> ## Documentation Index
> Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
> Use this file to discover all available pages before exploring further.

# What are Gamebooks?

> Automate incident response with AI-generated response actions. Gamebooks let you isolate devices, disable users, block IPs, and more—without manual intervention.

Gamebooks are SOP-driven incident response workflows powered by ContraForce's response engine, IRIS. Instead of manually logging into multiple consoles to contain a threat, you can execute proven response actions with a single-click across any workspace.

<Note>
  Think of Gamebooks as your incident response playbook—automated. No API mapping, no coding, no scripting. Select the response actions you need, click run, and ContraForce handles the execution across your integrated security tools. AI agents can autonomously choose the correct response actions based on entity types and the classification of the incident.
</Note>

## Why Gamebooks?

Traditional incident response requires analysts to:

1. Identify affected entities (users, devices)
2. Log into each security tool separately
3. Manually execute containment actions
4. Document what was done

**Gamebooks compress this into seconds:**

<CardGroup cols={3}>
  <Card title="One Click" icon="mouse-pointer">
    Execute multiple actions across tools instantly
  </Card>

  <Card title="Consistent" icon="check-double">
    The right response every time
  </Card>

  <Card title="Auditable" icon="clipboard-list">
    Complete history of every action taken
  </Card>
</CardGroup>

***

## Available Gamebook Actions

Gamebook actions are organized by entity type. ContraForce automatically shows relevant actions based on the entities involved in each incident.

### User Actions

| Action                           | Description                         | Use Case                                 |
| -------------------------------- | ----------------------------------- | ---------------------------------------- |
| **Invalidate Existing Sessions** | Terminates all active sessions      | Compromised account, suspicious activity |
| **Lockout User**                 | Prevents user from signing in       | Confirmed account compromise             |
| **Reset User Password**          | Forces password reset on next login | Credential theft suspected               |
| **Unlock User**                  | Re-enables a locked account         | After remediation is complete            |

### Endpoint Actions

| Action                     | Description                                       | Use Case                         |
| -------------------------- | ------------------------------------------------- | -------------------------------- |
| **Isolate Endpoint**       | Disconnects device from network (except Defender) | Active malware, lateral movement |
| **Scan Endpoint**          | Triggers antivirus/EDR scan                       | Suspicious file activity         |
| **Release from Isolation** | Restores network connectivity                     | After threat is contained        |
| **Quarantine File**        | Moves malicious file to quarantine                | Known malware detected           |

### Network Actions

| Action             | Description                                             | Use Case                           |
| ------------------ | ------------------------------------------------------- | ---------------------------------- |
| **Block Cloud IP** | Adds IP to Azure Network Security Group (NSG) blocklist | C2 communication, malicious source |

### Email Actions

| Action           | Description                          | Use Case                   |
| ---------------- | ------------------------------------ | -------------------------- |
| **Delete Email** | Removes malicious email from mailbox | Phishing, malware delivery |

<Tip>
  Available actions depend on your connected modules. For example, endpoint actions require Microsoft Defender for Endpoint module to be configured.
</Tip>

***

## How to Access Gamebooks

<Steps>
  <Step title="Open an Incident">
    From the Command Page, click any **Incident ID** to open the Incident Summary
  </Step>

  <Step title="Open the Gamebook Workbench">
    Click the dropdown next to **Edit** and select **Create New Gamebook**
  </Step>

  <Step title="Start Building">
    The Gamebook Workbench opens with the Entity Context Graph
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/contraforce/MxNW2e6CB6wbPHkq/gamebook-workbench-blank.png?fit=max&auto=format&n=MxNW2e6CB6wbPHkq&q=85&s=3c403fe7fc67995dedb191a8c069c0c1" alt="Accessing Gamebook Workbench" width="3410" height="2002" data-path="gamebook-workbench-blank.png" />
</Frame>

## Building a Gamebook

Creating a Gamebook is intuitive—select entities, choose response actions, and execute.

### Step 1: Select an Entity

**Left-click** an entity in the Entity Context Graph (user, device, IP, etc.). The response action menu appears showing available response actions.

<Frame>
  <img src="https://mintcdn.com/contraforce/OkqrY35173WN84oD/gamebook-page-response-menu.png?fit=max&auto=format&n=OkqrY35173WN84oD&q=85&s=7886e59d6c705f8043824fb745c072d9" alt="Entity selection in Gamebook" title="" width="100%" data-path="gamebook-page-response-menu.png" />
</Frame>

### Step 2: Add Actions

* With the **left-click** menu open, select available response actions
* Click a response action to load it into the Gamebook
* Click the **red - icon** to remove an action

### Step 3: Repeat for Other Entities

Select additional entities and add their actions. You can build comprehensive response workflows targeting multiple entity types.

### Step 4: Review & Execute

Your selected actions appear in the **Gamebook Card**:

<Frame>
  <img src="https://mintcdn.com/contraforce/kaLIj2ko4zdXqLyH/gamebook-workbench-page.png?fit=max&auto=format&n=kaLIj2ko4zdXqLyH&q=85&s=6afa27836b6c5551f83d6e2cb754c3fa" alt="Gamebook actions queue" width="3420" height="2006" data-path="gamebook-workbench-page.png" />
</Frame>

| Column     | Description                         |
| ---------- | ----------------------------------- |
| **Action** | The response action to be performed |
| **Entity** | Target of the action                |
| **Status** | "Pending" before execution          |

Click **Run Gamebook** to execute all actions.

