> ## Documentation Index
> Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Incident Management

> A complete workflow for triaging, investigating, and resolving security incidents in ContraForce.

This guide walks you through the recommended workflow for managing security incidents in ContraForce—from initial triage to resolution.

<Info>
  ContraForce empowers analysts to efficiently manage incidents across multiple tenants and data sources. This workflow is designed to help you resolve incidents faster and deliver better service to your customers.
</Info>

## Workflow Overview

<Steps>
  <Step title="Filter Workspaces">
    Focus on specific tenants or view all incidents across your environment
  </Step>

  <Step title="Assign Incidents">
    Route incidents to the appropriate analyst
  </Step>

  <Step title="Investigate">
    Review the incident summary, entities, timeline, and evidence
  </Step>

  <Step title="Respond with Gamebooks">
    Execute automated response actions with one click
  </Step>

  <Step title="Close the Incident">
    Document findings and close with proper classification
  </Step>
</Steps>

## 1. Workspace Filtering

The Command Page allows you to customize which incidents are displayed by filtering on Workspace, Severity, and Status. These filters persist as you navigate between pages in ContraForce.

### Setting Your Workspace Filter

<Steps>
  <Step title="Open the Filter">
    Click the workspace dropdown menu in the top bar of the Command dashboard
  </Step>

  <Step title="Select Workspaces">
    Choose one or more workspaces to display
  </Step>

  <Step title="View Filtered Results">
    The Incidents table updates to show only data from selected workspaces

    <Frame>
      <img src="https://mintcdn.com/contraforce/EJSv-50EV_kHzCm1/images/Workspace-filter-command-page.png?fit=max&auto=format&n=EJSv-50EV_kHzCm1&q=85&s=efd22f5d65f41b4da51afaa1a785e59e" alt="Workspace Filter Command Page" style={{ width:"100%" }} width="236" height="297" data-path="images/Workspace-filter-command-page.png" />
    </Frame>
  </Step>
</Steps>

## 2. Setting Your Incident Assignees Filter

<Step title="Open the Assignee Filter">
  Click the assignee dropdown menu in the top bar of the Command Page
</Step>

<Step title="Select Assignees">
  Choose one or more workspaces to display
</Step>

<Step title="View Filtered Results">
  The Incidents table updates to show only incidents from selected assignees
</Step>

<Frame>
  <img src="https://mintcdn.com/contraforce/EJSv-50EV_kHzCm1/FilterIncidentsbyOwner.png?fit=max&auto=format&n=EJSv-50EV_kHzCm1&q=85&s=c45773f34351285fe0cc0599236a7b05" alt="Workspace filter dropdown" style={{ width:"100%" }} width="2934" height="1190" data-path="FilterIncidentsbyOwner.png" />
</Frame>

### Additional Filters

Beyond workspace filtering, you can further refine your view:

| Filter       | Options                          | Use Case                             |
| ------------ | -------------------------------- | ------------------------------------ |
| **Severity** | High, Medium, Low, Informational | Focus on critical incidents first    |
| **Status**   | New, Active, Closed              | View only incidents requiring action |
| **Module**   | Sentinel, Defender for Endpoint  | Filter by security product           |

<Tip>
  When filtering by status, you'll see statuses organized by module (Sentinel, Defender for Endpoint, etc.). This helps you quickly identify incidents by source.
</Tip>

***

## 2. Incident Assignment

Proper incident assignment ensures the right analyst handles each incident and provides clear ownership for tracking.

### Individual Assignment

To assign a single incident:

1. Locate the incident in the Incidents table
2. Click the dropdown in the **Owner** column
3. Select an analyst from the list of portal users

### Handling Incidents at Scale

There's no manual bulk-update action. **Security Delivery Agents** running **on queue** automatically triage and act on incidents in bulk as they arrive, so you don't have to process them batch by batch. See [Configuring Security Delivery Agents](/guides/getting-started/configuring-security-delivery-agents).

***

## 3. Incident Summary

The Incident Summary provides a complete view of an incident with all the context you need for investigation.

### Accessing the Summary

Click any **Incident ID** in the Incidents table to open its Summary view.

<Frame>
  <img src="https://mintcdn.com/contraforce/n2V4XUDWFOitCP6z/expanded-incident-workbench.jpeg?fit=max&auto=format&n=n2V4XUDWFOitCP6z&q=85&s=a9c26847a652444b38f03ca3ba446292" alt="Incident Summary overview" width="1712" height="939" data-path="expanded-incident-workbench.jpeg" />
</Frame>

### Incident Tabs

<Tabs>
  <Tab title="Summary">
    **Summary** – Overview of the incident including severity, status, affected assets, and key details at a glance.
  </Tab>

  <Tab title="Rule">
    **Rule** – Shows the detection rule that triggered the incident, including rule logic, conditions, and configuration.
  </Tab>

  <Tab title="Entities">
    **Entities** – Lists all related entities (users, devices, IPs, domains, files) involved in or affected by the incident.
  </Tab>

  <Tab title="Timeline">
    **Timeline** – Chronological view of all events and actions related to the incident from detection through resolution.
  </Tab>

  <Tab title="Logs">
    **Logs** – Raw log data and events associated with the incident for deeper investigation.
  </Tab>

  <Tab title="Comments">
    **Comments** – Collaboration space for analysts and AI agents to add notes, findings, and communicate about the investigation.
  </Tab>

  <Tab title="Audit">
    **Audit** – Track record of all changes made to the incident (status updates, assignments, modifications) with timestamps and user attribution.
  </Tab>
</Tabs>

## 4. Gamebook Responses

Gamebooks SOP driven AI-generated and human created response actions that let you quickly respond to incidents.

