ContraForce Release Notes

With each product release, we document changes to the ContraForce Portal. Product releases can include bug fixes, new features, and performance related improvements. We will send an email each time indicating a new release has occurred.

Version 2.0.1

March 11th, 2024

This release includes several new features, including: the IBM QRadar Workspace module; consolidation of our SIEM incident sources into its own page and XDR incident sources into its own page; and a new workspace onboarding flow.

If you have any questions about version 2.0.1 please feel free to contact us at


  • General availability of the IBM QRadar Workspace Module. Connecting this module to a workspace allows for IBM QRadar offenses to be managed as incidents in ContraForce.

  • General availability of the SIEM Incidents page for management of aggregated incidents across all SIEM incident sources

  • General availability of the XDR Incidents page for management of aggregated incidents across all XDR incident sources

  • General availability of the workspace onboarding flow to support pre-configuring which modules additional workspaces can configure during onboarding


  • Updated workspaces page that enables a user to manage the configuration of their workspace modules and enterprise application permissions

  • Updated interface for the Endpoints page

  • Graceful handling of unsupported incident management flows

  • Automated comments on Defender XDR Incident management actions

  • Microsoft Defender XDR Account Gamebook coverage enhancements

Version 2.0.0

December 4th, 2023

This release includes several new features, as well as significant improvements to the architecture of the ContraForce applications. These include Portal support for the Microsoft Defender incident source, Advanced Hunting for both Microsoft Sentinel and Microsoft Defender, and a distributed service principal application deployment.


  • General availability of the Microsoft Defender Incidents page in both global and single-tenant contexts. This page provides a dedicated Portal interface for managing Microsoft Defender incidents, including their ownership, status, and comments.
  • General availability of the Microsoft Sentinel Incidents page in both global and single-tenant contexts. This page provides a dedicated Portal interface for managing a connected workspace’s Microsoft Sentinel incidents.
  • General availability of the Microsoft Defender Advanced Hunting page in both global and single-tenant contexts. This page empowers users to hunt for deeper event context by directly querying Defender's raw data with KQL. Query editor interface provides real-time IntelliSense autosuggest and workspace schema tree visibility for accelerating query writing.
  • General availability of the Microsoft Sentinel Advanced Hunting page in both global and single-tenant contexts. This Portal page empowers users to hunt for deeper event context by directly querying their Microsoft Sentinel workspace(s) with KQL. Query editor interface provides real-time IntelliSense autosuggest and workspace schema tree visibility for accelerated query writing.


  • Automated post-onboarding downgrade of subscription-scoped Azure RBAC Owner Role for ContraForce API service principal
  • Distributed application permissions across multiple service principals designed for least-privilege access

Version 1.5.0

August 5th, 2023

This release includes major features for the ContraForce portal, including the "Bring your own Sentinel" deployment model and support for multi-tenant management. Additionally, the ContraForce API has been made available for use by service providers. 


  • General availability of the Gamebooks History page into the Portal. This page provides users the ability to manage Gamebook requests, as well as view any gamebook actions that have been run by the organization in the ContraForce portal. The status of each gamebook, the associated incident, and the entity each Action operates on are shown. Only users with the appropriate ContraForce permissions can grant approval for Gamebook Actions that require it.
  • General availability of the ContraForce API. The ContraForce API empowers service providers to leverage ContraForce functionality in their own incident automation and service workflows. Users can list and query for their organization's incidents, as well as retrieve the evidence, entities, and detail data associated with any specific incident.
  • General availability of the Bring Your Own Sentinel deployment method. This capability enables organizations to augment and optimize an existing Sentinel environment with the Gamebooks, Data Connectors, and Security Engineering on Demand that ContraForce's hyperautomated security platform provides.
  • General availability of the Managed Tenants Settings page. This capability gives service providers a self-service method to onboard additional customer Azure tenants into ContraForce. When a user with the appropriate RBAC permissions uses the service provider's ContraForce onboarding link, the customer’s Azure environment will automatically be linked to the service provider’s, allowing a service provider to manage delivery of security outcomes rapidly and effectively.
  • General availability of related incidents per entity. When viewing an incident entity in ContraForce, all incidents related to that entity are shown to help the user understand where that entity may also demonstrate suspicious activity in their environment.
  • General availability of threat intelligence into ContraForce using Virus Total. For entities associated with an incident, any flags of the entity on Virus Total are shown to help the user validate the reputation of a selected entity. 
  • General availability of the Global Command page. The Global Command page empowers service providers to monitor and respond to incidents for all their customers through a single pane of glass. The Global Command page features:
    • An Incident Tracker table that displays aggregate and per-workspace incident metrics
    • A Data Connector Anomalies card that provides visibility when a workspace's data connector has an anomalous ingestion gap
    • A Workspaces dropdown that enables users to dynamically select which of their onboarded workspaces to include in the Global Command page
    • An aggregate incident table showing all open or active incidents to enable collaborative incident response and case management at scale


