Module Requirement: Full notification customization is available with the XDR + SIEM module. The XDR-only module has limited notification capabilities (Gamebook notifications only).
Notification Capabilities by Module
| Feature | XDR Module | XDR + SIEM Module |
|---|---|---|
| Sentinel incident notifications | — | ✓ |
| Severity-based filtering | — | ✓ |
| Per-workspace customization | — | ✓ |
| Gamebook completion notifications | ✓ | ✓ |
| Distribution group support | — | ✓ |
SIEM Notification Overview
With the XDR + SIEM module, you can:Filter by Severity
Choose which incident severities trigger notifications—High, Medium, Low, or Informational
Configure Per Workspace
Set different notification preferences for each customer workspace
Use Distribution Groups
Route notifications to shared mailboxes or team distribution lists
Direct Portal Access
One-click access to incidents directly from notification emails
Configuring Notification Settings
Accessing Settings
1
Open Settings
Click Settings in the ContraForce navigation menu
2
Select Notifications
Click the Notifications tab
3
Choose Workspace
Select the workspace you want to configure from the dropdown
Notification Settings Interface
| Element | Description |
|---|---|
| Workspace Selector | Choose which workspace to configure |
| Severity Toggles | Enable/disable notifications per severity level |
| Recipient Display | Shows current notification recipients |
| Save Button | Apply changes to the selected workspace |
Severity-Based Filtering
Customize which severity levels generate email notifications for each workspace.Default Behavior
By default, notifications are enabled for all severity levels when a workspace is onboarded:- ✅ High severity — Enabled
- ✅ Medium severity — Enabled
- ✅ Low severity — Enabled
- ✅ Informational — Enabled
Configuring Severities
1
Select Workspace
Choose the workspace from the dropdown
2
Toggle Severities
Click the toggle for each severity level to enable or disable
3
Save Changes
Click Save to apply your changes
Severity Level Guidance
- High
- Medium
- Low
- Informational
High severity incidents indicate active threats requiring immediate response.Examples:
- Active malware execution
- Credential theft detected
- Ransomware activity
- Privilege escalation attacks
Per-Workspace Configuration
MSSPs managing multiple customers can configure different notification settings for each workspace.Use Cases
| Scenario | Configuration |
|---|---|
| Premium SLA customer | All severities enabled |
| Standard SLA customer | High and Medium only |
| Development/test workspace | High only or disabled |
| Compliance-focused customer | All severities including Informational |
Configuring Multiple Workspaces
1
Configure First Workspace
Select workspace, set severity preferences, save
2
Switch Workspace
Use the dropdown to select the next workspace
3
Configure Settings
Adjust severity settings for this workspace
4
Repeat
Continue for all workspaces requiring custom settings
Email Notification Details
Sender Address
All ContraForce notifications are sent from:Add this address to your email allowlist and your customers’ allowlists to ensure notifications aren’t blocked by spam filters.
Email Content
Each incident notification email includes:| Field | Description |
|---|---|
| Subject Line | Incident title with severity indicator |
| Incident ID | Unique identifier for tracking |
| Severity | High, Medium, Low, or Informational |
| Description | Summary of the security event |
| MITRE Tactics | Associated ATT&CK techniques |
| Entities | Affected users, devices, IPs, etc. |
| View Incident Button | Direct link to the incident in ContraForce |
Example Email
Distribution Group Notifications
Route notifications to a team distribution list instead of individual users for better team visibility.Benefits
Team Visibility
Entire SOC team sees all alerts in a shared inbox
No Missed Alerts
Alerts aren’t missed when individuals are unavailable
On-Call Routing
Route to on-call rotation distribution groups
Ticketing Integration
Use email-to-ticket systems for automatic tracking
Setting Up Distribution Groups
Distribution group notifications require setup assistance from ContraForce:1
Identify Email Address
Determine the distribution group email address (e.g.,
[email protected])2
Provide During Onboarding
Share the email address during initial workspace onboarding
3
Or Contact Support
For existing workspaces, email [email protected]
4
Engineering Configuration
ContraForce Engineering team configures the distribution group
5
Verification
Test that notifications are reaching the distribution group
Distribution group changes require ContraForce support assistance. Self-service distribution group configuration is planned for a future release.
