ContraForce Release Notes

With each product release, we document changes to the ContraForce Portal. Product releases can include bug fixes, new features, and performance related improvements. We will send an email each time indicating a new release has occurred.

Release Notes: 

May 9, 2025

This release introduces focused enhancements aimed at refining user experience and system usability. Updates include an enhanced device timeline for improved incident context, integrated log search functionality directly within the incident detail page, dynamic adjustment of audit and sign-in log tables based on dock height, and a crucial fix addressing schema detection issues within the Monaco editor. If you have any questions, please contact us at support@contraforce.com.

New Feature(s)

• Added Log Search capability within Incident Detail Pages.

UI Enhancements

• Improved Device Timeline

• Dynamic adjustment of Audit and Sign-in log table heights.

Bug Fix

• Monaco Editor schema detection when switching workspace

Apr 25, 2025

This release introduces powerful enhancements to streamline security operations and improve user efficiency. The Log Search experience has been upgraded with a unified page, allowing analysts to seamlessly query both Microsoft Sentinel and Defender data from a single interface. Users can now easily toggle between modules per workspace using a new dropdown selector and export query results directly to CSV for reporting and collaboration purposes.

Additionally, onboarding Microsoft Sentinel has been enhanced with automated scanning of connected data sources. Upon integration, ContraForce will now detect and display supported data sources within the CMS Analytics page, giving users immediate visibility into their logging environment and improving detection content management.

UI & Performance Enhancements

• Enhanced Log Search Page

  • Unified log search page

  • Dropdown shows sentinel and defender module option for each supported workspace

  • Export results from query to cvs

• Scanning Data Sources from Microsoft Sentinel

  • Onboarding Microsoft Sentinel will now scan connected data sources and display supported data sources in our CMS analytics page

April 18, 2025 

This release brings a comprehensive set of updates focused on enhancing system stability, performance, and user experience. Key improvements include entity insights data, bug fixes for error handling, UI enhancements for a more intuitive interface, performance optimizations, and strengthened security measures. A significant highlight is the new Jira Service Desk (JSD) integration, providing streamlined ticket management and synchronization capabilities.

New Features

• Added comprehensive support for Jira Service Desk, including ticket creation, synchronization, linking, comments management, and enhanced response handling.

UI & Performance Enhancements

• Implemented IAM assignment change tracking for improved data consistency.
• Added validation logic to the detection module.
• Enhanced browser routing and deep-linking capabilities with right-click support.
• Set default behavior to fetch new and active incidents.
• Improved email property handling, defaulting to UPN if email is null.
• Updated AutoTask module to automatically sync configuration upon addition.
• Integrated real-time updates for ServiceNow tickets within the UI.
• Improved Autotask API response handling to manage null values effectively.
• Enabled the create button for gamebooks after execution.
• Optimized logic for deleting email search parameters.

Bug Fixes & Resolutions

• Fixed Email Entity Insights KQL query errors.
• Resolved issues causing gamebooks to hang.
• Corrected RBAC linkage issues affecting gamebook activities like Retry/Approve.
• Addressed a bug causing gamebook history not to update for new accounts.
• Fixed error occurring when canceling wizards in the Security Modules page.
• Prevented Ticketing tab from appearing in incidents when ITSM is not configured.
• Corrected errors when creating tickets without user information.
• Resolved urgency field and service ticket form layout issues in ServiceNow.
• Fixed the inability to bulk-update incidents.
• Corrected "Audit Logs" error when selecting "Load More."
• Validated and corrected links in Apollo email notifications for gamebook approvals.
• Addressed loading issues with CrowdStrike incident details.
• Fixed ownership assignment bugs in Defender incidents.
• Improved resizing behavior for audit logs, sign-in logs tables, and evidence tabs.

Feb 27, 2025

This release brings a comprehensive set of updates focused on enhancing system stability, performance, and user experience. Key improvements include defender for endpoint alert process tree, bug fixes for error handling, UI enhancements for a more intuitive interface, performance optimizations, and strengthened security measures.

Improvements

• Process tree for Defender XDR alerts shows tree for multiple alerts

• Updated the process tree so that clicking a node properly aligns its title, content, and clickable areas.