  • Workbench Actions that require administrative approval display a red padlock

  • Gamebook Workbench navigation and display enhancements
  • Ability to switch between multiple incidents using tabs on the incident summary page

Bug Fixes

  • Ensure sufficient permissions for successful deployment of resources with Azure RBAC Subscription 'Owner' onboarding check

Version 1.4.0

April 17, 2023

This release included backend infrastructure improvements, and updates to the Command page in ContraForce. 


  • Email notifications can be customized by incident severity.
  • Permissions can now be enabled for Gamebook actions from the Settings page. Consenting gamebooks permissions allows ContraForce to deploy remediation actions to affected incident entities. 
  • On the Command page, multiple incidents can be selected and the incident status can be managed in bulk.   


  • The backend deployment infrastructure of ContraForce onboarding has been optimized to decrease deployment time.
  • The Incidents page was removed a data cards from the Incidents page was integrated into the Command page. Various data cards on the Command page were also removed resulting in a more-streamlined incident management dashboard.  

Bug Fixes

  • Spelling corrections for various elements throughout the ContraForce portal 

Version 1.3.0

September 1st, 2022

This release includes the launch of One-Click Response and Gamebooks. With One-Click Response and Gamebooks, IT professionals can manage full-lifecycle security operations from a single interface with a single click. The addition of this capability further advances ContraForce's mission to make cybersecurity easy, affordable, and accessible. 


  • One-Click Response is available for medium and high severity incidents. 
    • 8 Playbooks are available for One-Click Response. The playbooks can be combined together to create a Gamebook. Gamebooks allow users to respond to incidents with multiple actions using just a single click. 
      • Lockout User
        • This playbook disables a user’s account and prevents them from signing in. 
      • Reset User Password
        • This playbook prevents a user from generating new sign ins without first resetting their password during their next sign in attempt.
      • Invalidate Existing Sessions
        • This playbook ends a user’s signed in sessions, preventing the authorization of additional actions associated with those sessions
      • Isolate Endpoint
        • This playbook disables an endpoint's external networking capabilities.
      • Scan Endpoint
        • This playbook triggers an anti-virus scan on an endpoint.
      • Acknowledge Response
        • This playbook updates an incident, adding a comment containing a timestamp and the username of the user who executed the playbook.
      • Quarantine File
        • This playbook stops a file from being used by other programs and deletes it.
      • Block IP
        • This playbook updates a firewall’s rules to block network traffic from a specific IP address.
  • On the Command Page, the Needs Attention table has an Action column. When an incident with One-Click response is available, a Respond button is shown. 
    • Clicking Add to Gamebook or Go to Gamebook will direct the user to the Investigate page. This is where different playbooks can be combined to create Gamebooks.
    • Playbooks are added to a Gamebook by clicking the green plus (+) sign button. They are removed by clicking red minus (-) sign. 
  • For Medium and High severity incidents, email notifications will include a Respond and a Launch Portal button.
  • Once a One-Click response has been performed, the user receives a confirmation message and are returned to the incident detail page.
  • If a One-Click Response fails, a Run Again message will be shown or you will have the option to contact the ContraForce team.


  • Onboarding Welcome page fields have been streamlined to require less input from the user to start the onboarding process.
  • Error messaging and handling has been improved throughout the onboarding flow.  

Bug Fixes

  • Fixes to the security infrastructure deployment during the onboarding process.   

Version 1.2.0

April 12th, 2022

Today, we are thrilled to announce the general availability of Self-Service Onboarding, Subscription Plans, Billing Management, and the Data Sources management page.  We have seen tremendous growth and interest after 12-months of early access in the market. With today’s release, ContraForce has the ability to bring enterprise-scale cybersecurity to small and medium businesses.


  • Self-Service Onboarding

    • Customers can register, subscribe, and connect security supported data sources completely on their own using a self-service flow.

If you wish to connect a data source but do not see it listed please submit a request to the ContraForce Support Team. We are more than happy to assist with any more detailed connections.

