This capability matrix details which ContraForce features are available for Microsoft Defender XDR based on your Microsoft 365 license tier. Use this reference to understand what capabilities you can leverage and what dependencies may apply.
This matrix only covers the Microsoft Defender XDR module capabilities.

Understanding the Matrix

Legend

Symbol   Meaning
✓        Capability fully available
✓(1)     Requires Microsoft Entra ID connection
✓(2)     Requires Microsoft Sentinel connection
✓(3)     Requires Defender for Endpoint Plan 2
✓(4)     Requires Microsoft 365 Exchange license
✗        Not available

License Tiers

Business Premium

Small/medium business license with Defender for Business

Enterprise E3

Enterprise license with Defender for Endpoint P1

Enterprise E5

Full enterprise license with Defender for Endpoint P2

Incident Investigation

Core capabilities for investigating security incidents detected by Microsoft Defender XDR.

Incident Management

Capability                               Business Premium   E3      E5
Bi-directional streaming of incidents    ✓                  ✓       ✓
Fetching incident entities               ✓                  ✓       ✓
Fetching incident evidence (logs)        ✓                  ✓       ✓
Incident alert timelines                 ✓                  ✓       ✓
Incident investigation audit             ✓                  ✓       ✓
All core incident management features are available across all license tiers. ContraForce provides full incident visibility regardless of your Microsoft 365 license.

Entity Enrichment & Triage

Capabilities for enriching entity data and correlating related incidents during investigation.

User Insights

Capability                               Business Premium   E3      E5
Related incident search                  ✓                  ✓       ✓
Sign-in logs                             ✓(1)               ✓(1)    ✓(1)
Audit logs                               ✓(1)               ✓(1)    ✓(1)
Entra ID profile                         ✓(1)               ✓(1)    ✓(1)
(1) User insights require Microsoft Entra ID to be connected to ContraForce. Consent the appropriate enterprise applications during onboarding.

IP Address Insights

Capability                               Business Premium   E3      E5
Sign-in log activity                     ✓(2)               ✓(2)    ✓(2)
Related incidents                        ✓(3)               ✓(3)    ✓
(2) IP sign-in activity requires a Microsoft Sentinel connection (XDR + SIEM module).
(3) Some IP insights require Defender for Endpoint Plan 2 on Business Premium and E3.

Device Insights

Capability                               Business Premium   E3      E5
Device info                              ✓                  ✓       ✓
Device timeline                          ✓(3)               ✓(3)    ✓
Related incidents                        ✓(3)               ✓(3)    ✓
(3) Device timeline and related incidents require Defender for Endpoint Plan 2 add-on for Business Premium and E3 licenses.

Email Insights

Capability                               Business Premium   E3      E5
Related incidents                        ✓                  ✓       ✓
Email info                               ✓(3)               ✓(3)    ✓

File Insights

Capability                               Business Premium   E3      E5
Related incidents                        ✓                  ✓       ✓
File info                                ✓                  ✓       ✓

URL Insights

Capability                               Business Premium   E3      E5
Related incidents                        ✓                  ✓       ✓
URL info                                 ✓(3)               ✓(3)    ✓

Log Search

Advanced hunting and log query capabilities.

Capability                               Business Premium   E3      E5
Log search (Advanced Hunting)            ✓(3)               ✓(3)    ✓
Log search requires Defender for Endpoint Plan 2 for Business Premium and E3 licenses. E5 includes this capability natively.

Endpoint Management

Capabilities for managing and monitoring endpoints through ContraForce.
Capability                               Business Premium   E3      E5
View device list                         ✓                  ✓       ✓
View device info                         ✓                  ✓       ✓
All endpoint visibility features are available across all license tiers. The Endpoints page in ContraForce shows all devices managed by Defender for Endpoint.

Gamebook Response Actions

Automated response capabilities organized by entity type.

Endpoint Actions

Capability                               Business Premium   E3      E5
Isolate endpoint                         ✓                  ✓       ✓
Anti-virus scan of endpoint              ✓                  ✓       ✓
Remove from isolation                    ✓                  ✓       ✓
Endpoint Gamebook actions require the Gamebooks for Microsoft Defender XDR enterprise application to be consented.