• Added a copy button for the email subject in insights.

• Displayed group and role details in user insights.

• Removed extra action buttons from the endpoint details modal.

• Minimize button icon and enabled auto-maximization for investigation canvas.

• Enabled the minimize dock view feature.

• Enhanced the device timeline display by adding UTC conversion for local times.

Bugs

• Fixed an error that caused exceptions when an account was not found.

• Resolved spacing and fixed-height issues in the device timeline.

• Corrected deprecated MudSwitch attribute warnings.

• Resolved issues in the Notifications tab.

• Fixed data mismatches in Defender incidents.

• Corrected tree view labels on the Advanced Hunting page.

• Resolved incident closing status errors.

Security & Validation

• Upgraded vulnerable and deprecated packages—including a migration to MudBlazor v8.0.

• Added assignment validation when editing Workspace Groups and during group assignment.

• Implemented enhanced exception handling for Defender XDR incident errors.

Jan 31, 2025

This release contains some reported bugs from our users and a few improvements.

Improvements

• Unified Incidents Page

  • The incidents table found in the command page now has the filter for source.

  • The ContraForce platform now has unified incidents page

Bugs

• Workspace Owner Assignment - Preonboarding

  • The user that preonboards a customer workspace will be added to the workspace as Owner

• Workspace Module Validation Post Onboarding

  • Validation checks are now executed when the onboarding finished

• CMS UI Rule Deployment Bug

  • A spinning wheel wouldn't go away after a successful rule deployment.

• Investigation Canvas UI error

  • Errors occur when opening investigation canvas

• Related Incidents query for Defender XDR incidents

  • Updated query to fetch related incidents for a specific entity in a Defender XDR incident.

• User Feedback

  • Tabs for entity types when an incident a lot of entities

  • The number of alerts in alert attack activity title

  • The subject of the email insights.

• Group membership validation

  • Workspace role assignment with groups issues resolved.

Dec 13, 2024

This release contains Crowdstrike Gamebooks and some reported bugs from our users.

If you have any questions, please feel free to contact us at support@contraforce.com.

New

• Crowdstrike Gamebooks: improving our current integration

  • Scan Endpoint: users will be able to target and scan a specific endpoint with a gamebook action through Crowdstrike

  • Isolate Endpoint: users will be able to target and isolate a specific endpoint with a gamebook action through Crowdstrike

Bugs

• Add/Update user error fix: there were issues when adding/updating users in the user management tab. this release fixes the inconsistencies

Dec 7, 2024

This release includes updates to provide user management across multiple workspaces and the ability to add multiple tenants to an end-customer tenant. Additionally, this release includes our ServiceNow integration for ticket management and association to incidents in ContraForce..

New

• ContraForce IAM - This feature includes some powerful user management and access functionality. This will enable organization/user administrators to grant access to users in desired workspaces.

  • Organization roles

    • Organization Admin

    • User Admin

    • Workspace Admin

    • Org Member

  • Workspace roles

    • Workspace Owner

    • Workspace Content Admin

    • Incident Responder

    • Incident Analyst

• ServiceNow Ticket Management - this integration will now allow users to create/associate and manage tickets that is connected to their organizations ServiceNow instance

Sep 9, 2024

This release includes our improved IP address entity insights

If you have any questions, please feel free to contact us at support@contraforce.com.

Improvements

• ContraForce Insights now supports IP address entity

  • for every IP address that appears as an entity in a ContraForce incident, ContraForce Insights will pull in signin logs from that IP address and will show if the signins are from a registered device

September 3rd, 2024

This release includes our new detection module SentinelOne. This includes gamebook actions for assets (endpoints) registered in SentinelOne

If you have any questions, please feel free to contact us at support@contraforce.com.

New

• SentinelOne Integration

  • Threats (incidents) are now available in the ContraForce platform

  • Gamebook actions availble to SentinelOne

    • Disconnect from network (isolate endpoint gamebook)

    • Reconnect to network (unisolate endpoint gamebook)

    • Initiate scan (scan endpoint gamebook)

Improvements

• New and improved nav bar menu. This will help users navigate the platform in a better way.

