ContraForce Incident Response Actions

ContraForce provides the user the ability to perform incident response actions directly in the ContraForce Portal through the use of Gamebooks. A description of each action is provided below.

In ContraForce, 8 different response actions are available to be used. The actions available depend on the selected entity type. Then entity types are: 

• User
• Endpoint
• Network

A description of each incident response action is below: 

• Lockout User
  • This playbook disables a user’s account and prevents them from signing in. 
• Reset User Password
  • This playbook prevents a user from generating new sign ins without first resetting their password during their next sign in attempt. The temporary password for the selected user/entity will be in the Comments section of the incident. 
    • A Reset Password playbook cannot be executed on a locked out/disabled user. The Reset Password playbook should be run before the Lockout User playbook.

• Invalidate Existing Sessions
  • This playbook ends a user’s signed in sessions, preventing the authorization of additional actions associated with those sessions
• Isolate Endpoint
  • This playbook disables an endpoint's external networking capabilities.
• Scan Endpoint
  • This playbook triggers an anti-virus scan on an endpoint.
• Acknowledge Response
  • This playbook updates an incident, adding a comment containing a timestamp and the username of the user who executed the playbook.
• Quarantine File
  • This playbook stops a file from being used by other programs and deletes it.
• Block IP
  • This playbook updates a firewall’s rules to block network traffic from a specific IP address.

By default, a Gamebook will include one incident response action. If you wish to edit a Gamebook, click "Edit." This will open the ContraForce Security Workbench where Gamebooks can be customized.