Integrations - ContraForce Capabilities Matrix

This Knowledge Base article describes the features and capabilities of the ContraForce Security Service Delivery Platform in support of Extended Detection and Response (XDR), Security Information and Event Management (SIEM), ticketing and other tools.

Available Integrations:

  • SIEM
    • IBM QRadar (IBM QRadar SIEM, and IBM QRadar on Cloud)
    • Microsoft Sentinel
    • Splunk Enterprise Security
  • XDR
    • CrowdStrike Falcon Insight XDR
    • Microsoft Defender XDR
    • SentinelOne Singularity XDR
  • Ticketing
    • Datto Autotask PSA
    • ServiceNow ITSM
  • Other Tools (noted when applicable)
    • Microsoft Entra ID
    • Microsoft Network Security Group
    • Microsoft 365 Exchange

Table of Contents

  1. Incident Investigation
    • Incident Management
    • Entity Enrichment and Triage
    • Log Search
    • Endpoint Management
  2. Response and Case Management
    • Gamebooks
    • Gamebook Recommendations
    • ITSM/PSA Management
    • Apollo Email Notifications
  3. Detection Engineering
    • Content Management System

Legend

Y - Capability exists

Y(#) - Capability exists but has dependencies, as noted

Blank - Capability not available for that integration

1. Incident Investigation

Incident Management

| Platform | Bi-directional streaming of incidents | Fetching incident entities | Fetching incident evidence (logs) | Incident alert timelines | Incident investigation audit |
|---|---|---|---|---|---|
| Microsoft Sentinel | Y | Y | Y | Y | Y |
| Splunk | Y | | | | Y |
| QRadar | Y | Y | | | Y |
| Microsoft Defender XDR | Y | Y | Y | Y | Y |
| CrowdStrike | Y | Y | | Y | Y |
| SentinelOne | Y | Y | | | Y |

Entity Enrichment and Triage

User and IP Insights

| Platform | User - Related incidents search | User - Sign-in logs | User - Audit logs | User - Entra ID profile | IP - Insight logs | IP - Related incidents |
|---|---|---|---|---|---|---|
| Microsoft Sentinel | Y | Y | | Y | Y | Y |
| Splunk | | | | | | |
| QRadar | | | | | | |
| Microsoft Defender XDR | | Y(1) | Y(1) | Y(1) | Y(2) | Y(3) |
| CrowdStrike | | | | | | |
| SentinelOne | | | | | | |

(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform.

(2) Requires that Microsoft Sentinel is enabled and connected to the ContraForce Platform.

(3) Requires Microsoft Defender for Endpoint Plan 2.

Device and Email Insights

| Platform | Device - Timeline | Device - Related incidents | Device - Info | Email - Related incidents | Email - Info |
|---|---|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y | Y(1) | Y | Y |
| Splunk | | | | | |
| QRadar | | | | | |
| Microsoft Defender XDR | Y(2) | Y(2) | Y | Y | Y(2) |
| CrowdStrike | | | | | |
| SentinelOne | | | | | |

(1) Requires that a Microsoft Defender for Endpoint license is enabled and connected to the ContraForce Platform.

(2) Requires Microsoft Defender for Endpoint Plan 2.

File and URL Insights

| Platform | File - Related incidents | File - Information | URL - Related incidents | URL - Info |
|---|---|---|---|---|
| Microsoft Sentinel | Y | Y | Y | Y |
| Splunk | | | | |
| QRadar | | | | |
| Microsoft Defender XDR | Y | Y | Y | Y(1) |
| CrowdStrike | | | | |
| SentinelOne | | | | |

(1) Requires Microsoft Defender for Endpoint Plan 2.

Log Search

| Platform | Log Search |
|---|---|
| Microsoft Sentinel | Y |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | Y(1) |
| CrowdStrike | |
| SentinelOne | |

(1) Requires Microsoft Defender for Endpoint Plan 2.

Endpoint Management

| Platform | View Device List | View Device Info |
|---|---|---|
| Microsoft Defender XDR | Y | Y |
| CrowdStrike | | |
| SentinelOne | | |

2. Response and Case Management

Gamebooks

Endpoint Gamebooks

| Platform | Isolate Endpoint | Anti-virus Scan | Remove from Isolation |
|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y(1) | Y(1) |
| Splunk | | | |
| QRadar | | | |
| Microsoft Defender XDR | Y | Y | Y |
| CrowdStrike | | | |
| SentinelOne | Y | Y | Y |

(1) Depends on the structure of the underlying rule in Microsoft Sentinel.

File Gamebooks

| Platform | Quarantine File |
|---|---|
| Microsoft Sentinel | Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | Y |

(1) Depends on the structure of the underlying rule in Microsoft Sentinel.

User Gamebooks

| Platform | Invalidate Existing Sessions | Reset User Password | Lockout User | Unlock User |
|---|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y(1) | Y(1) | Y(1) |
| Splunk | | | | |
| QRadar | | | | |
| Microsoft Defender XDR | Y(2) | Y(2) | Y(2) | Y(2) |
| CrowdStrike | | | | |
| SentinelOne | Y | Y | Y | Y |

(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform. Depends on the structure of the underlying rule in Microsoft Sentinel.

(2) Requires that Microsoft Entra ID is connected to the ContraForce Platform.

IP Address Gamebooks

| Platform | Block IP (Azure Network Security Group) |
|---|---|
| Microsoft Sentinel | Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | Y |

(1) Requires that a Microsoft Network Security Group is set up and is able to block the IP address. Depends on the structure of the underlying rule in Microsoft Sentinel that uses the Microsoft Network Security Group.

Email Gamebooks

| Platform | Soft-Delete Email |
|---|---|
| Microsoft Sentinel | Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | Y(2) |
| CrowdStrike | |
| SentinelOne | Y |

(1) Requires a Microsoft 365 Exchange license. Depends on the structure of the underlying rule in Microsoft Sentinel that uses the Microsoft Network Security Group.

(2) Requires a Microsoft 365 Exchange license.

Gamebook Recommendations

| Platform | View Gamebook recommendations for all deployed rules | Enable auto-run for Gamebook recommendations |
|---|---|---|
| Microsoft Sentinel | Y | Y |
| Splunk | | |
| QRadar | | |
| Microsoft Defender XDR | | |
| CrowdStrike | | |
| SentinelOne | | |

IT Service Management (ITSM) / Professional Services Automation (PSA)

| Tool | Associate tickets to incidents | Create and link ticket manually | Auto-create ticket from incident source |
|---|---|---|---|
| Datto Autotask PSA | Y | Y | |
| ServiceNow IT Service Management | Y | Y | |

Apollo Email Notification Service

| Platform | Send incident notification email |
|---|---|
| Microsoft Sentinel | Y |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | |

3. Detection Engineering

Content Management System (CMS)

| Platform | Add data source specific rule | Remove data source specific rule | Subscribe to auto-update for rules |
|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y(1) | Y(1) |
| Splunk | | | |
| QRadar | | | |
| Microsoft Defender XDR | | | |
| CrowdStrike | | | |
| SentinelOne | | | |

(1) Applies to content developed by the ContraForce Security Engineering team.