ContraForce empowers analysts to efficiently manage incidents across multiple tenants and data sources. This workflow is designed to help you resolve incidents faster and deliver better service to your customers.
Workflow Overview
1. Filter Workspaces: Focus on specific tenants or view all incidents across your environment
2. Assign Incidents: Route incidents to the appropriate analyst
3. Investigate: Review the incident summary, entities, timeline, and evidence
4. Respond with Gamebooks: Execute automated response actions with one click
5. Close the Incident: Document findings and close with proper classification

1. Workspace Filtering
The Command Page allows you to customize which incidents are displayed by filtering on Workspace, Severity, and Status. These filters persist as you navigate between pages in ContraForce.
Setting Your Workspace Filter
1. Open the Filter: Click the workspace dropdown menu in the top bar of the Command Page
2. Select Workspaces: Choose one or more workspaces to display
3. View Filtered Results: The Incidents table updates to show only incidents from selected workspaces

Additional Filters
Beyond workspace filtering, you can further refine your view:

| Filter | Options | Use Case |
|---|---|---|
| Severity | High, Medium, Low, Informational | Focus on critical incidents first |
| Status | New, Active, Closed | View only incidents requiring action |
| Module | Sentinel, Defender XDR | Filter by security product |
2. Incident Assignment
Proper incident assignment ensures the right analyst handles each incident and provides clear ownership for tracking.
Individual Assignment
To assign a single incident:
- Locate the incident in the Incidents table
- Click the dropdown in the Owner column
- Select an analyst from the list of portal users
Bulk Assignment
To assign multiple incidents at once:
1. Select Incidents: Check the boxes next to incidents you want to update
2. Click Update Incidents: Click the “Update Incidents” button in the table header
3. Set Owner and Status: Choose the assignee and optionally update the status
4. Apply Changes: Confirm to apply changes to all selected incidents

3. Incident Summary
The Incident Summary provides a complete view of an incident with all the context you need for investigation.
Accessing the Summary
Click any Incident ID in the Incidents table to open its Summary view.
Summary Tabs
- Entities
- Threat Intel
- Timeline
- Evidence
- Comments
Associated Entities shows all entities involved in the incident (users, devices, IPs, etc.).
- Click the dropdown on any entity to see other incidents it’s associated with
- Click an incident ID to open it in a new tab
- Use entity insights to understand the full scope of the threat
4. Gamebook Responses
Gamebooks are pre-built and custom response actions that let you remediate threats with a single click.
Available Gamebook actions are determined by the entity types present in the incident. ContraForce automatically suggests relevant actions based on what it detects.
Using Suggested Gamebooks
If a Gamebook has been previously executed for similar incidents, ContraForce suggests it automatically:
Creating a Custom Gamebook
1. Open the Workbench: Click the dropdown next to “Edit” and select Create New Gamebook
2. Explore Available Actions: Click entity icons in the Entity Graph to see available response actions
3. Build Your Response:
   - Use the arrows to navigate through action options
   - Click the green + icon to add an action
   - Click the red - icon to remove an action
4. Execute: Click Run Gamebook to execute all selected actions

Gamebook Approval Workflow
Some Gamebook actions require approval before execution. To request approval:
- Build your Gamebook as usual
- Click Request Gamebook Approval (instead of Run Gamebook)
- The request is sent to authorized approvers
- Approvers can approve directly from the incident, or
- Use the Gamebook Activity tab to review and approve pending requests
5. Incident Closure
After completing your investigation and response, close the incident with proper documentation.
Quick Close from Gamebook
After a Gamebook completes, a green Close Incident button appears at the bottom of the entity graph:
Closure Fields
| Field | Options | Purpose |
|---|---|---|
| Status | Closed | Marks the incident as resolved |
| Classification | True Positive, False Positive, Benign Positive, Undetermined | Categorizes the incident outcome |
| Classification Reason | Free text | Documents why this classification was chosen |
| Comments | Free text | Final notes on resolution |
Bulk Closure
You can also close incidents in bulk from the Command Page:
- Select multiple incidents using checkboxes
- Click Update Incidents
- Set status to Closed and add classification details
- Apply changes
Putting It Together
The ContraForce incident management workflow is designed to help you:
- Triage Faster: Filter and prioritize incidents across all your tenants from one dashboard
- Respond Automatically: Execute proven response actions with Gamebooks instead of manual remediation
- Document Everything: Maintain complete audit trails with comments, classifications, and history
Related Guides
- Command Page: Learn more about the central incident dashboard
- What are Gamebooks?: Deep dive into automated response actions
- Security Workbench: Create custom response workflows
- Incident Classifications: Understand True Positive, False Positive, and more
Questions about this workflow? Contact us at [email protected]. We’re happy to help optimize your incident management process.