options                                                      | Purpose                                      |
| ------------------------- | ------------------------------------------------------------ | -------------------------------------------- |
| **Status**                | Closed                                                       | Marks the incident as resolved               |
| **Classification**        | True Positive, False Positive, Benign Positive, Undetermined | Categorizes the incident outcome             |
| **Classification Reason** | Free text                                                    | Documents why this classification was chosen |
| **Comments**              | Free text                                                    | Final notes on resolution                    |

<Tip>
  Need help understanding classifications? See [Understanding Incident Classifications](/guides/getting-started/understanding-incident-classifications) for detailed guidance.
</Tip>

### Bulk Closure

You can also close incidents in bulk from the Command Page:

1. Select multiple incidents using checkboxes
2. Click **Update Incidents**
3. Set status to **Closed** and add classification details
4. Apply changes

***

## Putting It Together

The ContraForce incident management workflow is designed to help you:

<CardGroup cols={3}>
  <Card title="Triage Faster" icon="gauge-high">
    Filter and prioritize incidents across all your tenants from one dashboard
  </Card>

  <Card title="Respond Automatically" icon="bolt">
    Execute proven response actions with Gamebooks instead of manual remediation
  </Card>

  <Card title="Document Everything" icon="file-lines">
    Maintain complete audit trails with comments, classifications, and history
  </Card>
</CardGroup>

***

## Related Guides

<CardGroup cols={2}>
  <Card title="Command Dashboard" icon="chart-pie-simple" href="/guides/getting-started/command-dashboard">
    Learn more about the central incident dashboard.
  </Card>

  <Card title="What are Gamebooks?" icon="gamepad" href="/guides/getting-started/what-are-gamebooks">
    Deep dive into SOP driven automated response actions.
  </Card>

  <Card title="Workbench Overview" icon="screwdriver-wrench" href="/guides/getting-started/workbench-overview">
    Learn how to manage incidents in your workbench.
  </Card>

  <Card title="Incident Classifications" icon="tag" href="/guides/getting-started/incident-classifications">
    Understand True Positive, False Positive, and more.
  </Card>
</CardGroup>

***

<Note>
  Questions about this workflow? Contact us at [support@contraforce.com](mailto:support@contraforce.com). We're happy to help optimize your incident management process.
</Note>
