Microsoft Defender Capability Matrix

This Knowledge Base article describes the features and capabilities of the ContraForce Security Service Delivery Platform for Microsoft Defender Products.

✓ Capability exists

✓(#) Capability exists but has dependencies

	Business Premium	Enterprise E3	Enterprise E5
Incident Investigation
Incident Management
Bi-directional streaming of incidents	✓	✓	✓
Fetching incident entities	✓	✓	✓
Fetching incident evidence (logs)	✓	✓	✓
Incident alert timelines	✓	✓	✓
Incident investigation audit	✓	✓	✓
Entity Enrichment and Triage
Related incident search	✓	✓	✓
User insights
Sign-in logs	✓(1)	✓(1)	✓(1)
Audit logs	✓(1)	✓(1)	✓(1)
Entra ID profile	✓(1)	✓(1)	✓(1)
IP address insights
Sign-in log activity	✓(2)	✓(2)	✓(2)
Related incidents	✓(3)	✓(3)	✓
Device Insights
Timeline	✓(3)	✓(3)	✓
Related incidents	✓(3)	✓(3)	✓
Device info	✓	✓	✓
Email insights
Related incidents	✓	✓	✓
Email info	✓(3)	✓(3)	✓
File insights
Related incidents	✓	✓	✓
File info	✓	✓	✓
URL insights
Related incidents	✓	✓	✓
URL info	✓(3)	✓(3)	✓
Log Search
Log search	✓(3)	✓(3)	✓
Endpoint Management
View device list	✓	✓	✓
View device info	✓	✓	✓
Response and Case Management
Gamebooks
Endpoint
Isolate endpoint	✓	✓	✓
Anti-virus scan of endpoint	✓	✓	✓
Remove from isolation	✓	✓	✓
File
Quarantine file	✓	✓	✓
User
Invalidate existing sessions	✓(1)	✓(1)	✓(1)
Reset user password	✓(1)	✓(1)	✓(1)
Lock out user	✓(1)	✓(1)	✓(1)
Unlock user	✓(1)	✓(1)	✓(1)
IP Address
Block IP (from Azure Network Security Group)	-	-	-
Email
Soft delete email	✓(4)	✓(4)	✓(4)

Requires that Microsoft Entra ID is connected to the ContraForce Platform.
Requires that Microsoft Sentinel is enabled and connected to the ContraForce Platform.
Requires Microsoft Defender for Endpoint Plan 2 add-on.
Requires Microsoft 365 Exchange license.