# Workbench Overview

> Create custom incident response workflows with AI-mapped playbooks and one-click actions. Visualize entities, build Gamebooks, and resolve incidents faster.

The Security Workbench is your investigation and response command center. Visualize affected entities, build custom response workflows, and execute remediation actions—all from a single interface.

<Frame>
  <img src="https://mintcdn.com/contraforce/rkZaI7-Q99NGKNGI/expanded-incident-workbench.png?fit=max&auto=format&n=rkZaI7-Q99NGKNGI&q=85&s=7f7060d27a627b6e50b68bf2d24a743c" alt="ContraForce Security Workbench" width="1658" height="908" data-path="expanded-incident-workbench.png" />
</Frame>

## What is the Workbench?

The Workbench combines investigation and response into one powerful experience:

<CardGroup cols={2}>
  <Card title="AI-Mapped Response Actions" icon="brain">
    Automatically recommended response actions based on affected entity types
  </Card>

  <Card title="Entity and Context Graph Visualization" icon="diagram-project">
    See all related entities in an interactive context graph
  </Card>

  <Card title="No-Code Queries" icon="magnifying-glass">
    Click-through investigation for entities without writing queries
  </Card>

  <Card title="Custom Workflows" icon="arrows-split-up-and-left">
    Chain multiple actions into comprehensive Gamebooks
  </Card>
</CardGroup>

<Info>
  The Workbench is where investigation meets action. Instead of switching between tools, you can analyze the threat and respond to it in the same place.
</Info>

***

## Accessing the Workbench

<Steps>
  <Step title="Open an Incident">
    From the Command Page, click any **Incident ID** in the Incidents table
  </Step>

  <Step title="View the Summary">
    The Incident Summary opens with overview information
  </Step>

  <Step title="Open the Workbench">
    Click the dropdown next to **Edit** and select **Create New Gamebook**
  </Step>
</Steps>

***

## Workbench Layout

The Security Workbench is organized into several key areas:

### Incident Header

At the top of the Workbench, you'll find:

| Element            | Description                                         |
| ------------------ | --------------------------------------------------- |
| **Incident Title** | Name and ID of the incident                         |
| **Status**         | Current state (New, Active, Closed)—editable inline |
| **Owner**          | Assigned analyst—editable inline                    |
| **Severity**       | Incident severity level                             |

<Tip>
  You can update the Status and Owner directly from the Workbench without leaving the page.
</Tip>

### Entity Graph

The central visualization showing all entities involved in the incident:

* **Users** — Accounts that were affected or involved
* **Devices** — Endpoints implicated in the incident
* **IPs** — Network addresses related to the activity
* **Files** — Suspicious files or hashes detected
* **URLs/Domains** — Web resources involved

Click any entity icon to:

* View entity details
* See other incidents involving this entity
* Access available response actions

### Tabs

<Tabs>
  <Tab title="Summary">
    Overview of the incident including description, timeline summary, and key indicators.
  </Tab>

  <Tab title="Entities">
    Detailed list of all affected entities with expandable details and cross-incident correlation.
  </Tab>

  <Tab title="Comments">
    Team collaboration space. Add investigation notes and view comments from other analysts.
  </Tab>

  <Tab title="History">
    Complete audit trail of all actions taken on this incident, including previously run Gamebooks.
  </Tab>
</Tabs>

***

## Building a Gamebook

Gamebooks are response workflows that you or agents build by selecting response actions for each affected entity.

### Step 1: Select an Entity

Left-click an entity icon in the Entity Context Graph. The response actions that appear are already mapped to the selected entity type.

<Frame>
  <img src="https://mintcdn.com/contraforce/78hruO4wvDt2PNIK/left-click-entity-graph.png?fit=max&auto=format&n=78hruO4wvDt2PNIK&q=85&s=6f3d3795b8373f6d139720b45c3fdc0d" alt="Entity action carousel" width="411" height="262" data-path="left-click-entity-graph.png" />
</Frame>

### Step 2: Browse Available Actions

Left-clicking an entity gives you access to the following response actions:

| Entity Type | Response Actions                                                        |
| ----------- | ----------------------------------------------------------------------- |
| **User**    | Invalidate sessions, lockout user, reset user password, and unlock user |
| **Device**  | Isolate device, run AV scan, unisolate device                           |
| **IP**      | Block Azure Network Security Group (NSG)                                |
| **File**    | Quarantine file, block hash                                             |

<Info>
  Available actions depend on the entity type and your connected modules. Gamebook response actions automatically map to actions that are relevant and executable.
</Info>

### Step 3: Add Actions to Gamebook

* Click the **+ icon** to add a response action to your Gamebook
* To remove a response action, hover over it in the Gamebook and click the **red - icon**
* Repeat for each entity you want to take action on

<Frame>
  <img src="https://mintcdn.com/contraforce/14zd1Ab1D6_j2MFV/gamebook-add-remove.png?fit=max&auto=format&n=14zd1Ab1D6_j2MFV&q=85&s=c931c1e5cf5658573eeac2c4297440e3" alt="Gamebook with actions added" width="1587" height="735" data-path="gamebook-add-remove.png" />
</Frame>

### Step 4: Review Your Gamebook

As you add actions, they load in the **Gamebook card**.

