A focused verification runbook to run after a customer admin completes the Setup Wizard. Use it to confirm every part of the deployment is healthy before declaring the workspace go-live.Documentation Index
Fetch the complete documentation index at: https://docs.contraforce.com/llms.txt
Use this file to discover all available pages before exploring further.
Who is this for?Service-provider operations and onboarding leads verifying a freshly onboarded customer workspace.
Part 1: MSP Platform Onboarding
Pre-onboard the customer workspace
Part 2: Customer Workspace Onboarding
What the customer admin sees on their side
Core Verification
Run these checks first. Any failure here blocks go-live.- The customer workspace shows Active status (not Pending customer setup) in your Workspace Center
- You received the Customer onboarding complete real-time notification in the portal
- Open the customer’s workspace and confirm every pre-selected module shows Connected
- Navigate to the Command Dashboard filtered to the customer workspace and verify incidents appear (allow 5 to 15 minutes for initial sync)
- Open an incident and confirm the Workbench loads with entity context and timeline
- Verify Gamebook response actions appear on incident entities (do not execute on production entities)
Sentinel-Specific Verification
Skip this section if the customer is on Defender-only.- Sentinel incidents are syncing alongside Defender for Endpoint incidents
- Azure Lighthouse delegation completed successfully in the customer’s subscription
- Supporting Azure infrastructure deployed by Sentinel consent shows Active
- Navigate to Content Management System (CMS) and verify the detection rule library is accessible
- Log search is functional
Sentinel Azure infrastructure is provisioned in the background after the customer grants Sentinel consent. If verification fails, allow 5 to 10 extra minutes for the deployment to complete before retrying.
If Something Fails
| Symptom | Likely cause | Where to look |
|---|---|---|
| Workspace stuck in Pending customer setup | Customer hasn’t finished the wizard | Resend the invite or contact the POC |
| Module shows Not Connected in the customer’s view | Consent skipped or denied | Customer can re-open the picker from their Get Started checklist (Re-opening pickers) |
| No incidents appearing after 30 minutes | No active incidents in source system | Check Defender, Sentinel, or CrowdStrike console for existing incidents |
| Sentinel infrastructure didn’t deploy | Insufficient Azure permissions | Verify customer admin has Subscription Owner |
| Gamebook actions unavailable on entities | Response module not connected | Customer reconnects the response module from their Modules tab |
After Verification Passes
Two follow-ups close out the onboarding.Assign your team to the workspace
Use organization-level groups rather than individual users so future onboardings are consistent.| Role | Best for |
|---|---|
| Admin | Team leads, workspace owners |
| Incident Responder | SOC analysts who need response capabilities |
| Incident Analyst | Junior analysts, read-only access |
| Data Source Admin | Integration specialists |
| Content Admin | Detection engineers (Sentinel only) |
User & Group Management
Detailed user and group setup, including organization-level groups
Configure notifications (Sentinel only)
Notifications Configuration
Severity filters, distribution group setup, and test notification verification
Go-Live Communication
- Notify the customer that ContraForce is live on their environment
- Share relevant documentation links with the customer team
- Confirm the customer knows how to reach your delivery team
- Document any customer-specific configuration notes or permission exceptions
- Schedule a follow-up check-in within 7 days to review initial incident volume and rule tuning
Need help? Contact us at support@contraforce.com.