ContraForce Module Overview

Users have the option to deploy two different modules when they onboard ContraForce to their environment. This article will cover what is included in each module.

Overview

ContraForce has two modules that can be selected during the deployment process: the XDR module and the XDR + SIEM module. Each module supports different products and can be selected based on the needs of the environment.

ContraForce XDR Module

The ContraForce XDR module supports onboarding environments where Defender XDR has been deployed. The onboarding guide for the XDR module can be found here. When the XDR module is deployed, the following ContraForce features are not available:

  • SIEM Incidents
  • Sentinel Advanced Threat Hunting
  • Data Connectors
    • Note that the Data Connectors page will not show any data connectors for an XDR workspace, as shown below.

XDR Module Notifications

Email notifications will not be generated by ContraForce for new incidents in the Defender XDR Module. Email notifications will be sent for Gamebook runs in ContraForce. Deployment of ContraForce will not interrupt the existing Defender notification configuration. More information about ContraForce notifications can be found here.

ContraForce XDR + SIEM Module

The ContraForce XDR + SIEM module expands on the XDR module: it includes the XDR module as well as support for Microsoft Sentinel and QRadar, as shown in the screenshot below.

The onboarding guide for Microsoft Sentinel can be found here.

The onboarding guide for QRadar can be found here.

Onboarding an XDR + SIEM module unlocks the functionality of the XDR + SIEM Incidents and Sentinel Advanced Threat Hunting pages. Additionally, onboarding an XDR + SIEM module allows the user to customize notifications by severity per client, as shown in the screenshot below.

If you have any questions about the modules deployed by ContraForce, please feel free to contact us at support@contraforce.com.