<Info>
  Available Gamebook actions are determined by the entity types present in the incident. Agents automatically suggests relevant actions based on the output of the investigation and incident classification.
</Info>

### Using Suggested Gamebooks

If a Gamebook has been previously executed for similar incidents, agents suggest it automatically:

<Frame>
  <img src="https://mintcdn.com/contraforce/EJSv-50EV_kHzCm1/gamebook-suggestion.png?fit=max&auto=format&n=EJSv-50EV_kHzCm1&q=85&s=47645a4ea5eda0fa2d0af846c234e90a" alt="Gamebook response panel with completed actions" width="740" height="1104" data-path="gamebook-suggestion.png" />
</Frame>

### Creating a Custom Gamebook

<Steps>
  <Step title="Open the Workbench">
    Click the dropdown next to "Edit" and select **Create New Gamebook**
  </Step>

  <Step title="Explore Available Actions">
    Click entity icons in the Entity Graph to see available response actions
  </Step>

  <Step title="Build Your Response">
    * Use the arrows to navigate through action options
    * Click the green **+** icon to add an action
    * Click the red **-** icon to remove an action
  </Step>

  <Step title="Execute">
    Click **Approve Gamebook** to execute all selected actions
  </Step>
</Steps>

### Gamebook Approval Workflow

Some Gamebook actions require approval before execution:

<Warning>
  Actions with a **red lock icon** require approval from a user with appropriate permissions in the tenant.
</Warning>

**To request approval:**

1. Build your Gamebook as usual
2. Click **Request Gamebook Approval** (instead of Run Gamebook)
3. The request is sent to authorized approvers

**To approve a Gamebook:**

* Approvers can approve directly from the incident, or
* Use the **Gamebook Activity** tab to review and approve pending requests

***

## 5. Incident Closure

After completing your investigation and response, close the incident with proper documentation.

<Frame>
  <img src="https://mintcdn.com/contraforce/EJSv-50EV_kHzCm1/images/close-incident-modal-2.png?fit=max&auto=format&n=EJSv-50EV_kHzCm1&q=85&s=886f7b1b14a8998c19e1b5b222dcab8c" alt="Close Incident modal" width="690" height="710" data-path="images/close-incident-modal-2.png" />
</Frame>

### Quick Close from Gamebook

After a Gamebook completes, a green **Close Incident** button appears at the bottom of the Gamebook context group.

### Closure Fields

| Field              | Options                                                      | Purpose                                             |
| ------------------ | ------------------------------------------------------------ | --------------------------------------------------- |
| **Classification** | True Positive, False Positive, Benign Positive, Undetermined | Required. Categorizes the incident outcome          |
| **Comment**        | Free text                                                    | Optional note about why you're closing the incident |

<Tip>
  Need help understanding classifications? See [Understanding Incident Classifications](/guides/getting-started/understanding-incident-classifications) for detailed guidance.
</Tip>

***

## Putting It Together

The ContraForce incident management workflow is designed to help you:

<CardGroup cols={3}>
  <Card title="Triage Faster" icon="gauge-high">
    Filter and prioritize incidents across all your tenants from one dashboard
  </Card>

  <Card title="Respond Automatically" icon="bolt">
    Execute proven response actions with Gamebooks instead of manual remediation
  </Card>

  <Card title="Document Everything" icon="file-lines">
    Maintain complete audit trails with comments, classifications, and history
  </Card>
</CardGroup>

***

## Related Guides

<CardGroup cols={2}>
  <Card title="Command Dashboard" icon="chart-pie-simple" href="/guides/getting-started/command-dashboard">
    Learn more about the central incident dashboard.
  </Card>

  <Card title="What are Gamebooks?" icon="gamepad" href="/guides/getting-started/what-are-gamebooks">
    Deep dive into SOP driven automated response actions.
  </Card>

  <Card title="Workbench Overview" icon="screwdriver-wrench" href="/guides/getting-started/workbench-overview">
    Learn how to manage incidents in your workbench.
  </Card>

  <Card title="Incident Classifications" icon="tag" href="/guides/getting-started/incident-classifications">
    Understand True Positive, False Positive, and more.
  </Card>
</CardGroup>

***

<Note>
  Questions about this workflow? Contact us at [support@contraforce.com](mailto:support@contraforce.com). We're happy to help optimize your incident management process.
</Note>
