This Knowledge Base article describes the features and capabilities of the ContraForce Security Service Delivery Platform in support of Extended Detection and Response (XDR), Security Incident and Event Management (SIEM), ticketing and other tools.
Available Integrations:
- SIEM
- IBM QRadar (IBM QRadar SIEM, and IBM QRadar on Cloud)
- Microsoft Sentinel
- Splunk Enterprise Security
- XDR
- CrowdStrike Falcon Insight XDR
- Microsoft Defender XDR
- SentinelOne Singularity XDR
- Ticketing
- Datto Autotask PSA
- ServiceNow ITSM
- Other Tools (noted when applicable)
- Microsoft Entra ID
- Microsoft Network Security Group
- Microsoft 365 Exchange
Table of Contents
- Incident Investigation
- Incident Management
- Entity Enrichment and Triage
- Log Search
- Endpoint Management
- Response and Case Management
- Gamebooks
- Gamebook Recommendations
- ITSM/PSA Management
- Apollo Email Notifications
- Detection Engineering
- Content Management System
Legend
Y - Capability exists
Y(#) - Capability exists but has dependencies, as noted
1. Incident Investigation
Incident Management
| Bi-directional streaming of incidents | Fetching incident entities | Fetching incident evidence (logs) | Incident alert timelines | Incident investigation audit | |
|
Microsoft Sentinel |
Y | Y | Y | Y | Y |
| Splunk | Y | Y | |||
| QRadar | Y | Y | Y | ||
| Microsoft Defender XDR | Y | Y | Y | Y | Y |
| CrowdStrike | Y | Y | Y | Y | |
| SentinelOne | Y | Y | Y |
Entity Enrichment and Triage
User and IP Insights
| User - Related incidents search | User -Sign-in logs | User - Audit logs | User - Entra ID profile | IP - Insight Logs | IP - Related incidents | |
|
Microsoft Sentinel |
Y | Y | Y | Y | Y | |
| Splunk | ||||||
| QRadar | ||||||
| Microsoft Defender XDR | Y(1) | Y(1) | Y(1) | Y(2) | Y(3) | |
| CrowdStrike | ||||||
| SentinelOne |
(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform
(2) Requires that Microsoft Sentinel is enabled and connected to the ContraForce Platform.
(3) Requires Microsoft Defender for Endpoint Plan 2
Device and Email Insights
| Device - Timeline | Device - Related incidents | Device - Info | Email - Related Incidents | Email - Info | |
|
Microsoft Sentinel |
Y(1) | Y | Y(1) | Y | Y |
| Splunk | |||||
| QRadar | |||||
| Microsoft Defender XDR | Y(2) | Y(2) | Y | Y | Y(2) |
| CrowdStrike | |||||
| SentinelOne |
(1) Requires that a Microsoft Defender for Endpoint license is enabled and connected to the ContraForce Platform.
(2) Requires Microsoft Defender for Endpoint Plan 2.
File and URL Insights
| File - Related Incidents | File - Information | URL - Related Incidents | URL - Info | |
|
Microsoft Sentinel |
Y | Y | Y | Y |
| Splunk | ||||
| QRadar | ||||
| Microsoft Defender XDR | Y | Y | Y | Y(1) |
| CrowdStrike | ||||
| SentinelOne |
(1) Requires Microsoft Defender for Endpoint Plan 2.
Log Search
| Log Search | |
|
Microsoft Sentinel |
Y |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | Y(1) |
| CrowdStrike | |
| SentinelOne |
(1) Requires Microsoft Defender for Endpoint Plan 2.
Endpoint Management
| View Device List | View Device Info | |
| Microsoft Defender XDR | Y | Y |
| CrowdStrike | ||
| SentinelOne |
2. Response and Case Management
Gamebooks
Endpoint Gamebooks
| Isolate Endpoint | Anti-virus Scan | Remove from Isolation | |
|
Microsoft Sentinel |
Y(1) | Y(1) | Y(1) |
| Splunk | |||
| QRadar | |||
| Microsoft Defender XDR | Y | Y | Y |
| CrowdStrike | |||
| SentinelOne | Y | Y | Y |
(1) Depends on structure of the underlying rule in Microsoft Sentinel.
File Gamebooks
| Quarantine File | |
|
Microsoft Sentinel |
Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | Y |
(1) Depends on structure of the underlying rule in Microsoft Sentinel.
User Gamebooks
| Invalidate Existing Sessions | Reset User Password | Lockout User | Unlock User | |
|
Microsoft Sentinel |
Y(1) | Y(1) | Y(1) | Y(1) |
| Splunk | ||||
| QRadar | ||||
| Microsoft Defender XDR | Y(2) | Y(2) | Y(2) | Y(2) |
| CrowdStrike | ||||
| SentinelOne | Y | Y | Y | Y |
(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform. Depends on structure of the underlying rule in Microsoft Sentinel.
(2) Requires that Microsoft Entra ID is connected to the ContraForce Platform
IP Address Gamebooks
| Block IP (Azure Network Security Group) | |
|
Microsoft Sentinel |
Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | Y |
(1) Requires that Microsoft Network Security Group is set up and that it has the ability to block the IP Address. Depends on structure of the underlying rule in Microsoft Sentinel that is using Microsoft Network Security Group.
Email Gamebooks
| Soft-Delete Email | |
|
Microsoft Sentinel |
Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | Y(2) |
| CrowdStrike | |
| SentinelOne | Y |
(1) Requires a Microsoft 365 Exchange license. Depends on structure of the underlying rule in Microsoft Sentinel that is using Microsoft Network Security Group.
(2) Requires a Microsoft 365 Exchange license.
Gamebook Recommendations
| View Gamebook recommendations for all deployed rules | Enable auto-run for Gamebook recommendations | |
|
Microsoft Sentinel |
Y | Y |
| Splunk | ||
| QRadar | ||
| Microsoft Defender XDR | ||
| CrowdStrike | ||
| SentinelOne |
IT Service Management (ITSM) / Professional Services Automation (PSA)
| Associate tickets to incidents | Create and link ticket manually | Auto-create ticket from incident source | |
| Datto Autotask PSA | Y | Y | |
| ServiceNow IT Service Management | Y | Y |
Apollo Email Notification Service
| Send incident notification email | |
|
Microsoft Sentinel |
Y |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne |
3. Detection Engineering
Content Management System (CMS)
| Add data source specific rule | Remove data source specific rule | Subscribe to auto-update for rules | |
|
Microsoft Sentinel |
Y(1) | Y(1) | Y(1) |
| Splunk | |||
| QRadar | |||
| Microsoft Defender XDR | |||
| CrowdStrike | |||
| SentinelOne |
(1) Applies to content developed by ContraForce Security Engineering team.