The XDR module is designed for environments using Microsoft Defender XDR (Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps). If you also use Microsoft Sentinel, consider the XDR + SIEM module instead.
Before You Begin
Prerequisites
Ensure you have the following before starting the onboarding process:

1. Microsoft Defender XDR: An active Microsoft Defender XDR deployment in the target tenant
2. Admin Credentials: Global Administrator access to the Microsoft tenant being onboarded
3. Onboarding Link: The ContraForce Onboarding Wizard URL (provided by the ContraForce team)
4. User List: Email addresses of users who need access to ContraForce (optional, can be added later)
Supported Licenses
The XDR module works with the following Microsoft 365 licenses:

| License | Supported | Notes |
|---|---|---|
| Microsoft 365 Business Premium | ✓ | Full XDR capabilities |
| Microsoft 365 E3 | ✓ | Full XDR capabilities |
| Microsoft 365 E5 | ✓ | Full XDR capabilities + advanced features |
| Standalone Defender for Endpoint | ✓ | Endpoint features only |
Capability Matrix
View detailed feature availability by license tier
Module Options
ContraForce offers two deployment modules. Choose based on your security stack:

XDR Module
Microsoft Defender XDR only
- Defender XDR incidents
- Endpoint management
- Identity and email response
- Gamebook actions
XDR + SIEM Module
Defender XDR + Microsoft Sentinel
- Everything in XDR module
- Sentinel incidents
- Advanced threat hunting
- Data connectors
- Custom notifications by severity
Feature Comparison
| Feature | XDR Module | XDR + SIEM Module |
|---|---|---|
| Defender XDR Incidents | ✓ | ✓ |
| Endpoint Management | ✓ | ✓ |
| Gamebook Response Actions | ✓ | ✓ |
| Entity Insights | ✓ | ✓ |
| Sentinel Incidents | — | ✓ |
| Advanced Threat Hunting | — | ✓ |
| Data Connectors | — | ✓ |
| Custom Severity Notifications | — | ✓ |
Onboarding Process
Follow these seven steps to complete the XDR module deployment.

Step 1: Sign into the Onboarding Wizard

- Open the Onboarding Wizard link provided by the ContraForce team
- Click Sign In
- Authenticate with a Global Administrator account from the target tenant
Step 2: Consent Core Enterprise Applications
The first consent step authorizes the foundational ContraForce applications.
Consent ContraForce API
- Click Consent for the ContraForce API
- Review the requested permissions
- Click Accept to grant consent
Consent ContraForce Portal

- Click Consent for the ContraForce Portal
- Review the requested permissions
- Click Accept to grant consent
These two applications (API and Portal) are required for all ContraForce deployments, regardless of module selection.
Step 3: Select the XDR Module

- In the Onboarding Wizard menu, select XDR module
- Review the module description
- Click Consent Microsoft Defender XDR to proceed
Step 4: Consent Microsoft Defender XDR Application
A series of consent windows will appear for the Defender XDR integration.
1. First Consent Window: Grants read access to Defender for Endpoint data
2. Second Consent Window: Grants access to security events and incidents
3. Third Consent Window: Completes the Defender XDR integration

- Review the requested permissions
- Click Accept to proceed
- Wait for the redirect to the next step
Step 5: Add Users (Optional)

- Search by email — Enter the user’s email address
- Select user — Choose from the search results (pulled from Entra ID)
- Assign role — Select the appropriate permission level
| Role | Best For |
|---|---|
| Admin | Team leads, workspace owners |
| Incident Responder | SOC analysts who need response capabilities |
| Incident Analyst | Junior analysts, read-only access |
| Data Source Admin | Integration specialists |
User Roles Reference
View detailed permissions for each role
Adding users is optional during onboarding. You can always add more users later through Settings > User Management.
Step 6: Authorize Gamebook Service Principals
To enable Gamebook response actions, you need to consent additional service principals after the wizard completes.
Navigate to Workspace Settings
- Go to the Workspaces page
- Find your newly onboarded workspace
- Click the gear icon to open settings
Consent Gamebooks for Microsoft Defender XDR

- Scroll to find Gamebooks for Microsoft Defender XDR
- Click Consent
- Complete the Microsoft authentication flow
- Click Accept on the permissions prompt
- Direct Workspace: For workspaces you manage directly, click Consent only.
- Partner/Child Workspace
Additional Service Principals (Optional)
Depending on your needs, consent these additional applications:

| Application | Purpose | When to Consent |
|---|---|---|
| Gamebooks for Identity | User response actions (disable, reset password) | If managing Entra ID identities |
| Microsoft 365 Response | Email response actions (delete email) | If using Defender for Office 365 |
| Azure Response | Azure resource response actions | If responding to Azure-based threats |
Step 7: Onboarding Complete

- Defender XDR incidents begin syncing to ContraForce (may take 15-30 minutes)
- Endpoints appear on the Endpoints page
- Gamebook actions become available for incident response
Post-Onboarding Checklist
After completing the wizard, verify your deployment:

1. Check Incidents: Navigate to the Command Page and verify Defender XDR incidents are appearing
2. Verify Endpoints: Go to the Endpoints page and confirm devices are listed
3. Test Gamebooks: Open an incident and verify Gamebook actions are available
4. Add Team Members: Go to Settings > User Management and add remaining users
5. Configure Notifications: Set up notification preferences for incident alerts
XDR Module Limitations
When using the XDR module (without SIEM), the following features are not available:

| Feature | Status | Alternative |
|---|---|---|
| SIEM Incidents | Not available | Upgrade to XDR + SIEM |
| Sentinel Advanced Threat Hunting | Not available | Upgrade to XDR + SIEM |
| Data Connectors page | Empty | Upgrade to XDR + SIEM |
| Custom severity notifications | Not available | Upgrade to XDR + SIEM |
Notifications
XDR Module Notification Behavior:
- Email notifications are not generated by ContraForce for new Defender XDR incidents
- Email notifications are sent for Gamebook runs
- ContraForce does not interrupt existing Defender notification configurations
Notifications Guide
Learn more about ContraForce notification options
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Consent fails | Insufficient permissions | Verify you’re using a Global Administrator account |
| No incidents appearing | Sync in progress | Wait 15-30 minutes for initial sync |
| No incidents appearing | No incidents in Defender | Verify incidents exist in Microsoft Defender XDR portal |
| Endpoints page empty | MDE consent incomplete | Re-consent the Microsoft Defender XDR application |
| Gamebooks unavailable | Service principal not consented | Consent Gamebooks for Microsoft Defender XDR in workspace settings |
| Partner consent button missing | Not a partner relationship | Only appears for partner/child workspace configurations |
Getting Help
If you encounter issues during onboarding:

- Check consent status in workspace settings
- Verify admin permissions in the target tenant
- Review error messages for specific guidance
- Contact support at [email protected]
Related Documentation
Enterprise Applications
Enterprise Applications Overview
Overview of all ContraForce service principals
Microsoft Defender XDR Application
Detailed permissions reference
Gamebooks for Defender XDR
Endpoint response permissions
Portal Application
Core portal permissions
Next Steps
Incident Management Guide
Learn the incident workflow
Gamebooks
Start using response actions
User Management
Add and manage users
Command Page
Navigate your dashboard
Questions about XDR module onboarding? Contact us at [email protected].