File Actions

Capability                               Business Premium   E3      E5
Quarantine file                          ✓                  ✓       ✓

User Actions

Capability                               Business Premium   E3      E5
Invalidate existing sessions             ✓(1)               ✓(1)    ✓(1)
Reset user password                      ✓(1)               ✓(1)    ✓(1)
Lock out user                            ✓(1)               ✓(1)    ✓(1)
Unlock user                              ✓(1)               ✓(1)    ✓(1)
(1) User Gamebook actions require Microsoft Entra ID connection and the Gamebooks for Identity enterprise application.

IP Address Actions

Capability                               Business Premium   E3      E5
Block IP (Azure NSG)                     ✗                  ✗       ✗
IP blocking via Azure Network Security Groups is planned for future release.

Email Actions

Capability                               Business Premium   E3      E5
Soft delete email                        ✓(4)               ✓(4)    ✓(4)
(4) Email actions require a Microsoft 365 Exchange license and the Microsoft 365 Response enterprise application.

Dependencies Reference

Dependency (1): Microsoft Entra ID

Required for: User insights, User Gamebook actions
How to enable:
  1. During onboarding, consent the ContraForce enterprise applications
  2. The Gamebooks for Identity service principal must be consented for user response actions
Enterprise Applications:
  • ContraForce API
  • ContraForce Portal
  • Gamebooks for Identity

Dependency (2): Microsoft Sentinel

Required for: IP sign-in activity
How to enable:
  1. Deploy the XDR + SIEM module instead of XDR-only
  2. Connect your Sentinel workspace during onboarding

See also: Sentinel Onboarding (complete Sentinel onboarding guide)

Dependency (3): Defender for Endpoint Plan 2

Required for: Device timeline, IP/Email/URL detailed insights, Log search
How to enable:
  • E5 licenses include Plan 2 natively
  • Business Premium and E3 require the Defender for Endpoint Plan 2 add-on
License options:
Base License        Add-on Required
Business Premium    Defender for Endpoint Plan 2
Enterprise E3       Defender for Endpoint Plan 2
Enterprise E5       Included (Plan 2 is part of the E5 license)

Dependency (4): Microsoft 365 Exchange

Required for: Email Gamebook actions (soft delete)
How to enable:
  1. Ensure users have Exchange Online licenses
  2. Consent the Microsoft 365 Response enterprise application

See also: M365 Response Application (Microsoft 365 Response enterprise application details)

Complete Capability Summary

By License Tier

Full capabilities:
  • All incident management features
  • Endpoint management (view devices)
  • All endpoint Gamebook actions
  • File quarantine
  • Basic entity insights
With Entra ID:
  • User insights (sign-in, audit, profile)
  • User Gamebook actions
With Exchange:
  • Email soft delete
Requires Plan 2 add-on:
  • Device timeline
  • Advanced log search
  • Detailed IP/Email/URL insights

Quick Reference by Feature Area

Feature Area            Dependencies                              Notes
Incident Management     None                                      Full capability on all licenses
Endpoint Management     None                                      Full capability on all licenses
Endpoint Gamebooks      Gamebooks for Defender XDR                Full capability on all licenses
User Insights           Entra ID (1)                              Same across all licenses
User Gamebooks          Entra ID (1) + Gamebooks for Identity     Same across all licenses
Device Timeline         Plan 2 (3)                                Native on E5
Log Search              Plan 2 (3)                                Native on E5
Email Actions           Exchange (4) + M365 Response              Same across all licenses
IP Sign-in Activity     Sentinel (2)                              Requires XDR + SIEM module

Maximizing Your Capabilities

User insights and user Gamebook actions are essential for identity-based investigations. Ensure you consent all identity-related enterprise applications (ContraForce API, ContraForce Portal, Gamebooks for Identity) during onboarding.
If you frequently need device timelines, advanced hunting, or detailed IP/Email/URL entity insights on Business Premium or E3, the Defender for Endpoint Plan 2 add-on is worth the investment; E5 already includes it.
The XDR + SIEM module adds Sentinel incidents, advanced threat hunting, CMS, and IP sign-in insights. Consider upgrading if you already use Sentinel.

Questions about capabilities or licensing? Contact us at [email protected].