Module Requirement: Full notification customization is available with the XDR + SIEM module. The XDR-only module has limited notification capabilities (Gamebook notifications only).
Notification Capabilities by Module
| Feature | XDR Module | XDR + SIEM Module |
|---|---|---|
| Sentinel incident notifications | — | ✓ |
| Severity-based filtering | — | ✓ |
| Per-workspace customization | — | ✓ |
| Gamebook completion notifications | ✓ | ✓ |
| Distribution group support | — | ✓ |
SIEM Notification Overview
With the XDR + SIEM module, you can:
- Filter by Severity: choose which incident severities trigger notifications (High, Medium, Low, or Informational)
- Configure Per Workspace: set different notification preferences for each customer workspace
- Use Distribution Groups: route notifications to shared mailboxes or team distribution lists
- Direct Portal Access: one-click access to incidents directly from notification emails
Configuring Notification Settings
Accessing Settings
Direct link: portal.contraforce.com/settings/notifications
Notification Settings Interface

| Element | Description |
|---|---|
| Workspace Selector | Choose which workspace to configure |
| Severity Toggles | Enable/disable notifications per severity level |
| Recipient Display | Shows current notification recipients |
| Save Button | Apply changes to the selected workspace |
Severity-Based Filtering
Customize which severity levels generate email notifications for each workspace.
Default Behavior
By default, notifications are enabled for all severity levels when a workspace is onboarded:
- ✅ High severity — Enabled
- ✅ Medium severity — Enabled
- ✅ Low severity — Enabled
- ✅ Informational — Enabled
Configuring Severities

Severity Level Guidance
High
High severity incidents indicate active threats requiring immediate response. Examples:
- Active malware execution
- Credential theft detected
- Ransomware activity
- Privilege escalation attacks
Per-Workspace Configuration
MSSPs managing multiple customers can configure different notification settings for each workspace.
Use Cases
| Scenario | Configuration |
|---|---|
| Premium SLA customer | All severities enabled |
| Standard SLA customer | High and Medium only |
| Development/test workspace | High only or disabled |
| Compliance-focused customer | All severities including Informational |
Configuring Multiple Workspaces
Email Notification Details
Sender Address
All ContraForce notifications are sent from one fixed sender address.
Add this address to your email allowlist and to your customers' allowlists so notifications aren't blocked or quarantined by spam filters.
Email Content
Each incident notification email includes:
| Field | Description |
|---|---|
| Subject Line | Incident title with severity indicator |
| Incident ID | Unique identifier for tracking |
| Severity | High, Medium, Low, or Informational |
| Description | Summary of the security event |
| MITRE Tactics | Associated ATT&CK techniques |
| Entities | Affected users, devices, IPs, etc. |
| View Incident Button | Direct link to the incident in ContraForce |
Example Email

Distribution Group Notifications
Route notifications to a team distribution list instead of individual users for better team visibility.
Benefits
- Team Visibility: the entire SOC team sees all alerts in a shared inbox
- No Missed Alerts: alerts aren't missed when individuals are unavailable
- On-Call Routing: route to on-call rotation distribution groups
- Ticketing Integration: use email-to-ticket systems for automatic tracking
Setting Up Distribution Groups
Distribution group notifications require setup assistance from ContraForce:
1. Identify the email address. Determine the distribution group email address (e.g., [email protected]).
2. Contact Support. For existing workspaces, email [email protected].
Distribution group changes require ContraForce support assistance. Self-service distribution group configuration is planned for a future release.
Common Distribution Group Patterns
| Pattern | Email Example | Use Case |
|---|---|---|
| SOC Team Inbox | [email protected] | Shared visibility for all analysts |
| Customer-Specific | [email protected] | Dedicated inbox per customer |
| On-Call Rotation | [email protected] | Routes to current on-call analyst |
| Ticketing System | [email protected] | Auto-creates tickets in ITSM |
Gamebook Notifications
Gamebook notifications are available for all modules (XDR and XDR + SIEM).
Gamebook Notification Events
| Event | Notification Sent |
|---|---|
| Gamebook completed successfully | ✓ |
| Gamebook execution failed | ✓ |
| Gamebook requires approval | ✓ |
| Gamebook approved/rejected | ✓ |
Gamebook Email Content
- Gamebook name and type
- Target incident details
- Actions executed
- Execution status (Success/Failed/Pending)
- Workspace name
- Link to view details
Integration with External Tools
Email-to-Ticket Integration
Route notifications to ITSM platforms that support email-based ticket creation:
| Platform | Setup Method |
|---|---|
| ServiceNow | Configure inbound email actions |
| Jira Service Management | Use email request channel |
| Autotask | Set up email-to-ticket rules |
| ConnectWise | Configure email connector |
| Zendesk | Use support email address |
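Before an email-to-ticket or chat integration acts on a notification, the receiving side should check that the message really is one of these notifications and that the "View Incident" link points at the ContraForce portal. A one-click link in a predictable alert email is exactly what a phishing lookalike imitates, and an analyst under time pressure will click it. The script below is an added example for this page, not ContraForce code: it parses a notification using the fields listed in the Email Content table, verifies the sender address and the link host, and then applies a per-workspace severity policy to decide between paging, ticketing, dropping or quarantining. The plain-text layout, the sender address `notifications@example.invalid`, the workspace names and both sample messages are constructed assumptions; the real template is not published here.

```python
"""Receive-side handling of a ContraForce-style incident notification e-mail.

Added example for this page, not ContraForce code. The page documents which
fields a notification carries (subject with severity, incident ID, severity,
description, MITRE tactics, entities, View Incident link) but not the exact
template, so the plain-text layout, the sender address and the workspace
names below are assumptions made for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PORTAL_HOST = "portal.contraforce.com"             # host of the settings link on this page
EXPECTED_SENDER = "notifications@example.invalid"  # ASSUMPTION: stand-in for the real sender
SEVERITIES = ("High", "Medium", "Low", "Informational")

# Severities the SOC actions per workspace; mirrors the SLA patterns described on
# this page. ASSUMPTION: the workspace names are invented for the example.
WORKSPACE_POLICY = {
    "contoso-prod": {"High", "Medium", "Low", "Informational"},  # premium SLA
    "fabrikam-std": {"High", "Medium"},                          # standard SLA
    "dev-sandbox": {"High"},                                     # test workspace
}

# Constructed sample message (not real ContraForce output).
GENUINE = """\
From: ContraForce <notifications@example.invalid>
To: soc@mssp.example
Subject: [High] Credential dumping attempts on FILESRV01
Content-Type: text/plain; charset=utf-8

Workspace: contoso-prod
Incident ID: 4821
Severity: High
Description: Repeated LSASS memory access by an unsigned process.
MITRE Tactics: Credential Access
Entities: jdoe@contoso.example, FILESRV01, 10.0.4.17
View Incident: https://portal.contraforce.com/incidents/4821
"""

# Same shape, but the display name hides a different sender address and the
# link goes to a lookalike host. Analysts who click straight through are the target.
LOOKALIKE = GENUINE.replace(
    "<notifications@example.invalid>", "<alerts@contraforce-support.example>"
).replace(
    "https://portal.contraforce.com/", "https://portal.contraforce.com.evil.example/"
)

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


def parse_notification(raw: str) -> dict:
    """Return the body's 'Key: value' fields plus the From address and Subject."""
    msg = message_from_string(raw)
    fields = {}
    for line in msg.get_payload().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    # Keep only the address part; the display name is attacker-controlled text.
    fields["From"] = parseaddr(msg["From"])[1].lower()
    fields["Subject"] = msg["Subject"]
    return fields


def sender_ok(fields: dict) -> bool:
    return fields.get("From") == EXPECTED_SENDER


def link_ok(fields: dict) -> bool:
    """The View Incident link must be https and point exactly at the portal host.
    Comparing urlparse().hostname also defeats 'https://portal.contraforce.com@evil.example/'."""
    p = urlparse(fields.get("View Incident", ""))
    return p.scheme == "https" and p.hostname == PORTAL_HOST


def route(fields: dict) -> str:
    """Decide where a notification goes: 'oncall', 'ticket', 'drop' or 'quarantine'."""
    if not (sender_ok(fields) and link_ok(fields)):
        return "quarantine"      # never auto-ticket or page on an unverified message
    severity = fields.get("Severity")
    if severity not in SEVERITIES:
        return "quarantine"      # malformed; a human should look at it
    wanted = WORKSPACE_POLICY.get(fields.get("Workspace"), {"High"})  # unknown workspace: High only
    if severity not in wanted:
        return "drop"
    return "oncall" if severity == "High" else "ticket"


if __name__ == "__main__":
    for raw in (GENUINE, LOOKALIKE):
        f = parse_notification(raw)
        print(f["Subject"], "->", route(f))
```

The sender check here compares only the `From` address; in a real mail pipeline, read the receiving MTA's `Authentication-Results` header (SPF, DKIM, DMARC) as well, since `From` alone is trivially forged. The per-workspace policy duplicates filtering that ContraForce already performs at the source; keeping a copy on the receiving side means a misconfigured workspace cannot silently flood the on-call queue.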
ServiceNow Integration
For tighter integration than email-based ticket creation, use our native ServiceNow connector.
Microsoft Teams / Slack
For real-time chat notifications:
Best Practices
Start conservative, then expand
Begin with High severity only, monitor for a week, then gradually enable Medium and Low based on team capacity and incident quality.
Match notifications to SLAs
Configure severity settings to match your SLA with each customer. Premium customers might get all severities; standard customers might only get High and Medium.
Use distribution groups for team visibility
Individual email notifications risk being missed. Distribution groups ensure the entire team has visibility into alerts.
Integrate with ticketing for tracking
Route notifications to your ITSM for automatic ticket creation, SLA tracking, and audit trails.
Allowlist the sender address
Add [email protected] to email allowlists for your organization and your customers.
Review and tune periodically
Review notification settings monthly. If a severity level generates too much noise, consider disabling it while you tune the detection rules behind it.
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Not receiving notifications | Spam filter blocking | Add sender to allowlist |
| Not receiving notifications | Wrong module deployed | Verify XDR + SIEM module is active |
| Not receiving notifications | Severity disabled | Check notification settings |
| Not receiving notifications | Distribution group issue | Contact support to verify configuration |
| Too many notifications | All severities enabled | Disable Informational and Low |
| Delayed notifications | Email server delays | Check your mail server; ContraForce sends in near real-time |
| Missing workspaces | Permissions issue | Verify you have admin access to the workspace |
Testing Notifications
To verify notifications are working:
Frequently Asked Questions
What email address sends notifications?
All notifications are sent from [email protected].
Can I get notifications for Defender XDR incidents?
No, ContraForce does not send notifications for Defender XDR incidents. Use Microsoft Defender’s built-in notification settings. ContraForce notifications are for Sentinel incidents (XDR + SIEM module) and Gamebook activity.
How do I add a distribution group?
Contact [email protected] with the email address. The ContraForce Engineering team will configure it for your account.
Can I customize the email template?
Email templates are standardized and cannot be customized. For custom formatting, route emails to a ticketing system that can transform them.
Is there a notification delay?
Notifications are sent in near real-time when Sentinel incidents are processed. Typical delay is under 5 minutes from incident creation.
Can different users get different notifications?
Currently, notifications are configured at the workspace level, not per-user. All recipients for a workspace receive the same notifications based on severity settings.
Can I get SMS or push notifications?
ContraForce currently supports email only. For SMS or push, route email notifications to PagerDuty, Opsgenie, or similar services.
Related Guides
Module Overview
XDR vs XDR + SIEM module comparison
Sentinel Onboarding
Deploy the XDR + SIEM module
Incident Management
Handling incidents from notifications
Gamebooks
Automated response actions
Questions about notifications? Contact us at [email protected].