
What is the Security Workbench?
The Security Workbench combines investigation and response into one powerful workspace:
- AI-Mapped Playbooks: Automatically recommended response actions based on affected entity types
- Entity Visualization: See all related entities in an interactive graph
- No-Code Queries: Investigate entities further without writing queries
- Custom Workflows: Chain multiple actions into comprehensive Gamebooks
The Security Workbench is where investigation meets action. Instead of switching between tools, you can analyze the threat and respond to it in the same place.
Accessing the Security Workbench
1. Open an Incident: From the Command Page, click any Incident ID in the Incidents table
2. View the Summary: The Incident Summary opens with overview information
3. Open the Workbench: Click the dropdown next to Edit and select Create New Gamebook
Workbench Layout
The Security Workbench is organized into several key areas:
Incident Header
At the top of the Workbench, you’ll find:

| Element | Description |
|---|---|
| Incident Title | Name and ID of the incident |
| Status | Current state (New, Active, Closed)—editable inline |
| Owner | Assigned analyst—editable inline |
| Severity | Incident severity level |
Entity Graph
The central visualization showing all entities involved in the incident:
- Users — Accounts that were affected or involved
- Devices — Endpoints implicated in the incident
- IPs — Network addresses related to the activity
- Files — Suspicious files or hashes detected
- URLs/Domains — Web resources involved
- View entity details
- See other incidents involving this entity
- Access available response actions
Tabs
- Summary: Overview of the incident including description, timeline summary, and key indicators.
- Entities
- Comments
- History
Building a Gamebook
Gamebooks are custom response workflows you build by selecting actions for each affected entity.
Step 1: Select an Entity
Click an entity icon in the Entity Graph. The Incident Response Carousel appears with available actions for that entity type.
Step 2: Browse Available Actions
Use the arrows on either side of the carousel to rotate through available actions:

| Entity Type | Example Actions |
|---|---|
| User | Disable account, Reset password, Revoke sessions, Block sign-in |
| Device | Isolate device, Run AV scan, Collect investigation package |
| IP | Block IP, Add to watchlist |
| File | Quarantine file, Block hash |
Available actions depend on the entity type and your connected integrations. ContraForce automatically shows only actions that are relevant and executable.
Step 3: Add Actions to Gamebook
- Click the green + icon to add an action to your Gamebook
- Click the red - icon to remove an action
- Repeat for each entity you want to take action on

Step 4: Review Your Gamebook
As you add actions, they appear in the Gamebook Card below the carousel:

| Column | Description |
|---|---|
| Action | What will be performed |
| Entity | Target of the action |
| Status | Shows “Pending” before execution |
Step 5: Execute the Gamebook
1. Review Actions: Verify all actions in the Gamebook Card are correct
2. Click Run Gamebook: Execute all actions in the Gamebook
3. Monitor Progress: Status updates from “Pending” to “Running” to “Finished”

Gamebook Approval Workflow
Some actions require approval before execution, indicated by a red lock icon in the carousel.
Requesting Approval
- Build your Gamebook as usual (including locked actions)
- Click Request Gamebook Approval instead of Run Gamebook
- The request is sent to users with approval permissions
Approving Gamebooks
Approvers can approve requests from:
- The incident itself — Open the incident and approve directly
- Gamebook Activity tab — Review all pending approvals in one place
Loading Previous Gamebooks
Don’t rebuild from scratch—reuse successful response patterns.
From the History Tab
1. Open History Tab: Click the History tab in the Security Workbench
2. Find Previous Gamebook: Browse previously executed Gamebooks for this incident
3. Load Gamebook: Click to load the actions into a new Gamebook
4. Modify if Needed: Add or remove actions before executing

Gamebook Activity Page
Track all Gamebook executions across your entire environment from the dedicated Gamebooks Page.
What You Can See
| Column | Description |
|---|---|
| Status | Success, Failed, Pending Approval |
| Incident | Linked incident ID |
| Actions | What actions were performed |
| Time to Run | Execution duration |
| Workspace | Which tenant the actions ran against |
Expanding Details
Click any row to expand and see:
- Individual action results
- Error messages (if any failed)
- Timestamps for each step
- Entity details
Best Practices
Start with high-impact entities
Focus your initial response on the most critical entities—compromised users, infected devices, or malicious IPs that pose immediate risk.
Use comments to document findings
Add comments as you investigate. This creates a record for your team and helps with post-incident review.
Review before executing
Always review the complete Gamebook Card before clicking Run. Verify you’re taking action on the correct entities.
Check History for patterns
Before building a new Gamebook, check the History tab. A previous response may already exist that you can reuse or adapt.
Monitor the Gamebook Activity page
Regularly check the Gamebook Activity page to ensure actions completed successfully and catch any failures early.
Related Guides
- What are Gamebooks? Deep dive into Gamebook capabilities
- Incident Management Guide: Complete incident workflow
- Entity Insights: Available entity enrichment data
- Incident Classifications: Classify incidents after resolution
Need help with the Security Workbench? Contact us at [email protected].