Bug fixes

• n/a

August 2, 2024

This release includes our new detection module Splunk. This will be a beta release of Splunk and will role out enhancements over time.

If you have any questions about version 2024.08.02 please feel free to contact us at support@contraforce.com.

New

• CalVer versioning system is going to be used from now on

• Splunk Module (Beta) - Splunk notable events will be now visible as a ContraForce incident in the platform. Features include:

  • Assign users to notable events

  • Change notable event status

  • filtering notable events by title, severity, status and time

  • Entities and alert timelines are only supported in Splunk notable events when Microsoft Defender logs are present

Improvements

• n/a

Bug fixes

• CSS bugfix with gamebook queue in incident detail page

July 15, 2024

This release includes the launch of the UIE 2.0 and Service Provider Onboarding.

New

• Unified Investigation Experience (UIE) 2.0 is now available in production. This release standardized an investigation of an incident for a user in the ContraForce platform. Every incident, regardless of source (SIEM or XDR), will have ContraForce insights and enriched entities available in the incident detail view and gamebook workbench.

  • For User/Account entity, sign-in and audit logs are displayed in a table with a time filter option

  • For IP Address entity, ContraForce specific insights are displayed in the insights tab

  • Related incidents tab shows a related incident feed that shows an incident investigation audit with incident closing comment (if incident is closed)

• Service Provider Onboarding has enabled service providers to get started and pre-onboard their customers faster than ever. In a few steps, service providers can connect their ticketing system (AutoTask), add users, and pre-onboard customers before they get to the main ContraForce platform.

Improvements

• New quick link buttons in incident table

  • Gamepad button - takes you straight to desired incident gamebook workbench

  • Expand button - takes you straight to the incident detail

Bug fixes

• n/a

June 4th, 2024

This release includes the launch of the Email Gamebook Actions and Microsoft Entra ID SIgn-in logs.

New

• General availability of Email Gamebook actions. The email gamebook actions allows users to remove specific emails from an inbox when phishing or malicious activity is suspected. This is the first action that we are making available related to email. More to come in the future.

• Microsoft Entra ID sign-in logs for an account entity in gamebook workbench

  • In the gamebook workbench, you can now click on an Account entity and it will fetch sign-in logs from Microsoft Entra ID. This will only fetch sign-in logs from that account entity if the user exist in the specific Microsoft Entra ID tenant.

Improvements

• Incident caching

  • this allows the incident data to be cached temporarily so that the incident data doesn’t have to be fetched again. This has increased efficiency and load times of the portal.

Bug fixes

• Bulk update for incidents bug fix

  • Bulk update would not successfully send the request to change/update the incident from the command page

• Consenting gamebook modules from gamebooks workbench redirect bugfix

  • When consenting a gamebook module from the gamebook workbench, the redirecting from Microsoft Identity Platform to the ContraForce Platform would cut off the redirect link and cause the incident entities/information to not be present in the gamebook workbench page.

April 26th, 2024

This release includes the launch of the Autotask workspace module. It is the first of our series of ITSM integrations.

New

• General availability of the Autotask workspace ITSM module. Connecting this module allows creating, linking, and managing Autotask tickets to ContraForce Incidents in the ContraForce platform

Improvements

• Updated data mapping for QRadar offense data in the ContraForce incident modal

• Optimized multitenancy data flow for service provider accounts

Bug fixes

• Corrected CrowdStrike Falcon XDR workspace module labels.

April 3rd, 2024

This release includes the launch of the CrowdStrike Falcon XDR Workspace module.

New

• General availability of the CrowdStrike Falcon XDR Workspace module. Connecting this module to a workspace allows for CrowdStrike Falcon XDR incidents to be managed in ContraForce

Improvements

• Updated onboarding flow to allow for onboarding a workspace without connecting an incident source

Bug fixes

• Resolves issue with Command page incident severity filtering

March 11th, 2024

This release includes several new features, including: the IBM QRadar Workspace module; consolidation of our SIEM incident sources into its own page and XDR incident sources into its own page; and a new workspace onboarding flow.

