This Knowledge Base article describes the features and capabilities of the ContraForce Security Service Delivery Platform in support of Extended Detection and Response (XDR), Security Incident and Event Management (SIEM), ticketing and other tools.
Available Integrations:
- SIEM
  - IBM QRadar (IBM QRadar SIEM and IBM QRadar on Cloud)
  - Microsoft Sentinel
  - Splunk Enterprise Security
- XDR
  - CrowdStrike Falcon Insight XDR
  - Microsoft Defender XDR
  - SentinelOne Singularity XDR
- Ticketing
  - Datto Autotask PSA
  - ServiceNow ITSM
- Other Tools (noted when applicable)
  - Microsoft Entra ID
  - Microsoft Network Security Group
  - Microsoft 365 Exchange
Table of Contents
- Incident Investigation
  - Incident Management
  - Entity Enrichment and Triage
  - Log Search
  - Endpoint Management
- Response and Case Management
  - Gamebooks
  - Gamebook Recommendations
  - ITSM/PSA Management
  - Apollo Email Notifications
- Detection Engineering
  - Content Management System
Legend
Y - Capability exists
Y(#) - Capability exists but has dependencies, as noted
1. Incident Investigation
Incident Management
| Integration | Bi-directional streaming of incidents | Fetching incident entities | Fetching incident evidence (logs) | Incident alert timelines | Incident investigation audit |
|---|---|---|---|---|---|
| Microsoft Sentinel | Y | Y | Y | Y | Y |
| Splunk | Y | Y | | | |
| QRadar | Y | Y | Y | | |
| Microsoft Defender XDR | Y | Y | Y | Y | Y |
| CrowdStrike | Y | Y | Y | Y | |
| SentinelOne | Y | Y | Y | | |
Entity Enrichment and Triage
User and IP Insights
| Integration | User - Related incidents search | User - Sign-in logs | User - Audit logs | User - Entra ID profile | IP - Insight logs | IP - Related incidents |
|---|---|---|---|---|---|---|
| Microsoft Sentinel | Y | Y | Y | Y | Y | |
| Splunk | | | | | | |
| QRadar | | | | | | |
| Microsoft Defender XDR | Y(1) | Y(1) | Y(1) | Y(2) | Y(3) | |
| CrowdStrike | | | | | | |
| SentinelOne | | | | | | |

(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform.
(2) Requires that Microsoft Sentinel is enabled and connected to the ContraForce Platform.
(3) Requires Microsoft Defender for Endpoint Plan 2.
Device and Email Insights
| Integration | Device - Timeline | Device - Related incidents | Device - Info | Email - Related incidents | Email - Info |
|---|---|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y | Y(1) | Y | Y |
| Splunk | | | | | |
| QRadar | | | | | |
| Microsoft Defender XDR | Y(2) | Y(2) | Y | Y | Y(2) |
| CrowdStrike | | | | | |
| SentinelOne | | | | | |
(1) Requires that a Microsoft Defender for Endpoint license is enabled and connected to the ContraForce Platform.
(2) Requires Microsoft Defender for Endpoint Plan 2.
File and URL Insights
| Integration | File - Related incidents | File - Information | URL - Related incidents | URL - Info |
|---|---|---|---|---|
| Microsoft Sentinel | Y | Y | Y | Y |
| Splunk | | | | |
| QRadar | | | | |
| Microsoft Defender XDR | Y | Y | Y | Y(1) |
| CrowdStrike | | | | |
| SentinelOne | | | | |
(1) Requires Microsoft Defender for Endpoint Plan 2.
Log Search
| Integration | Log Search |
|---|---|
| Microsoft Sentinel | Y |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | Y(1) |
| CrowdStrike | |
| SentinelOne | |
(1) Requires Microsoft Defender for Endpoint Plan 2.
Endpoint Management
| Integration | View Device List | View Device Info |
|---|---|---|
| Microsoft Defender XDR | Y | Y |
| CrowdStrike | | |
| SentinelOne | | |
2. Response and Case Management
Gamebooks
Endpoint Gamebooks
| Integration | Isolate Endpoint | Anti-virus Scan | Remove from Isolation |
|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y(1) | Y(1) |
| Splunk | | | |
| QRadar | | | |
| Microsoft Defender XDR | Y | Y | Y |
| CrowdStrike | | | |
| SentinelOne | Y | Y | Y |
(1) Depends on structure of the underlying rule in Microsoft Sentinel.
File Gamebooks
| Integration | Quarantine File |
|---|---|
| Microsoft Sentinel | Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | Y |
(1) Depends on structure of the underlying rule in Microsoft Sentinel.
User Gamebooks
| Integration | Invalidate Existing Sessions | Reset User Password | Lockout User | Unlock User |
|---|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y(1) | Y(1) | Y(1) |
| Splunk | | | | |
| QRadar | | | | |
| Microsoft Defender XDR | Y(2) | Y(2) | Y(2) | Y(2) |
| CrowdStrike | | | | |
| SentinelOne | Y | Y | Y | Y |

(1) Requires that Microsoft Entra ID is connected to the ContraForce Platform. Depends on the structure of the underlying rule in Microsoft Sentinel.
(2) Requires that Microsoft Entra ID is connected to the ContraForce Platform.
IP Address Gamebooks
| Integration | Block IP (Azure Network Security Group) |
|---|---|
| Microsoft Sentinel | Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | Y |

(1) Requires that a Microsoft Network Security Group is set up and is able to block the IP address. Depends on the structure of the underlying rule in Microsoft Sentinel that uses the Microsoft Network Security Group.
Email Gamebooks
| Integration | Soft-Delete Email |
|---|---|
| Microsoft Sentinel | Y(1) |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | Y(2) |
| CrowdStrike | |
| SentinelOne | Y |

(1) Requires a Microsoft 365 Exchange license. Depends on the structure of the underlying rule in Microsoft Sentinel that uses the Microsoft Network Security Group.
(2) Requires a Microsoft 365 Exchange license.
Gamebook Recommendations
| Integration | View Gamebook recommendations for all deployed rules | Enable auto-run for Gamebook recommendations |
|---|---|---|
| Microsoft Sentinel | Y | Y |
| Splunk | | |
| QRadar | | |
| Microsoft Defender XDR | | |
| CrowdStrike | | |
| SentinelOne | | |
IT Service Management (ITSM) / Professional Services Automation (PSA)
| Integration | Associate tickets to incidents | Create and link ticket manually | Auto-create ticket from incident source |
|---|---|---|---|
| Datto Autotask PSA | Y | Y | |
| ServiceNow IT Service Management | Y | Y | |
Apollo Email Notification Service
| Integration | Send incident notification email |
|---|---|
| Microsoft Sentinel | Y |
| Splunk | |
| QRadar | |
| Microsoft Defender XDR | |
| CrowdStrike | |
| SentinelOne | |
3. Detection Engineering
Content Management System (CMS)
| Integration | Add data source specific rule | Remove data source specific rule | Subscribe to auto-update for rules |
|---|---|---|---|
| Microsoft Sentinel | Y(1) | Y(1) | Y(1) |
| Splunk | | | |
| QRadar | | | |
| Microsoft Defender XDR | | | |
| CrowdStrike | | | |
| SentinelOne | | | |

(1) Applies to content developed by the ContraForce Security Engineering team.