ContraForce Incident Response Actions

ContraForce lets users perform incident response actions directly in the ContraForce Portal through the use of Gamebooks. A description of each action is provided below.

In ContraForce, 8 different response actions are available. Which actions are available depends on the selected entity type. The entity types are:

  • User
  • Endpoint
  • Network

A description of each incident response action is below: 

  • Lockout User
    • This playbook disables a user’s account and prevents them from signing in. 
  • Reset User Password
    • This playbook prevents a user from generating new sign-ins without first resetting their password during their next sign-in attempt. The temporary password for the selected user/entity will be in the Comments section of the incident.
      • A Reset Password playbook cannot be executed on a locked-out/disabled user. The Reset Password playbook should be run before the Lockout User playbook.
  • Invalidate Existing Sessions
    • This playbook ends a user’s signed-in sessions, preventing the authorization of additional actions associated with those sessions.
  • Isolate Endpoint
    • This playbook disables an endpoint's external networking capabilities.
  • Scan Endpoint
    • This playbook triggers an anti-virus scan on an endpoint.
  • Acknowledge Response
    • This playbook updates an incident, adding a comment containing a timestamp and the username of the user who executed the playbook.
  • Quarantine File
    • This playbook stops a file from being used by other programs and deletes it.
  • Block IP
    • This playbook updates a firewall’s rules to block network traffic from a specific IP address.

By default, a Gamebook will include one incident response action. If you wish to edit a Gamebook, click "Edit." This will open the ContraForce Security Workbench where Gamebooks can be customized.