Back to home

Knowledge Base

Technical

Integrations - ContraForce Capabilities Matrix

This Knowledge Base article describes the features and capabilities of the ContraForce Security Service Delivery Platform in support of Extended Detection and Response (XDR), Security Incident and Event Management (SIEM), ticketing and other tools.

Available Integrations:

SIEM
- IBM QRadar (IBM QRadar SIEM, and IBM QRadar on Cloud)
- Microsoft Sentinel
- Splunk Enterprise Security
XDR
- CrowdStrike Falcon Insight XDR
- Microsoft Defender XDR
- SentinelOne Singularity XDR
Ticketing
- Datto Autotask PSA
- ServiceNow ITSM
- Jira Service Desk
Other Tools (noted when applicable)
- Microsoft Entra ID
- Microsoft Network Security Group
- Microsoft 365 Exchange

Incident Investigation
- Incident Management
- Entity Enrichment and Triage
- Log Search
- Endpoint Management
Response and Case Management
- Gamebooks
- Gamebook Recommendations
- ITSM/PSA Management
- Apollo Email Notifications
Detection Engineering
- Content Management System

Legend

Y - Capability exists

Y(#) - Capability exists but has dependencies, as noted

1. Incident Investigation

Incident Management

	Bi-directional streaming of incidents	Fetching incident entities	Fetching incident evidence (logs)	Incident alert timelines	Incident investigation audit
Microsoft Sentinel	Y	Y	Y	Y	Y
Splunk	Y				Y
QRadar	Y	Y			Y
Microsoft Defender XDR	Y	Y	Y	Y	Y
CrowdStrike	Y	Y		Y	Y
SentinelOne	Y	Y			Y

Entity Enrichment and Triage

User and IP Insights

	User - Related incidents search	User -Sign-in logs	User - Audit logs	User - Entra ID profile	IP - Insight Logs	IP - Related incidents
Microsoft Sentinel	Y	Y		Y	Y	Y
Splunk
QRadar
Microsoft Defender XDR		Y(1)	Y(1)	Y(1)	Y(2)	Y(3)
CrowdStrike
SentinelOne

(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform

(2) Requires that Microsoft Sentinel is enabled and connected to the ContraForce Platform.

(3) Requires Microsoft Defender for Endpoint Plan 2

Device and Email Insights

	Device - Timeline	Device - Related incidents	Device - Info	Email - Related Incidents	Email - Info
Microsoft Sentinel	Y(1)	Y	Y(1)	Y	Y
Splunk
QRadar
Microsoft Defender XDR	Y(2)	Y(2)	Y	Y	Y(2)
CrowdStrike
SentinelOne

(1) Requires that a Microsoft Defender for Endpoint license is enabled and connected to the ContraForce Platform.

(2) Requires Microsoft Defender for Endpoint Plan 2.

File and URL Insights

	File - Related Incidents	File - Information	URL - Related Incidents	URL - Info
Microsoft Sentinel	Y	Y	Y	Y
Splunk
QRadar
Microsoft Defender XDR	Y	Y	Y	Y(1)
CrowdStrike
SentinelOne

(1) Requires Microsoft Defender for Endpoint Plan 2.

Log Search

	Log Search
Microsoft Sentinel	Y
Splunk
QRadar
Microsoft Defender XDR	Y(1)
CrowdStrike
SentinelOne

(1) Requires Microsoft Defender for Endpoint Plan 2.

Endpoint Management

	View Device List	View Device Info
Microsoft Defender XDR	Y	Y
CrowdStrike
SentinelOne

2. Response and Case Management

Gamebooks

Endpoint Gamebooks

	Isolate Endpoint	Anti-virus Scan	Remove from Isolation
Microsoft Sentinel	Y(1)	Y(1)	Y(1)
Splunk
QRadar
Microsoft Defender XDR	Y	Y	Y
CrowdStrike
SentinelOne	Y	Y	Y

(1) Depends on structure of the underlying rule in Microsoft Sentinel.

File Gamebooks

	Quarantine File
Microsoft Sentinel	Y(1)
Splunk
QRadar
Microsoft Defender XDR
CrowdStrike
SentinelOne	Y

(1) Depends on structure of the underlying rule in Microsoft Sentinel.

User Gamebooks

	Invalidate Existing Sessions	Reset User Password	Lockout User	Unlock User
Microsoft Sentinel	Y(1)	Y(1)	Y(1)	Y(1)
Splunk
QRadar
Microsoft Defender XDR	Y(2)	Y(2)	Y(2)	Y(2)
CrowdStrike
SentinelOne	Y	Y	Y	Y

(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform. Depends on structure of the underlying rule in Microsoft Sentinel.

(2) Requires that Microsoft Entra ID is connected to the ContraForce Platform

IP Address Gamebooks

	Block IP (Azure Network Security Group)
Microsoft Sentinel	Y(1)
Splunk
QRadar
Microsoft Defender XDR
CrowdStrike
SentinelOne	Y

(1) Requires that Microsoft Network Security Group is set up and that it has the ability to block the IP Address. Depends on structure of the underlying rule in Microsoft Sentinel that is using Microsoft Network Security Group.

Email Gamebooks

	Soft-Delete Email
Microsoft Sentinel	Y(1)
Splunk
QRadar
Microsoft Defender XDR	Y(2)
CrowdStrike
SentinelOne	Y

(1) Requires a Microsoft 365 Exchange license. Depends on structure of the underlying rule in Microsoft Sentinel that is using Microsoft Network Security Group.

(2) Requires a Microsoft 365 Exchange license.

Gamebook Recommendations & Auto-Run

	View Gamebook recommendations for all deployed rules	Enable auto-run for Gamebook recommendations
Microsoft Sentinel	Y	Y
Splunk
QRadar
Microsoft Defender XDR
CrowdStrike
SentinelOne

IT Service Management (ITSM) / Professional Services Automation (PSA)

	Associate tickets to incidents	Create and link ticket manually	Auto-create ticket from incident source
Datto Autotask PSA	Y	Y
ServiceNow IT Service Management	Y	Y
Jira Service Desk	Y	Y

Apollo Email Notification Service

	Send incident notification email
Microsoft Sentinel	Y
Splunk
QRadar
Microsoft Defender XDR
CrowdStrike
SentinelOne

3. Detection Engineering

Content Management System (CMS)

	Add data source specific rule	Remove data source specific rule	Subscribe to auto-update for rules
Microsoft Sentinel	Y(1)	Y(1)	Y(1)
Splunk
QRadar
Microsoft Defender XDR
CrowdStrike
SentinelOne

(1) Applies to content developed by ContraForce Security Engineering team.