Notification capabilities vary by module. The XDR + SIEM module offers full customization, while the XDR-only module has limited notification options.
Notification Overview
Incident Alerts
Get notified when new security incidents are detected
Gamebook Activity
Receive updates when Gamebook actions complete
Severity Filtering
Choose which severity levels trigger notifications
Notification Capabilities by Module
Notification features depend on which ContraForce module you’ve deployed:

| Feature | XDR Module | XDR + SIEM Module |
|---|---|---|
| Sentinel incident notifications | — | ✓ |
| Defender XDR incident notifications | — | — |
| Gamebook completion notifications | ✓ | ✓ |
| Severity-based filtering | — | ✓ |
| Per-workspace customization | — | ✓ |
| Distribution group support | — | ✓ |
Email Notification Details
Sender Address
All ContraForce notifications are sent from:
Add this address to your email allowlist to ensure notifications aren’t blocked by spam filters.
Email Content
Incident notification emails include:

| Field | Description |
|---|---|
| Title | Incident name/description |
| Description | Summary of the security event |
| Severity | High, Medium, Low, or Informational |
| Incident ID | Unique identifier for tracking |
| MITRE Tactics | Associated attack techniques |
| Entities | Affected users, devices, IPs, etc. |
| View Incident Button | Direct link to open the incident in ContraForce |

Configuring Notifications
Accessing Notification Settings
1. Open Settings: Click Settings in the navigation menu
2. Select Notifications: Click the Notifications tab
3. Configure Preferences: Adjust settings by workspace and severity
Severity-Based Filtering
For XDR + SIEM deployments, you can customize which severity levels trigger notifications:
- High
- Medium
- Low
- Informational
High severity incidents typically indicate active threats requiring immediate response.
Recommendation: Always enable
Per-Workspace Configuration
Configure different notification preferences for each customer workspace:
- Navigate to Settings > Notifications
- Select the Workspace you want to configure
- Enable or disable severity levels for that workspace
- Save changes
Distribution Group Notifications
Send notifications to a team distribution list instead of individual users.
Use Cases
SOC Team Inbox
Route all alerts to a shared SOC mailbox for team visibility
On-Call Rotation
Send to a distribution group that routes to the current on-call analyst
Ticketing Integration
Route to an email address that auto-creates tickets in your ITSM
Customer Notifications
Keep customers informed by CCing their security team
Setting Up Distribution Groups
Distribution group notifications require setup assistance from the ContraForce team:
1. Identify Email Address: Determine the distribution group email address you want to use
2. Contact ContraForce: Provide the email address during onboarding or contact [email protected]
3. Engineering Setup: The ContraForce Engineering team configures the distribution group
4. Verify: Test that notifications are reaching the distribution group
Distribution group setup is typically completed during onboarding. If you need to add or change distribution groups later, contact support.
Gamebook Notifications
Gamebook notifications are available for all modules (XDR and XDR + SIEM).
When You’ll Receive Notifications
| Event | Notification Sent |
|---|---|
| Gamebook execution started | — |
| Gamebook completed successfully | ✓ |
| Gamebook failed | ✓ |
| Gamebook requires approval | ✓ |
| Gamebook approved | ✓ |
Gamebook Email Content
Gamebook notifications include:
- Gamebook name
- Target incident
- Actions executed
- Execution status (Success/Failed)
- Workspace name
- Link to view details
Notification Best Practices
Start with High severity only
Begin with High severity notifications enabled for all workspaces. Add Medium and Low severities gradually based on team capacity to avoid alert fatigue.
Use distribution groups for team visibility
Route notifications to a shared mailbox so the entire SOC team has visibility. This prevents missed alerts when individuals are unavailable.
Create email rules for organization
Set up email folder rules to automatically categorize ContraForce notifications by workspace or severity for easier triage.
Integrate with ticketing systems
Route notifications to an email address that creates tickets in your ITSM (ServiceNow, Jira, etc.) for automatic tracking and SLA management.
Review and adjust periodically
Regularly review notification settings. If you’re experiencing alert fatigue, consider disabling lower severity levels or refining detection rules.
Allowlist the sender address
Add [email protected] to your email allowlist to prevent notifications from being caught by spam filters.
Integrating Notifications with Other Tools
Email-to-Ticket Integration
Many ITSM platforms support email-based ticket creation:

| Platform | Method |
|---|---|
| ServiceNow | Configure inbound email actions |
| Jira Service Management | Use email request channel |
| Autotask | Set up email-to-ticket rules |
| ConnectWise | Configure email connector |
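
An added example, not ContraForce code: an intake check that an email-to-ticket mailbox could run before turning a notification into a ticket, so that only mail your own server authenticated as coming from the allowlisted sender creates tickets. The sender address, the authserv-id and the "Field: value" body layout are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions: the page elides the real sender address, so this is a placeholder,
# and TRUSTED_AUTHSERV stands for your own receiving mail server's authserv-id.
EXPECTED_SENDER = "notifications@vendor.example"
TRUSTED_AUTHSERV = "mx.corp.example"
SEVERITIES = ("High", "Medium", "Low", "Informational")  # levels listed on this page

def dmarc_pass(msg):
    """True if our own MTA recorded dmarc=pass for the expected sender domain."""
    domain = EXPECTED_SENDER.split("@")[1]
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not stamped by our server, so the sender could have written it
        m = re.search(r"\bdmarc=pass\b[^;]*\bheader\.from=([\w.-]+)", results, re.I)
        if m and m.group(1).lower() == domain:
            return True
    return False

def triage(raw):
    """Decide what the ticket intake should do with one notification email."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != EXPECTED_SENDER or not dmarc_pass(msg):
        return {"action": "quarantine", "reason": "sender not authenticated"}
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Assumed "Field: value" body layout; the page lists the fields, not the format.
    fields = dict(re.findall(r"^(Severity|Incident ID):[ \t]*(.+)$", body, re.M))
    severity = fields.get("Severity", "").strip()
    if severity not in SEVERITIES or "Incident ID" not in fields:
        return {"action": "manual_review", "reason": "unexpected format"}
    return {"action": "ticket", "severity": severity,
            "incident_id": fields["Incident ID"].strip(),
            "priority": SEVERITIES.index(severity) + 1}

def sample(auth_results, severity="High"):
    """Constructed sample message for the demo below."""
    return (f"From: ContraForce <{EXPECTED_SENDER}>\n"
            f"Authentication-Results: {auth_results}\n"
            "Subject: New incident\nContent-Type: text/plain\n\n"
            f"Title: Suspicious sign-in\nSeverity: {severity}\nIncident ID: 12345\n")

if __name__ == "__main__":
    print(triage(sample("mx.corp.example; dmarc=pass header.from=vendor.example")))
    print(triage(sample("mx.corp.example; dmarc=fail header.from=vendor.example")))
```

The check depends on your receiving server removing any inbound Authentication-Results header that already carries its own authserv-id, as RFC 8601 requires of border mail servers.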
Microsoft Teams / Slack
For real-time team notifications:
- Create an email-enabled channel in Teams or Slack
- Use that email address as a distribution group in ContraForce
- Notifications appear directly in your chat platform
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Not receiving notifications | Spam filter blocking | Add sender to allowlist |
| Not receiving notifications | Wrong module deployed | Verify you have XDR + SIEM module |
| Not receiving notifications | Severity disabled | Check notification settings |
| Missing workspaces in settings | Permissions issue | Verify you have admin access |
| Distribution group not working | Not configured | Contact ContraForce support |
| Too many notifications | All severities enabled | Disable Informational and Low |
Testing Notifications
To verify notifications are working:
- Ensure notification settings are enabled for the workspace
- Wait for a new incident to be detected (or ask ContraForce to send a test)
- Check your inbox (including spam/junk folders)
- Verify the email contains expected content
Frequently Asked Questions
What email address sends ContraForce notifications?
All notifications are sent from [email protected]
Can I get notifications for Defender XDR incidents?
ContraForce does not send email notifications for Defender XDR incidents directly. Use Microsoft Defender’s built-in notification settings for those alerts. ContraForce sends notifications for Sentinel incidents (XDR + SIEM module) and Gamebook activity (all modules).
How do I add a distribution group?
Contact [email protected] with the email address you want to use. The ContraForce Engineering team will configure it for your account.
Can I customize the email template?
Email templates are standardized and cannot be customized. For custom notification formatting, consider routing emails to a ticketing system that can reformat them.
Is there a notification delay?
Notifications are sent in near real-time when incidents are detected and processed by ContraForce. Typical delay is under 5 minutes.
Can I get SMS or push notifications?
ContraForce currently supports email notifications only. For SMS or push, route email notifications to a service like PagerDuty or Opsgenie.
Related Guides
Capabilities Matrix
Full feature comparison by integration
Module Overview
XDR vs XDR + SIEM modules
ServiceNow Integration
Native ticketing integration
Jira Integration
Connect Jira for ticket creation
Questions about notifications? Contact us at [email protected].