ContraForce Enterprise Applications Overview

This article will provide an overview of the ContraForce API and Portal Enterprise Applications and the usage of each respective application.

Overview

The ContraForce Platform is built on two enterprise applications: the ContraForce API and the ContraForce Portal. Below are the actions and abilities of the ContraForce enterprise applications during onboarding, followed by how the enterprise applications are used in single-tenant and multi-tenant modes.

ContraForce Enterprise Application Onboarding

  1. Onboarding Welcome Page & Sign-in with Global Admin User
    1. Admin consents ContraForce API Enterprise Application
    2. Admin consents ContraForce Portal Enterprise Application
  2. Selection for Subscription, Resource Group, and Sentinel Workspace
    1. ContraForce automation utilizes the Global Admin user identity to assign the Owner role to the ContraForce API Enterprise Application within the selected Azure subscription
    2. ContraForce automation utilizes the Global Admin user identity to create an Azure security group through the ContraForce Platform and assign that security group the Contributor role on the selected Azure subscription
    3. ContraForce automation utilizes the Global Admin user identity to deploy an Azure Lighthouse definition through the ContraForce Platform
  3. Incident Notification Engine
    1. ContraForce automation utilizes the Global Admin user identity to deploy an automation rule targeting the selected Sentinel Workspace through the ContraForce Platform
    2. ContraForce automation utilizes the Global Admin user identity to deploy a Logic App and an Azure Function for relaying incidents through the ContraForce Platform
  4. ContraForce Data Connector Auto Detector
    1. ContraForce automation utilizes the Global Admin user identity to initiate a scan, through the ContraForce Platform, of the data connectors connected to the Sentinel Workspace
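
As a post-onboarding check a tenant administrator might run (an added example, not ContraForce's own code): given role assignments in the shape of `az role assignment list -o json` output, the script below compares the ContraForce principals' assignments against the model described in steps 2.1 and 2.2 above. The display names "ContraForce API" and "ContraForce Platform", the subscription ids and the user account are constructed placeholders, not values from this article.

```python
import json

# Constructed sample in the shape of `az role assignment list -o json` output.
# Names and subscription ids are placeholders, not real tenant values.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "ContraForce API", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "ContraForce Platform", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "ContraForce API", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])

# The documented onboarding model: Owner for the API enterprise application and
# Contributor for the security group, both scoped to the one selected subscription.
# (Display names are assumed; check them against your own tenant.)
EXPECTED = {
    ("ContraForce API", "ServicePrincipal"): "Owner",
    ("ContraForce Platform", "Group"): "Contributor",
}


def audit(assignments_json, onboarded_subscription):
    """Classify ContraForce assignments as matching the model, unexpected, or missing."""
    expected_scope = f"/subscriptions/{onboarded_subscription}"
    matches, unexpected, seen = [], [], set()
    for a in json.loads(assignments_json):
        key = (a["principalName"], a["principalType"])
        if key not in EXPECTED:
            continue  # not a ContraForce principal; outside this check
        if a["roleDefinitionName"] == EXPECTED[key] and a["scope"] == expected_scope:
            matches.append(a)
            seen.add(key)
        else:
            unexpected.append(a)  # wrong role, or a subscription that was never onboarded
    missing = [k for k in EXPECTED if k not in seen]
    return {"matches": matches, "unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    result = audit(SAMPLE_ASSIGNMENTS, "00000000-0000-0000-0000-000000000000")
    for a in result["unexpected"]:
        print(f"REVIEW: {a['principalName']} has {a['roleDefinitionName']} on {a['scope']}")
    for name, kind in result["missing"]:
        print(f"MISSING: expected {EXPECTED[(name, kind)]} for {name} ({kind})")
```

In the sample, the second Owner assignment lands in "unexpected" because it sits on a subscription that was never selected during onboarding.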

Single and Multi-Tenant Overview

The next two sections cover how the ContraForce Enterprise Applications function in the Single-Tenant and Multi-Tenant modes. Additional information on the Multi-Tenant mode can be found here.

ContraForce Platform Enterprise Application - Single Tenant Mode

  1. Identity of Signed-in User to ContraForce Portal
    1. All ContraForce Platform requests are made on behalf of the signed-in user through the ContraForce API Enterprise Application
      1. Data Read / Write from Sentinel
        1. Incident Management and Workflow
          1. Assign user to incident
          2. Change status of incident
          3. Change severity of incident
          4. Add comment to incident
      2. Queries sent to Sentinel/Log Analytics Workspace from ContraForce Platform
        1. Incident Queries
        2. Entity Queries
        3. Related Alert Queries
      3. Active Directory / Microsoft Entra ID Read Permissions
        1. User Look Up
        2. Group Read/Write
      4. Defender for Endpoint
        1. Machine Read
        2. Machine Action Write
      5. Gamebook Execution
        1. User Entity Security Management
          1. Invalidate Existing Sessions
          2. Reset Password
          3. Lockout User
          4. Unlock User
        2. Endpoint Entity (Machine Action Write) Security Management
          1. Scan
          2. Isolate
          3. Quarantine File

ContraForce Platform Enterprise Application - Multi-Tenant Mode

  1. Identity of Signed-in User to ContraForce Portal
    1. Multi-Tenant mode builds upon the actions shown above in the Single Tenant mode and uses the ContraForce API Enterprise Application Permissions to make requests to the target Azure environment and Sentinel Workspace.
      1. ContraForce API runs user verification to determine if the signed-in user is authorized to access registered Sentinel Workspaces
      2. After authorization has been validated, the ContraForce API Enterprise Application fetches all data for each Sentinel Workspace using the ContraForce API Enterprise Application Permissions to populate the Multi-Tenant Command page and tenant drop-down.
    2. Executing Gamebook Actions in Registered Sentinel Workspaces
      1. ContraForce API runs user verification to determine if the signed-in user is authorized to access registered Sentinel Workspaces
      2. After authorization has been validated, the ContraForce API Enterprise Application allows the user to execute Gamebook Response Actions within registered Sentinel Workspaces
      3. The Gamebook action is logged within the ContraForce Platform
    3. After authorization has been validated, the ContraForce API Enterprise Application allows the user to fetch Defender for Endpoint data from registered Sentinel Workspaces

If you have any questions, please contact us at support@contraforce.com. We are happy to answer any questions that you may have.