Think of Gamebooks as your incident response playbook—automated. Select the actions you need, click run, and ContraForce handles the execution across your integrated security tools.
Why Gamebooks?
Traditional incident response requires analysts to:- Identify affected entities (users, devices, IPs)
- Log into each security tool separately
- Manually execute containment actions
- Document what was done
One Click
Execute multiple actions across tools instantly
Consistent
Same response every time—no missed steps
Auditable
Complete history of every action taken
Available Gamebook Actions
Gamebook actions are organized by entity type. ContraForce automatically shows relevant actions based on the entities involved in each incident.User Actions
| Action | Description | Use Case |
|---|---|---|
| Invalidate Existing Sessions | Terminates all active sessions | Compromised account, suspicious activity |
| Lockout User | Prevents user from signing in | Confirmed account compromise |
| Reset User Password | Forces password reset on next login | Credential theft suspected |
| Unlock User | Re-enables a locked account | After remediation is complete |
Endpoint Actions
| Action | Description | Use Case |
|---|---|---|
| Isolate Endpoint | Disconnects device from network (except Defender) | Active malware, lateral movement |
| Scan Endpoint | Triggers antivirus/EDR scan | Suspicious file activity |
| Release from Isolation | Restores network connectivity | After threat is contained |
| Quarantine File | Moves malicious file to quarantine | Known malware detected |
Network Actions
| Action | Description | Use Case |
|---|---|---|
| Block IP | Adds IP to blocklist | C2 communication, malicious source |
Email Actions
| Action | Description | Use Case |
|---|---|---|
| Delete Email | Removes malicious email from mailbox | Phishing, malware delivery |
How to Access Gamebooks
1
Open an Incident
From the Command Page, click any Incident ID to open the Incident Summary
2
Open the Gamebook Workbench
Click the dropdown next to Edit and select Create New Gamebook
3
Start Building
The Gamebook Workbench opens with the Entity Graph and action carousel
Building a Gamebook
Creating a Gamebook is intuitive—select entities, choose actions, and execute.Step 1: Select an Entity
Click an entity in the Entity Graph (user, device, IP, etc.). The action carousel appears showing available response actions.
Step 2: Add Actions
- Use the arrows to browse available actions
- Click the green + icon to add an action to your Gamebook
- Click the red - icon to remove an action
Step 3: Repeat for Other Entities
Select additional entities and add their actions. You can build comprehensive response workflows targeting multiple entity types.Step 4: Review & Execute
Your selected actions appear in the Gamebook Card:
| Column | Description |
|---|---|
| Action | The response action to be performed |
| Entity | Target of the action |
| Status | ”Pending” before execution |
Gamebook Execution Status
After clicking Run Gamebook, monitor the execution:| Status | Meaning |
|---|---|
| Pending | Action queued, not yet started |
| Running | Action currently executing |
| Finished | Action completed successfully |
| Failed | Action encountered an error |
Gamebook Approval Workflow
Some actions are too impactful to execute without oversight. These require approval before running.How to Identify Approval-Required Actions
Actions requiring approval display a red lock icon in the carousel.
Requesting Approval
When your Gamebook includes locked actions:- Build your Gamebook as usual
- The button changes to Request Gamebook Approval
- Click to submit the request
- Status shows Waiting Approval
Approving Gamebooks
Users with approval permissions can approve from:Incident Summary
Open the incident and approve directly from the Gamebook status
Gamebooks Page
Review all pending approvals in one centralized location
Gamebook History
Track all Gamebook activity across your environment from the dedicated Gamebooks Page.Accessing Gamebook History
Click the Gamebooks icon (triangle) in the navigation bar—it’s the 2nd icon from the top.
What You Can See
The Gamebooks page shows:| Filter | Description |
|---|---|
| Completed | Successfully executed Gamebooks |
| Waiting Approval | Pending approval requests |
| Failed | Gamebooks with errors |
Viewing Details
Click the dropdown arrow on any row to expand and see:- Individual action results
- Execution timestamps
- Error messages (if failed)
- Entity details
Unsupported Entities
Not all entity types support Gamebook actions due to technical limitations with source integrations. If an entity doesn’t support actions, you’ll see an error message:
- Integration doesn’t expose response APIs
- Entity type not yet supported
- Permissions not configured for response actions
ContraForce continuously adds new integrations and actions. If you need specific response capabilities, contact [email protected] to discuss your requirements.
Best Practices
Start with containment
Start with containment
Prioritize actions that stop the threat from spreading—isolate devices, disable compromised accounts, block malicious IPs.
Use approval workflows for high-impact actions
Use approval workflows for high-impact actions
Configure approval requirements for actions like device isolation that could impact business operations.
Review before running
Review before running
Always verify the Gamebook Card shows the correct entities and actions before clicking Run.
Monitor the Gamebooks page
Monitor the Gamebooks page
Check the Gamebooks page regularly for failed actions that may need manual intervention.
Document with comments
Document with comments
After running a Gamebook, add comments to the incident explaining what actions were taken and why.
Gamebook Actions Quick Reference
| Entity | Actions Available |
|---|---|
| User | Invalidate Sessions, Lockout, Reset Password, Unlock |
| Endpoint | Isolate, Scan, Release from Isolation, Quarantine File |
| Network | Block IP |
| Delete Email |
Related Guides
Security Workbench
Learn about the full investigation interface
Incident Management
Complete incident workflow guide
Incident Classifications
Classify incidents after response
User Roles
Configure approval permissions
Questions about Gamebooks? Contact us at [email protected].