New

• General availability of the IBM QRadar Workspace Module. Connecting this module to a workspace allows for IBM QRadar offenses to be managed as incidents in ContraForce.

• General availability of the SIEM Incidents page for management of aggregated incidents across all SIEM incident sources

• General availability of the XDR Incidents page for management of aggregated incidents across all XDR incident sources

• General availability of the workspace onboarding flow to support pre-configuring which modules additional workspaces can configure during onboarding

Improvements

• Updated workspaces page that enables a user to manage the configuration of their workspace modules and enterprise application permissions

• Updated interface for the Endpoints page

• Graceful handling of unsupported incident management flows

• Automated comments on Defender XDR Incident management actions

• Microsoft Defender XDR Account Gamebook coverage enhancements

December 4th, 2023

This release includes several new features, as well as significant improvements to the architecture of the ContraForce applications. These include Portal support for the Microsoft Defender incident source, Advanced Hunting for both Microsoft Sentinel and Microsoft Defender, and a distributed service principal application deployment.

New

• General availability of the Microsoft Defender Incidents page in both global and single-tenant contexts. This page provides a dedicated Portal interface for managing Microsoft Defender incidents, including their ownership, status, and comments.

• General availability of the Microsoft Sentinel Incidents page in both global and single-tenant contexts. This page provides a dedicated Portal interface for managing a connected workspace’s Microsoft Sentinel incidents.
• General availability of the Microsoft Defender Advanced Hunting page in both global and single-tenant contexts. This page empowers users to hunt for deeper event context by directly querying Defender's raw data with KQL. Query editor interface provides real-time IntelliSense autosuggest and workspace schema tree visibility for accelerating query writing.
• General availability of the Microsoft Sentinel Advanced Hunting page in both global and single-tenant contexts. This Portal page empowers users to hunt for deeper event context by directly querying their Microsoft Sentinel workspace(s) with KQL. Query editor interface provides real-time IntelliSense autosuggest and workspace schema tree visibility for accelerated query writing.

Improvements

• Automated post-onboarding downgrade of subscription-scoped Azure RBAC Owner Role for ContraForce API service principal
• Distributed application permissions across multiple service principals designed for least-privilege access

August 5th, 2023

This release includes major features for the ContraForce portal, including the "Bring your own Sentinel" deployment model and support for multi-tenant management. Additionally, the ContraForce API has been made available for use by service providers. 

New

• General availability of the Gamebooks History page into the Portal. This page provides users the ability to manage Gamebook requests, as well as view any gamebook actions that have been run by the organization in the ContraForce portal. The status of each gamebook, the associated incident, and the entity each Action operates on are shown. Only users with the appropriate ContraForce permissions can grant approval for Gamebook Actions that require it.
• General availability of the ContraForce API. The ContraForce API empowers service providers to leverage ContraForce functionality in their own incident automation and service workflows. Users can list and query for their organization's incidents, as well as retrieve the evidence, entities, and detail data associated with any specific incident.
  • ContraForce API GitHub
• General availability of the Bring Your Own Sentinel deployment method. This capability enables organizations to augment and optimize an existing Sentinel environment with the Gamebooks, Data Connectors, and Security Engineering on Demand that ContraForce's hyperautomated security platform provides.
• General availability of the Managed Tenants Settings page. This capability gives service providers a self-service method to onboard additional customer Azure tenants into ContraForce. When a user with the appropriate RBAC permissions uses the service provider's ContraForce onboarding link, the customer’s Azure environment will automatically be linked to the service provider’s, allowing a service provider to manage delivery of security outcomes rapidly and effectively.
• General availability of related incidents per entity. When viewing an incident entity in ContraForce, all incidents related to that entity are shown to help the user understand where that entity may also demonstrate suspicious activity in their environment.
• General availability of threat intelligence into ContraForce using Virus Total. For entities associated with an incident, any flags of the entity on Virus Total are shown to help the user validate the reputation of a selected entity. 
• General availability of the Global Command page. The Global Command page empowers service providers to monitor and respond to incidents for all their customers through a single pane of glass. The Global Command page features:
  • An Incident Tracker table that displays aggregate and per-workspace incident metrics
  • A Data Connector Anomalies card that provides visibility when a workspace's data connector has an anomalous ingestion gap
  • A Workspaces dropdown that enables users to dynamically select which of their onboarded workspaces to include in the Global Command page
  • An aggregate incident table showing all open or active incidents to enable collaborative incident response and case management at scale

