
ContraForce integrates with CrowdStrike Falcon to bring detections, cases, and automated leads into the unified Command Dashboard, and to power Gamebook response actions on Falcon-managed devices. The integration is split across two CrowdStrike API clients — one for ingestion, one for response — so each client carries only the scopes it needs.
This page describes what the integration does and what the tier you pick on the configuration page unlocks. For the step-by-step setup, see CrowdStrike Falcon Detection and Response Modules.

What the Integration Does

Ingestion

Polls CrowdStrike’s unified Alerts API + Cases API on a continuous loop and surfaces new items in the Command Dashboard as ContraForce incidents.

Investigation

Hydrates the alert with process tree, events timeline, device, and identity context drawn from CrowdStrike NG-SIEM and the alert payload itself.

Status round-trip

Status changes you make in ContraForce (New → In Progress → Closed) PATCH back to CrowdStrike via the Alerts and Cases APIs.

Owner assignment (audit-only)

Assigning a CrowdStrike incident in ContraForce records the owner in the ContraForce audit log. The assignment does not flow to CrowdStrike — see the callout below.

Response actions

Powers the Contain, Lift Containment, and On-Demand Scan Gamebooks on Falcon-managed devices via the Response API client.

Agents on queue

Triggers Security Delivery Agents on every CrowdStrike incident that lands in the unified pipeline.
Why owner assignment is audit-only. In MSSP topologies the ContraForce user (Entra UPN) frequently has no matching principal in the customer’s CrowdStrike tenant, so pushing the assignment to Falcon either fails or assigns to the wrong account. Recording the assignment locally lets every ContraForce user who can see the incident see the assigned owner without requiring a vendor-side identity match. The list view and the incident detail both hydrate the owner from the audit log on read.

Tier Selection — What You Pick on the Configuration Page

When you configure the Detection module in ContraForce, you pick which Falcon tier the customer is licensed for. The tier you declare is the source of truth for everything tier-driven downstream — the incidents table shape, the “Incidents Detected” metric, gamebook auto-run triggers, agents on queue, and which Entity Insights surfaces are available. There are three options:
For tenants on Falcon Insight (EDR) only. Cases workbench is not available on this tier; automated leads aren’t either.

| Behaviour | What you get |
| --- | --- |
| Incidents table shape | Each Falcon detection becomes its own row in the incidents table |
| Cases / automated leads | Not surfaced (don’t exist on this tier) |
| Process Tree | Falls back to the alert payload’s 3-level lineage (no NG-SIEM ancestor walk) |
| Events Timeline | Falls back to the detection alerts on the device itself (no LogScale events) |
| Agents on queue / gamebook auto-run | Trigger on every detection |
| “Incidents Detected” metric | Counts every detection ingested |
Picking the wrong tier on the configuration page doesn’t just hide UI surfaces — it changes what gets ingested. An EDR-licensed tenant configured as NG-SIEM will look empty (no cases / automated leads exist on EDR); an NG-SIEM-licensed tenant configured as EDR will surface every detection as its own row instead of the cleaner case-grouped view. The tier you declare must match the customer’s actual Falcon SKU.

How Tier Drives the Pipeline

The tier selection is the single gate at the ingestion layer. Every downstream consumer reads from the same unified incident pipeline, so the choice propagates consistently:
| Stage | Behaviour by tier |
| --- | --- |
| Poller (continuous) | Filters the alerts pulled from CrowdStrike to match the per-tier ingestion set before queuing them to the unified pipeline |
| Interactive incidents-table query | Same per-tier filter, so what you see on a refresh matches what was queued |
| IncidentDetected audit / metric | Written once per incident that enters the pipeline; the tier choice determines what an “incident” is |
| Gamebook auto-run subscriber | Triggered from the same pipeline; sees only incidents that match the tier’s ingestion shape |
| Agents on queue | Same — agents trigger on the same set the pipeline emits |
There is no per-stage tier check downstream; the tier is enforced once at the poller and the result flows everywhere.

Verification Panel

After you click Test Connection on the configuration page, ContraForce runs a live probe of the API client and renders a verification panel below the form. The panel doesn’t override your tier choice — it confirms the claim against what’s actually present on the API client:
| Indicator | Meaning |
| --- | --- |
| ✓ on Cases workbench | The Cases endpoint returned data; XDR and NG-SIEM tiers will populate cases as incident rows |
| ✗ on Cases workbench | Cases endpoint returned no data; add Cases: Read + Write to the API client and confirm the tenant has the workbench enabled |
| ✓ on NG-SIEM | NG-SIEM is reachable; if the tenant has retention metadata, the panel shows the approximate base_sensor retention horizon |
| ✗ on NG-SIEM (NG-SIEM tier picked) | Add NGSIEM: Read + Write to the API client and confirm the tenant has the NG-SIEM SKU before saving |
| ℹ︎ on NG-SIEM (EDR / XDR tier picked) | NG-SIEM is reachable on this client but the declared tier doesn’t use it; pick the NG-SIEM tier to unlock the Process Tree ancestor walk and Events Timeline |
The verification panel is informational — you can save with a missing-required indicator, but the corresponding feature won’t work until you add the scope and re-test.
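The indicator table above is a decision table over two inputs: the tier you declared and what the probe actually found on the API client. The following is an added illustration, not ContraForce code; the `ProbeResult` shape, the `Tier` enum and the fallback cell for "NG-SIEM unreachable on an EDR / XDR tier" (which the page does not define) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Tier(Enum):
    EDR = "edr"        # Falcon Insight only
    XDR = "xdr"
    NGSIEM = "ngsiem"


@dataclass(frozen=True)
class ProbeResult:
    """Constructed stand-in for what Test Connection learns from the API client (assumption)."""
    cases_returned_data: bool
    ngsiem_reachable: bool
    base_sensor_retention_days: Optional[int] = None  # from repos-metadata, when the tenant has it


def cases_indicator(probe: ProbeResult) -> Tuple[str, str]:
    if probe.cases_returned_data:
        return "✓", "Cases endpoint returned data; XDR and NG-SIEM tiers populate cases as incident rows"
    return "✗", "add Cases: Read + Write to the API client and confirm the tenant has the workbench enabled"


def ngsiem_indicator(tier: Tier, probe: ProbeResult) -> Tuple[str, str]:
    if probe.ngsiem_reachable and tier is Tier.NGSIEM:
        days = probe.base_sensor_retention_days
        horizon = f"; base_sensor retention ~{days} days" if days is not None else ""
        return "✓", "NG-SIEM is reachable" + horizon
    if probe.ngsiem_reachable:
        return "ℹ︎", "NG-SIEM reachable but the declared tier does not use it; pick NG-SIEM to unlock the ancestor walk and Events Timeline"
    if tier is Tier.NGSIEM:
        return "✗", "add NGSIEM: Read + Write to the API client and confirm the NG-SIEM SKU before saving"
    # Assumption: the page does not define this cell; NG-SIEM is simply not required for EDR / XDR.
    return "-", "NG-SIEM not used by the declared tier"


def missing_required(tier: Tier, probe: ProbeResult) -> List[str]:
    """Indicators the declared tier depends on. The panel is informational, so this never
    blocks saving; it names the features that will not work until the scope is added and re-tested."""
    missing: List[str] = []
    if tier in (Tier.XDR, Tier.NGSIEM) and not probe.cases_returned_data:
        missing.append("Cases workbench")
    if tier is Tier.NGSIEM and not probe.ngsiem_reachable:
        missing.append("NG-SIEM")
    return missing
```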

CrowdStrike Data Retention — How It Affects the Platform

The data ContraForce surfaces from CrowdStrike is bounded by Falcon’s own retention policy. The Falcon console may have access to additional historical data that ContraForce doesn’t query.

Where retention shows up in the platform

| Surface | What’s bounded | By what |
| --- | --- | --- |
| Detection Events Timeline (NG-SIEM tier) | The events shown for a detection | The base_sensor repository’s retention horizon on your Falcon NG-SIEM SKU. ContraForce reads this from the NG-SIEM repos-metadata endpoint at Test Connection / Save and persists it on the workspace; the Detection Events Timeline only queries within that window. |
| Process Tree ancestors (NG-SIEM tier) | How far back the ancestor walk reaches | Same base_sensor retention. Ancestor processes that started before the retention window are missing from the tree. The Falcon console can sometimes show ancestors beyond this because it has access to repositories ContraForce doesn’t query. |
| Detection / case visibility | The earliest incident you can investigate in ContraForce | CrowdStrike’s standard alert / case retention. Items older than that no longer come back from the Alerts / Cases APIs at all. |
| Module configuration page | How fresh the verification panel’s NG-SIEM retention number is | The probe runs on Test Connection / Save. If retention has changed since you last saved, the displayed number may be stale until the next save. |

What this means in practice

The Detection Events Timeline and Process Tree are subsets, not the full Falcon view. ContraForce surfaces a banner above both surfaces on CrowdStrike incidents to remind you that the data shown is bounded by your tenant’s NG-SIEM retention policy. If you need data beyond the retention window — older ancestors in the process tree, older events in the timeline — you must query the Falcon console directly.
| Symptom you might see | Likely cause |
| --- | --- |
| Process tree stops at a process you’d expect to have a parent | Parent process started before the base_sensor retention horizon |
| Events Timeline shows fewer events than the Falcon console for the same detection | Detection’s process lifetime spans events older than the NG-SIEM retention window |
| Detection Events Timeline is empty on the NG-SIEM tier | Either NG-SIEM scope is missing on the API client, or the tenant’s retention is shorter than the alert’s process lifetime; the verification panel and the saved retention horizon will tell you which |
| Older incidents from a few months ago aren’t accessible | The CrowdStrike Alerts / Cases retention has expired for those records on the tenant side |
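The first three symptoms all come from the same clamp: the ancestor walk and the timeline query stop at the base_sensor retention horizon. The model below is an added example, not ContraForce’s implementation; the `Process` record, the horizon arithmetic and the sample lineage are constructed to show how a tree gets cut short and how a timeline ends up partial or empty.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    parent_pid: Optional[int]   # None marks the root of the lineage
    started: datetime


def retention_horizon(now: datetime, retention_days: int) -> datetime:
    """Earliest timestamp still held in base_sensor (constructed approximation of the SKU's window)."""
    return now - timedelta(days=retention_days)


def walk_ancestors(lineage: Dict[int, Process], leaf_pid: int, horizon: datetime) -> Tuple[List[int], bool]:
    """Simulate the NG-SIEM ancestor walk: climb from the detection's process toward the root.
    Returns (visible pids, truncated). truncated=True is the "tree stops early" symptom: a parent
    exists on the tenant, but it started before the horizon, so the walk cannot see it."""
    chain: List[int] = []
    cur = lineage.get(leaf_pid)
    while cur is not None and cur.started >= horizon:
        chain.append(cur.pid)
        if cur.parent_pid is None:
            return chain, False              # reached the real root: the tree is complete
        cur = lineage.get(cur.parent_pid)
    return chain, True                       # parent predates retention (or is unknown)


def timeline_window(first_event: datetime, last_event: datetime, horizon: datetime) -> Optional[Tuple[datetime, datetime]]:
    """Clamp the Detection Events Timeline query to the retention window. A clipped start means
    fewer events than the Falcon console; None means the whole lifetime predates retention (empty timeline)."""
    if last_event < horizon:
        return None
    return max(first_event, horizon), last_event


# Constructed sample lineage (what the tenant actually has): shell(1) -> interpreter(2) -> flagged child(3)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    1: Process(1, None, NOW - timedelta(days=40)),   # long-lived root, older than a 30-day window
    2: Process(2, 1, NOW - timedelta(days=2)),
    3: Process(3, 2, NOW - timedelta(hours=1)),
}
```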

Tuning the retention horizon

ContraForce does not control your CrowdStrike retention — it’s set by the customer’s NG-SIEM SKU. To change it:
  1. Open the Falcon console
  2. Navigate to Next-Gen SIEM → Configuration → Settings → Data ingest (path may vary by tenant)
  3. Adjust the retention policy on the base_sensor repository according to your subscription terms
  4. After the change takes effect, run Test Connection on the ContraForce configuration page so the new horizon persists on the workspace

How the Pieces Fit Together

The Detection API client carries the scopes for everything in the top half (ingestion + investigation + status writeback); the Response API client carries the scopes for the Hosts / ODS gamebook actions in the bottom half.

Related pages

CrowdStrike Falcon Detection and Response Modules: step-by-step setup with per-tier scope requirements

What are Gamebooks?: how Gamebook response actions work

Entity Insights: investigation context for an incident’s entities

Roles and Permissions: detailed role reference for ContraForce users

Questions about the CrowdStrike Falcon integration? Contact us at support@contraforce.com.