### Step 5: Execute the Gamebook

<Steps>
  <Step title="Review Response Actions">
    Verify all actions in the Gamebook are correct
  </Step>

  <Step title="Click Run Gamebook">
    Execute all actions in the Gamebook
  </Step>

  <Step title="Monitor Progress">
    Status updates from "Pending" to "Running" to "Finished"
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/contraforce/2DA3SK5G6Jl_8TQ7/finished-gamebook.png?fit=max&auto=format&n=2DA3SK5G6Jl_8TQ7&q=85&s=05446033524855a996f3ecbd68e90f71" alt="Gamebook execution complete" width="518" height="735" data-path="finished-gamebook.png" />
</Frame>

***

## Gamebook Approval Workflow

Some Gamebooks require approval before execution, indicated by an **Approve** button on the Gamebooks page or in the Gamebook within the Workbench.

<Warning>
  Actions with approval requirements are typically high-impact operations like isolating a device or resetting a user password. This prevents accidental execution.
</Warning>

### Requesting Approval

1. Build your Gamebook as usual (including locked actions)
2. Click **Request Gamebook Approval** instead of Run Gamebook
3. The request is sent to users with approval permissions

### Approving Gamebooks

Approvers can approve requests from:

* **The incident itself** — Open the incident and approve directly
* **Gamebook Activity tab** — Review all pending approvals in one place

  <Frame>
    <img src="https://mintcdn.com/contraforce/lmpkmEiaSXk2p2zP/images/gamebook-activity-approval.png?fit=max&auto=format&n=lmpkmEiaSXk2p2zP&q=85&s=a030647e4ff68a814d2ba9284b586bbc" alt="Gamebook Activity Approval" width="518" height="399" data-path="images/gamebook-activity-approval.png" />
  </Frame>
* **Gamebook Activity page** — Review all pending approvals in one place

  <Frame>
    <img src="https://mintcdn.com/contraforce/lmpkmEiaSXk2p2zP/images/gamebook-page-approvals.png?fit=max&auto=format&n=lmpkmEiaSXk2p2zP&q=85&s=6f71e9eaf8d0abfa42625ab6cfc76dca" alt="Gamebook Page Approvals" width="1709" height="854" data-path="images/gamebook-page-approvals.png" />
  </Frame>

<Tip>
  Loading previous Gamebooks is especially useful for recurring incident types. Build a response once, reuse it across similar incidents.
</Tip>

## Gamebook Activity Page

Track all Gamebooks in one queue across every workspace from the dedicated **Gamebooks Page**.

<Frame>
  <img src="https://mintcdn.com/contraforce/lmpkmEiaSXk2p2zP/images/gamebook-page-approvals.png?fit=max&auto=format&n=lmpkmEiaSXk2p2zP&q=85&s=6f71e9eaf8d0abfa42625ab6cfc76dca" alt="Gamebook Activity page" width="1709" height="854" data-path="images/gamebook-page-approvals.png" />
</Frame>

### What You Can See

| Column          | Description                          |
| --------------- | ------------------------------------ |
| **Status**      | Success, Failed, Pending Approval    |
| **Incident**    | Linked incident ID                   |
| **Actions**     | What actions were performed          |
| **Time to Run** | Execution duration                   |
| **Workspace**   | Which tenant the actions ran against |

### Expanding Details

Click any row to expand and see:

* Individual action results
* Error messages (if any failed)
* Timestamps for each step
* Entity details

## Best Practices

<AccordionGroup>
  <Accordion title="Start with high-impact entities">
    Focus your initial response on the most critical entities—compromised users, infected devices, or malicious IPs that pose immediate risk.
  </Accordion>

  <Accordion title="Use comments to document findings">
    Add comments as you investigate. This creates a record for your team and helps with post-incident review.
  </Accordion>

  <Accordion title="Review before executing">
    Always review the complete Gamebook Card before clicking Run. Verify you're taking action on the correct entities.
  </Accordion>

  <Accordion title="Check History for patterns">
    Before building a new Gamebook, check the History tab. A previous response may already exist that you can reuse or adapt.
  </Accordion>

  <Accordion title="Monitor the Gamebook Activity page">
    Regularly check the Gamebook Activity page to ensure actions completed successfully and catch any failures early.
  </Accordion>
</AccordionGroup>

***

## Related Guides

<CardGroup cols={2}>
  <Card title="What are Gamebooks?" icon="gamepad" href="/guides/getting-started/what-are-gamebooks">
    Deep dive into Gamebook capabilities.
  </Card>

  <Card title="Incident Management" icon="shield-halved" href="/guides/getting-started/incident-management">
    Complete incident workflows.
  </Card>

  <Card title="Entity Insights" icon="lightbulb" href="/entity-insights">
    Available entity enrichment data.
  </Card>

  <Card title="Incident Classifications" icon="tag" href="/guides/getting-started/incident-classifications">
    Classify incidents after resolution.
  </Card>
</CardGroup>

***

<Note>
  Need help with the Security Workbench? Contact us at [support@contraforce.com](mailto:support@contraforce.com)
</Note>