Improvements

• Workbench Actions that require administrative approval display a red padlock

• Gamebook Workbench navigation and display enhancements
• Ability to switch between multiple incidents using tabs on the incident summary page

Bug Fixes

• Ensure sufficient permissions for successful deployment of resources with Azure RBAC Subscription 'Owner' onboarding check

April 17, 2023

This release included backend infrastructure improvements, and updates to the Command page in ContraForce. 

New

• Email notifications can be customized by incident severity.
• Permissions can now be enabled for Gamebook actions from the Settings page. Consenting gamebooks permissions allows ContraForce to deploy remediation actions to affected incident entities. 
• On the Command page, multiple incidents can be selected and the incident status can be managed in bulk.   

Improvements

• The backend deployment infrastructure of ContraForce onboarding has been optimized to decrease deployment time.
• The Incidents page was removed a data cards from the Incidents page was integrated into the Command page. Various data cards on the Command page were also removed resulting in a more-streamlined incident management dashboard.  

Bug Fixes

• Spelling corrections for various elements throughout the ContraForce portal 

September 1st, 2022

This release includes the launch of One-Click Response and Gamebooks. With One-Click Response and Gamebooks, IT professionals can manage full-lifecycle security operations from a single interface with a single click. The addition of this capability further advances ContraForce's mission to make cybersecurity easy, affordable, and accessible. 

New

• One-Click Response is available for medium and high severity incidents. 
  • 8 Playbooks are available for One-Click Response. The playbooks can be combined together to create a Gamebook. Gamebooks allow users to respond to incidents with multiple actions using just a single click. 
    • Lockout User
      • This playbook disables a user’s account and prevents them from signing in. 
    • Reset User Password
      • This playbook prevents a user from generating new sign ins without first resetting their password during their next sign in attempt.
    • Invalidate Existing Sessions
      • This playbook ends a user’s signed in sessions, preventing the authorization of additional actions associated with those sessions
    • Isolate Endpoint
      • This playbook disables an endpoint's external networking capabilities.
    • Scan Endpoint
      • This playbook triggers an anti-virus scan on an endpoint.
    • Acknowledge Response
      • This playbook updates an incident, adding a comment containing a timestamp and the username of the user who executed the playbook.
    • Quarantine File
      • This playbook stops a file from being used by other programs and deletes it.
    • Block IP
      • This playbook updates a firewall’s rules to block network traffic from a specific IP address.

• On the Command Page, the Needs Attention table has an Action column. When an incident with One-Click response is available, a Respond button is shown. 
  
  • Clicking Add to Gamebook or Go to Gamebook will direct the user to the Investigate page. This is where different playbooks can be combined to create Gamebooks.
  • Playbooks are added to a Gamebook by clicking the green plus (+) sign button. They are removed by clicking red minus (-) sign. 
• For Medium and High severity incidents, email notifications will include a Respond and a Launch Portal button.
• Once a One-Click response has been performed, the user receives a confirmation message and are returned to the incident detail page.
• If a One-Click Response fails, a Run Again message will be shown or you will have the option to contact the ContraForce team.

Improvements

• Onboarding Welcome page fields have been streamlined to require less input from the user to start the onboarding process.
• Error messaging and handling has been improved throughout the onboarding flow.  

Bug Fixes

• Fixes to the security infrastructure deployment during the onboarding process.  

April 12th, 2022

Today, we are thrilled to announce the general availability of Self-Service Onboarding, Subscription Plans, Billing Management, and the Data Sources management page.  We have seen tremendous growth and interest after 12-months of early access in the market. With today’s release, ContraForce has the ability to bring enterprise-scale cybersecurity to small and medium businesses.

• Self-Service Onboarding

  • Customers can register, subscribe, and connect security supported data sources completely on their own using a self-service flow.