Common Distribution Group Patterns
| Pattern | Email Example | Use Case |
|---|---|---|
| SOC Team Inbox | [email protected] | Shared visibility for all analysts |
| Customer-Specific | [email protected] | Dedicated inbox per customer |
| On-Call Rotation | [email protected] | Routes to current on-call analyst |
| Ticketing System | [email protected] | Auto-creates tickets in ITSM |
Gamebook Notifications
Gamebook notifications are available for all modules (XDR and XDR + SIEM).Gamebook Notification Events
| Event | Notification Sent |
|---|---|
| Gamebook completed successfully | ✓ |
| Gamebook execution failed | ✓ |
| Gamebook requires approval | ✓ |
| Gamebook approved/rejected | ✓ |
Gamebook Email Content
- Gamebook name and type
- Target incident details
- Actions executed
- Execution status (Success/Failed/Pending)
- Workspace name
- Link to view details
Integration with External Tools
Email-to-Ticket Integration
Route notifications to ITSM platforms that support email-based ticket creation:| Platform | Setup Method |
|---|---|
| ServiceNow | Configure inbound email actions |
| Jira Service Management | Use email request channel |
| Autotask | Set up email-to-ticket rules |
| ConnectWise | Configure email connector |
| Zendesk | Use support email address |
ServiceNow Integration
For tighter integration, use our native ServiceNow connector
Microsoft Teams / Slack
For real-time chat notifications:1
Create Email-Enabled Channel
Set up an email address for your Teams channel or Slack workspace
2
Use as Distribution Group
Provide this email to ContraForce as your notification recipient
3
Receive in Chat
Notifications appear directly in your team chat
Best Practices
Start conservative, then expand
Start conservative, then expand
Begin with High severity only, monitor for a week, then gradually enable Medium and Low based on team capacity and incident quality.
Match notifications to SLAs
Match notifications to SLAs
Configure severity settings to match your SLA with each customer. Premium customers might get all severities; standard customers might only get High and Medium.
Use distribution groups for team visibility
Use distribution groups for team visibility
Individual email notifications risk being missed. Distribution groups ensure the entire team has visibility into alerts.
Integrate with ticketing for tracking
Integrate with ticketing for tracking
Route notifications to your ITSM for automatic ticket creation, SLA tracking, and audit trails.
Allowlist the sender address
Allowlist the sender address
Add
[email protected] to email allowlists for your organization and your customers.Review and tune periodically
Review and tune periodically
Monthly review notification settings. If a severity level generates too much noise, consider disabling it while you tune detection rules.
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Not receiving notifications | Spam filter blocking | Add sender to allowlist |
| Not receiving notifications | Wrong module deployed | Verify XDR + SIEM module is active |
| Not receiving notifications | Severity disabled | Check notification settings |
| Not receiving notifications | Distribution group issue | Contact support to verify configuration |
| Too many notifications | All severities enabled | Disable Informational and Low |
| Delayed notifications | Email server delays | Check your mail server; ContraForce sends in near real-time |
| Missing workspaces | Permissions issue | Verify you have admin access to the workspace |
Testing Notifications
To verify notifications are working:1
Check Settings
Confirm notification settings are enabled for the workspace
2
Verify Email Allowlist
Ensure the sender address isn’t blocked
3
Wait for Incident
Wait for a new Sentinel incident (or ask ContraForce to send a test)
4
Check All Folders
Check inbox, spam, and junk folders
5
Verify Content
Confirm the email contains expected incident details
Frequently Asked Questions
What email address sends notifications?
What email address sends notifications?
All notifications are sent from
[email protected]Can I get notifications for Defender XDR incidents?
Can I get notifications for Defender XDR incidents?
No, ContraForce does not send notifications for Defender XDR incidents. Use Microsoft Defender’s built-in notification settings. ContraForce notifications are for Sentinel incidents (XDR + SIEM module) and Gamebook activity.
How do I add a distribution group?
How do I add a distribution group?
Contact [email protected] with the email address. The ContraForce Engineering team will configure it for your account.
Can I customize the email template?
Can I customize the email template?
Email templates are standardized and cannot be customized. For custom formatting, route emails to a ticketing system that can transform them.
Is there a notification delay?
Is there a notification delay?
Notifications are sent in near real-time when Sentinel incidents are processed. Typical delay is under 5 minutes from incident creation.
Can different users get different notifications?
Can different users get different notifications?
Currently, notifications are configured at the workspace level, not per-user. All recipients for a workspace receive the same notifications based on severity settings.
Can I get SMS or push notifications?
Can I get SMS or push notifications?
ContraForce currently supports email only. For SMS or push, route email notifications to PagerDuty, Opsgenie, or similar services.
Related Guides
Module Overview
XDR vs XDR + SIEM module comparison
Sentinel Onboarding
Deploy the XDR + SIEM module
Incident Management
Handling incidents from notifications
Gamebooks
Automated response actions
Questions about notifications? Contact us at [email protected].