  • New Subscription Plans and Billing Management
    • We now support 4 new subscriptions plans that can be reviewed in the Subscription tab of the Settings page.
      • Freemium Forever, Priority Zero, Priority Cloud, and Priority Network
      • Existing customers will be automatically grandfathered into their current corresponding subscription plan.
  • Billing Management
    • New customers can now manage their subscription payment method in the Billing tab of the Settings page.
  • Data Sources Management
    • Users can now add, edit, and remove data sources connected to ContraForce.


  • Time Filter selection is now persistent across all pages in ContraForce.
    • Time filter updates will now trigger an automatic data refresh on the selected page without needing to click the data refresh icon.
    • The data refresh icon can still be used to refresh fetched data at any time or as needed.
  • Users can now search for ContraForce users in the User Management tab of the Settings page.

Bug Fixes

  • Updated Missing Investigation Graph Icons.
  • Improved client side error handling.
  • Browser card sizing issues addressed.
    • Minor bug fixes throughout the ContraForce Portal.

Version 1.1.3

February 2nd, 2022

This release focused on UI improvements and performance optimization for the ContraForce Portal. A new sorting feature was added to the Endpoint page.


  • On the Endpoints page, the Endpoint Inventory table can now be sorted by “Device Name.”


  • Performance optimization for back-end servers.

  • Minor UI improvements throughout the ContraForce Portal.

Bug Fixes

  • Minor bug fixes throughout the ContraForce Portal.

Version 1.1.2

October 29th, 2021

This release focused on implementing support request functionality into the ContraForce Portal. Additional performance improvements were also made.


  • From any page within the ContraForce Portal, users can now submit a ticket directly to our Support Team. On the bottom right of a page within the ContraForce Portal, there is a “Contact Support” widget. It will prompt the user to ask what type of assistance is needed. From here any relevant support documentation will populate. Alternatively, there will be a support option where details about the issue can be added and submitted for review by our Support Team.


  • On the Incidents page the response time of the Incidents table when viewing a large amount of incidents has improved. This is common when using the 14 or 28 day time period. At the bottom of the table there is now a “Load More” button. By clicking “Load More” an additional 50 incidents will be loaded per click resulting in a much quicker review experience.

  • Minor UI improvements to cards on various portal pages.

Version 1.1.1

October 1st, 2021

This release was focused on bug fixes related to the last product release (1.1).

Bug Fixes

  • The Incident Response card on the Command page now shows correct incident values when the “Last 28 Days” timeframe has been selected.

  • When hovering over the Cloud icon within the Incident Response card on the Command page, the total amount of incidents shown is correct.

  • The count of incidents shown on the Incidents page will match the data shown on the Command page.

Version 1.1.0

September 21st, 2021

Our team is very excited about the 1.1 release! This release was heavily driven by customer feedback. First, you will notice the portal has a new look! Second, you will notice that some pages have been removed. Don’t fret, these pages are not gone forever. Our Development Team will be heavily focusing on these pages to improve the functionality over the coming months. Our goal is to provide our users with effective fully functional tools, and we look forward to showing the new versions of these pages when they are ready.


  • The portal has a new look!

    • Now following industry standard by implementing material design for all portal pages.

  • On the Navigation bar, the tabs for the Compliance, Profiles, Training and Marketplace pages have been removed.

  • Command Page

    • The labeling and layout of cards on the Command page has been simplified to provide a better overview from the Command page. For an overview on the functionality of each of these cards, please visit the Command Page Overview documentation.

      • Open Incidents has changed to Incident Response

      • Critical and High Severity Incidents has changed to High Severity Incidents

      • Incidents Severity has changed to Open Incidents

      • Alerts has changed to Current Alerts

      • MITRE ATT&CK Alert Map has changed to MITRE ATT&CK Threat Detectors

      • Security Events By Source is unchanged

    • Ticketing, Data Source Misconfigurations, and Open Versus Closed Tickets have all been removed from the Command Page.

  • Incidents Page

    • The Investigate page has been renamed to Incidents. For an overview on the functionality of each of the cards on the Incidents page, please visit the Incidents Page Overview documentation. The new cards on this page provide the user with data to assist with investigations and incident management.

  • Endpoints Page

    • This page is largely the same.

  • Settings Page

    • We have removed all functionality except the ability to add and remove Roles assigned to users within the portal.


  • The load times of the portal are twice as fast as the previous version.