## Gamebook Execution Status

After clicking Run Gamebook, monitor the execution:

| Status       | Meaning                        |
| ------------ | ------------------------------ |
| **Pending**  | Action queued, not yet started |
| **Running**  | Action currently executing     |
| **Finished** | Action completed successfully  |
| **Failed**   | Action encountered an error    |

<Warning>
  If an action fails, check the Gamebook Activity page for error details. Common causes include permission issues or connectivity problems with the target system.
</Warning>

## Gamebook Approval Workflow

Manage the team members responsible for approving Gamebooks that require manual authorization. Only users with the **Workspace Owner** role can be assigned as Gamebook approvers.

### Gamebook Approval Configuration

Within each workspace settings page, under **General,** scroll to the bottom and configure the **Gamebook Configuration** settings based on your SOP for that specific workspace.

<Frame>
  <img src="https://mintcdn.com/contraforce/6uxQwTqHkxIZRRCf/service-provider-gamebook-approval-config.png?fit=max&auto=format&n=6uxQwTqHkxIZRRCf&q=85&s=453c9050012e1550c53a8ed96e071d9b" alt="Approval required indicator" width="3194" height="472" data-path="service-provider-gamebook-approval-config.png" />
</Frame>

<Warning>
  Some response actions (Reset user password) requires the end user of the workspace to have Cloud App Admin, Application Admin, or Global Admin role. As a Service Provider, you can approve this action on your end without the end user consent.
</Warning>

### Approving Gamebooks

Users with approval permissions can approve from:

<CardGroup cols={2}>
  <Card title="Incident Summary" icon="file-lines">
    Open the incident and approve directly from the Gamebook status
  </Card>

  <Card title="Gamebooks Page" icon="gamepad">
    Review all pending approvals in one centralized queue
  </Card>
</CardGroup>

Once approved, the Gamebook executes automatically.

## Gamebook History

Track all Gamebook activity across your environment from the dedicated **Gamebooks Page**.

### Accessing Gamebook History

Click the **Gamebooks icon** (triangle) in the navigation bar—it's the 2nd icon from the top.

<Frame>
  <img src="https://mintcdn.com/contraforce/isWO6qQKw0VFFfJp/gamebooks-page-overview.png?fit=max&auto=format&n=isWO6qQKw0VFFfJp&q=85&s=ce2d433a7cf32ef52a7e754e5585da01" alt="Gamebooks page navigation" title="" width="100%" data-path="gamebooks-page-overview.png" />
</Frame>

### What You Can See

The Gamebooks page shows:

| Filter               | Description                     |
| -------------------- | ------------------------------- |
| **Completed**        | Successfully executed Gamebooks |
| **Waiting Approval** | Pending approval requests       |
| **Failed**           | Gamebooks with errors           |

### Viewing Details

Click the **dropdown arrow** on any row to expand and see:

* Individual action results
* Execution timestamps
* Error messages (if failed)
* Entity details

<Frame>
  <img src="https://mintcdn.com/contraforce/isWO6qQKw0VFFfJp/gamebook-activity-dropdown-menu.png?fit=max&auto=format&n=isWO6qQKw0VFFfJp&q=85&s=25b2196f0bec632c30eaaee8af1272f5" alt="Gamebook history expanded view" width="3172" height="472" data-path="gamebook-activity-dropdown-menu.png" />
</Frame>

<Tip>
  Use the workspace filter to view Gamebook history for specific tenants. This is useful when reviewing activity for a particular customer.
</Tip>

## Unsupported Entities

Not all entity types support Gamebook actions due to technical limitations with module integrations.

**Common reasons:**

* Integration doesn't expose response APIs
* Entity type not yet supported
* Permissions not configured for response actions

<Info>
  If you need specific response capabilities, contact [support@contraforce.com](mailto:support@contraforce.com) to discuss your requirements.
</Info>

## Best Practices

<AccordionGroup>
  <Accordion title="Start with containment">
    Prioritize actions that stop the threat from spreading—isolate devices, disable compromised accounts, block malicious IPs.
  </Accordion>

  <Accordion title="Use approval workflows for high-impact actions">
    Configure approval requirements for actions like device isolation that could impact business operations.
  </Accordion>

  <Accordion title="Review before running">
    Always verify the Gamebook Card shows the correct entities and actions before clicking Run.
  </Accordion>

  <Accordion title="Monitor the Gamebooks page">
    Check the Gamebooks page regularly for failed actions that may need manual intervention.
  </Accordion>

  <Accordion title="Document with comments">
    After running a Gamebook, add comments to the incident explaining what actions were taken and why.
  </Accordion>
</AccordionGroup>

## Gamebook Actions Quick Reference

| Entity       | Actions Available                                      |
| ------------ | ------------------------------------------------------ |
| **User**     | Invalidate Sessions, Lockout, Reset Password, Unlock   |
| **Endpoint** | Isolate, Scan, Release from Isolation, Quarantine File |
| **Network**  | Block IP                                               |
| **Email**    | Delete Email                                           |

## Related Guides

<CardGroup cols={2}>
  <Card title="Workbench Overview" icon="screwdriver-wrench" href="/guides/getting-started/workbench-overview">
    Your toolset for security delivery
  </Card>

  <Card title="Incident Management" icon="shield-halved" href="/guides/getting-started/incident-management">
    Complete incident workflow guide
  </Card>

  <Card title="Incident Classifications" icon="tag" href="/guides/getting-started/incident-classifications">
    Classify incidents after response
  </Card>

  <Card title="User Management" icon="user-check" href="/guides/general-support/user-group-management">
    Configure approval permissions
  </Card>
</CardGroup>

***

<Note>
  Questions about Gamebooks? Contact us at [support@contraforce.com](mailto:support@contraforce.com).
</Note>