• New Subscription Plans and Billing Management
  • We now support 4 new subscriptions plans that can be reviewed in the Subscription tab of the Settings page.
    • Freemium Forever, Priority Zero, Priority Cloud, and Priority Network
    • Existing customers will be automatically grandfathered into their current corresponding subscription plan.
• Billing Management
  • New customers can now manage their subscription payment method in the Billing tab of the Settings page.
• Data Sources Management
  • Users can now add, edit, and remove data sources connected to ContraForce.

Improvements

• Time Filter selection is now persistent across all pages in ContraForce.
  • Time filter updates will now trigger an automatic data refresh on the selected page without needing to click the data refresh icon.
  • The data refresh icon can still be used to refresh fetched data at any time or as needed.
• Users can now search for ContraForce users in the User Management tab of the Settings page.

• Updated Missing Investigation Graph Icons.
• Improved client side error handling.
• Browser card sizing issues addressed.

• • Minor bug fixes throughout the ContraForce Portal.

February 2nd, 2022

This release focused on UI improvements and performance optimization for the ContraForce Portal. A new sorting feature was added to the Endpoint page.

• On the Endpoints page, the Endpoint Inventory table can now be sorted by “Device Name.”

• Performance optimization for back-end servers.

• Minor UI improvements throughout the ContraForce Portal.

• Minor bug fixes throughout the ContraForce Portal.

October 29th, 2021

This release focused on implementing support request functionality into the ContraForce Portal. Additional performance improvements were also made.

• From any page within the ContraForce Portal, users can now submit a ticket directly to our Support Team. On the bottom right of a page within the ContraForce Portal, there is a “Contact Support” widget. It will prompt the user to ask what type of assistance is needed. From here any relevant support documentation will populate. Alternatively, there will be a support option where details about the issue can be added and submitted for review by our Support Team.

• On the Incidents page the response time of the Incidents table when viewing a large amount of incidents has improved. This is common when using the 14 or 28 day time period. At the bottom of the table there is now a “Load More” button. By clicking “Load More” an additional 50 incidents will be loaded per click resulting in a much quicker review experience.

• Minor UI improvements to cards on various portal pages.

October 1st, 2021

This release was focused on bug fixes related to the last product release (1.1).

• The Incident Response card on the Command page now shows correct incident values when the “Last 28 Days” timeframe has been selected.

• When hovering over the Cloud icon within the Incident Response card on the Command page, the total amount of incidents shown is correct.

• The count of incidents shown on the Incidents page will match the data shown on the Command page.

September 21st, 2021

Our team is very excited about the 1.1 release! This release was heavily driven by customer feedback. First, you will notice the portal has a new look! Second, you will notice that some pages have been removed. Don’t fret, these pages are not gone forever. Our Development Team will be heavily focusing on these pages to improve the functionality over the coming months. Our goal is to provide our users with effective fully functional tools, and we look forward to showing the new versions of these pages when they are ready.

• The portal has a new look!

  • Now following industry standard by implementing material design for all portal pages.

• On the Navigation bar, the tabs for the Compliance, Profiles, Training and Marketplace pages have been removed.

• Command Page

  • The labeling and layout of cards on the Command page has been simplified to provide a better overview from the Command page. For an overview on the functionality of each of these cards, please visit the Command Page Overview documentation.

    • Open Incidents has changed to Incident Response

    • Critical and High Severity Incidents has changed to High Severity Incidents

    • Incidents Severity has changed to Open Incidents

    • Alerts has changed to Current Alerts

    • MITRE ATT&CK Alert Map has changed to MITRE ATT&CK Threat Detectors

    • Security Events By Source is unchanged

  • Ticketing, Data Source Misconfigurations, and Open Versus Closed Tickets have all been removed from the Command Page.

• Incidents Page

  • The Investigate page has been renamed to Incidents. For an overview on the functionality of each of the cards on the Incidents page, please visit the Incidents Page Overview documentation. The new cards on this page provide the user with data to assist with investigations and incident management.

• Endpoints Page

  • This page is largely the same.

• Settings Page

  • We have removed all functionality except the ability to add and remove Roles assigned to users within the portal.

• The load times of the portal are twice as fast as the previous version.