Think of Gamebooks as your incident response playbook—automated. No API mapping, no coding, no scripting. Select the response actions you need, click run, and ContraForce handles the execution across your integrated security tools. AI agents can autonomously choose the correct response actions based on entity types and the classification of the incident.
Why Gamebooks?
Traditional incident response requires analysts to:- Identify affected entities (users, devices)
- Log into each security tool separately
- Manually execute containment actions
- Document what was done
One Click
Execute multiple actions across tools instantly
Consistent
The right response every time
Auditable
Complete history of every action taken
Available Gamebook Actions
Gamebook actions are organized by entity type. ContraForce automatically shows relevant actions based on the entities involved in each incident.User Actions
| Action | Description | Use Case |
|---|---|---|
| Invalidate Existing Sessions | Terminates all active sessions | Compromised account, suspicious activity |
| Lockout User | Prevents user from signing in | Confirmed account compromise |
| Reset User Password | Forces password reset on next login | Credential theft suspected |
| Unlock User | Re-enables a locked account | After remediation is complete |
Endpoint Actions
| Action | Description | Use Case |
|---|---|---|
| Isolate Endpoint | Disconnects device from network (except Defender) | Active malware, lateral movement |
| Scan Endpoint | Triggers antivirus/EDR scan | Suspicious file activity |
| Release from Isolation | Restores network connectivity | After threat is contained |
| Quarantine File | Moves malicious file to quarantine | Known malware detected |
Network Actions
| Action | Description | Use Case |
|---|---|---|
| Block IP | Adds IP to blocklist | C2 communication, malicious source |
Email Actions
| Action | Description | Use Case |
|---|---|---|
| Delete Email | Removes malicious email from mailbox | Phishing, malware delivery |
How to Access Gamebooks
Building a Gamebook
Creating a Gamebook is intuitive—select entities, choose response actions, and execute.Step 1: Select an Entity
Left-click an entity in the Entity Context Graph (user, device, IP, etc.). The response action menu appears showing available response actions.
Step 2: Add Actions
- With the left-click menu open, select available response actions
- Click a response action to load it into the Gamebook
- Click the red - icon to remove an action
Step 3: Repeat for Other Entities
Select additional entities and add their actions. You can build comprehensive response workflows targeting multiple entity types.Step 4: Review & Execute
Your selected actions appear in the Gamebook Card:
| Column | Description |
|---|---|
| Action | The response action to be performed |
| Entity | Target of the action |
| Status | ”Pending” before execution |
Gamebook Execution Status
After clicking Run Gamebook, monitor the execution:| Status | Meaning |
|---|---|
| Pending | Action queued, not yet started |
| Running | Action currently executing |
| Finished | Action completed successfully |
| Failed | Action encountered an error |
Gamebook Approval Workflow
Manage the team members responsible for approving Gamebooks that require manual authorization. Only users with the **Workspace Owner **role can be assigned as Gamebook approvers.Gamebook Approval Configuration
Within each workspace settings page, under **General, **scroll to the bottom and configure the Gamebook Configuration settings based on your SOP for that specific workspace.
Approving Gamebooks
Users with approval permissions can approve from:Incident Summary
Open the incident and approve directly from the Gamebook status
Gamebooks Page
Review all pending approvals in one centralized queue
Gamebook History
Track all Gamebook activity across your environment from the dedicated Gamebooks Page.Accessing Gamebook History
Click the Gamebooks icon (triangle) in the navigation bar—it’s the 2nd icon from the top.
What You Can See
The Gamebooks page shows:| Filter | Description |
|---|---|
| Completed | Successfully executed Gamebooks |
| Waiting Approval | Pending approval requests |
| Failed | Gamebooks with errors |
Viewing Details
Click the dropdown arrow on any row to expand and see:- Individual action results
- Execution timestamps
- Error messages (if failed)
- Entity details
Unsupported Entities
Not all entity types support Gamebook actions due to technical limitations with module integrations. Common reasons:- Integration doesn’t expose response APIs
- Entity type not yet supported
- Permissions not configured for response actions
If you need specific response capabilities, contact [email protected] to discuss your requirements.
Best Practices
Start with containment
Start with containment
Prioritize actions that stop the threat from spreading—isolate devices, disable compromised accounts, block malicious IPs.
Use approval workflows for high-impact actions
Use approval workflows for high-impact actions
Configure approval requirements for actions like device isolation that could impact business operations.
Review before running
Review before running
Always verify the Gamebook Card shows the correct entities and actions before clicking Run.
Monitor the Gamebooks page
Monitor the Gamebooks page
Check the Gamebooks page regularly for failed actions that may need manual intervention.
Document with comments
Document with comments
After running a Gamebook, add comments to the incident explaining what actions were taken and why.
Gamebook Actions Quick Reference
| Entity | Actions Available |
|---|---|
| User | Invalidate Sessions, Lockout, Reset Password, Unlock |
| Endpoint | Isolate, Scan, Release from Isolation, Quarantine File |
| Network | Block IP |
| Delete Email |
Related Guides
Workbench Overview
Your toolset for security delivery
Incident Management
Complete incident workflow guide
Incident Classifications
Classify incidents after response
User Management
Configure approval permissions
Questions about Gamebooks? Contact us at [email protected].