Estimated Time: A typical onboarding takes 30-60 minutes depending on module selection and environment complexity.
Before You Begin
Prerequisites Checklist
Ensure you have the following before starting:
Microsoft Credentials
Global Administrator access to the customer’s Microsoft 365 tenant. The consent steps grant tenant-wide admin consent to enterprise applications, which requires Global Administrator; a Security Administrator alone cannot complete them. Use a dedicated, MFA-protected admin account rather than a shared one, and review the permissions each application requests before accepting.
Licensing
Active Microsoft 365 license (Business Premium, E3, or E5) with Defender capabilities
ContraForce Access
Organization Admin or Admin role in ContraForce to create workspaces
Azure Access
Subscription Owner access to deploy Azure resources
Information to Gather
Collect this information from your customer before the onboarding call:
| Information | Required For | Example |
|---|---|---|
| Microsoft 365 tenant domain | All deployments | acmecorp.onmicrosoft.com |
| Global Admin credentials | Consent flow | [email protected] |
| Microsoft 365 license tier | Capability planning | E5, E3, Business Premium |
| Azure subscription ID | SIEM module only | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Sentinel workspace name | SIEM module only | acme-sentinel-workspace |
| Notification email | All deployments | [email protected] |
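The prerequisites and the table above can be turned into a repeatable check run before the call. The following PowerShell script is an added example, not ContraForce tooling: it verifies the tenant domain, looks for a Business Premium / E3 / E5 subscription, reports the directory roles of the account that will perform consent, and, for the SIEM module, checks Owner rights on the subscription and that the named workspace exists and has Sentinel enabled. It assumes the Microsoft.Graph and Az modules are installed and that sign-in is interactive; the domain, subscription ID and workspace name are the placeholders from the table, and the SKU part numbers are Microsoft’s for Business Premium (SPB), Microsoft 365 E3 (SPE_E3) and E5 (SPE_E5).

```powershell
# Added example, not ContraForce's tooling: verify onboarding prerequisites.
# Requires Microsoft.Graph (Authentication, Users, Identity.DirectoryManagement) and
# Az (Accounts, Resources, OperationalInsights). Sign-in is interactive.
param(
    [Parameter(Mandatory)] [string] $TenantDomain,   # e.g. acmecorp.onmicrosoft.com
    [string] $SubscriptionId,                         # SIEM module only
    [string] $SentinelWorkspaceName                   # SIEM module only
)

# --- Entra ID: tenant, licensing, and whether the signed-in account can grant admin consent
Connect-MgGraph -TenantId $TenantDomain -Scopes 'Directory.Read.All','Organization.Read.All' -NoWelcome

$verifiedDomains = (Get-MgDomain -All | Where-Object IsVerified).Id
if ($verifiedDomains -notcontains $TenantDomain) {
    Write-Warning "$TenantDomain is not a verified domain of the tenant you signed in to"
}

# SKU part numbers for the license tiers this page lists (assumption: extend the map if the
# customer holds Defender capabilities under a different SKU).
$defenderCapable = @{ SPB = 'Business Premium'; SPE_E3 = 'Microsoft 365 E3'; SPE_E5 = 'Microsoft 365 E5' }
$tiers = Get-MgSubscribedSku |
    Where-Object { $defenderCapable.ContainsKey($_.SkuPartNumber) -and $_.PrepaidUnits.Enabled -gt 0 }
if (-not $tiers) {
    Write-Warning 'No Business Premium / E3 / E5 subscription found; Defender capabilities may be unavailable'
}
$tiers | ForEach-Object {
    "License: $($defenderCapable[$_.SkuPartNumber]) ($($_.PrepaidUnits.Enabled) seats, $($_.ConsumedUnits) assigned)"
}

# Tenant-wide admin consent needs Global Administrator; Security Administrator alone cannot grant it.
# Only active role memberships are returned here, so a PIM-eligible role must be activated first.
$upn   = (Get-MgContext).Account
$user  = Get-MgUser -UserId $upn
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
"Directory roles of ${upn}: $($roles -join ', ')"
if ($roles -notcontains 'Global Administrator') {
    Write-Warning 'Account is not an active Global Administrator; consenting the ContraForce applications will fail'
}

# --- Azure (SIEM module only): Owner on the subscription and a Sentinel-enabled workspace
if ($SubscriptionId) {
    Connect-AzAccount -Tenant $TenantDomain -Subscription $SubscriptionId | Out-Null
    $acct  = (Get-AzContext).Account.Id
    $owner = Get-AzRoleAssignment -SignInName $acct -Scope "/subscriptions/$SubscriptionId" -ExpandPrincipalGroups |
        Where-Object RoleDefinitionName -eq 'Owner'
    if (-not $owner) {
        Write-Warning "$acct has no active Owner assignment on $SubscriptionId (activate PIM-eligible roles first)"
    }

    if ($SentinelWorkspaceName) {
        $ws = Get-AzOperationalInsightsWorkspace | Where-Object Name -eq $SentinelWorkspaceName
        if (-not $ws) {
            Write-Warning "Log Analytics workspace '$SentinelWorkspaceName' not found in subscription $SubscriptionId"
        } else {
            # Sentinel is enabled on a workspace when its SecurityInsights solution resource exists
            $sentinel = Get-AzResource -ResourceGroupName $ws.ResourceGroupName `
                -ResourceType 'Microsoft.OperationsManagement/solutions' `
                -Name "SecurityInsights($SentinelWorkspaceName)" -ErrorAction SilentlyContinue
            if ($sentinel) { "Sentinel workspace: $($ws.Name) in $($ws.ResourceGroupName) ($($ws.Location))" }
            else           { Write-Warning "'$SentinelWorkspaceName' exists but Microsoft Sentinel is not enabled on it" }
        }
    }
}
```

Run it as `.\Check-Prereqs.ps1 -TenantDomain acmecorp.onmicrosoft.com -SubscriptionId <id> -SentinelWorkspaceName acme-sentinel-workspace`; every warning it prints maps to a row in the troubleshooting table further down, so fixing them before the call removes the most common onboarding failures.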
Choose Your Module
ContraForce offers two detection and response modules, Microsoft Defender XDR and Microsoft Sentinel. Select based on your customer’s environment and your service offering.
Microsoft Defender XDR Module
Best for: Customers with Microsoft 365 Business Premium, E3, or E5 who want centralized incident management without Sentinel.
What’s Included:
- Incident ingestion from Microsoft Defender XDR
- Entity enrichment (users, devices, IPs, files, emails)
- Gamebook response actions
- Multi-tenant management
Microsoft Sentinel Module
Best for: Customers with an Azure subscription and a Microsoft Sentinel workspace (the SIEM module; see Information to Gather for what it requires).
What’s Included: Everything in the Defender XDR module, plus
- Microsoft Sentinel integration
- Content Management System (CMS)
- Microsoft Sentinel incident notifications
- Log search capabilities (KQL)
Module Comparison
| Capability | Defender XDR | Sentinel |
|---|---|---|
| Defender XDR incidents | ✓ | ✓ |
| Entity enrichment | ✓ | ✓ |
| Gamebook response actions | ✓ | ✓ |
| Multi-tenant management | ✓ | ✓ |
| Sentinel incidents | — | ✓ |
| Detection rules (CMS) | — | ✓ |
| Email notifications | — | ✓ |
| Log search | — | ✓ |
| Azure Lighthouse | — | ✓ |
Onboarding Process
Step-by-Step Overview
Create Customer Workspace
Create a new workspace in ContraForce for the customer. This establishes their isolated environment.
Where: Workspaces → Create Workspace
Launch Onboarding Wizard
Open the onboarding wizard from the workspace settings to begin the guided setup.
Where: Workspace → Settings → Onboarding Wizard
Consent Customer's Enterprise Applications
Sign in with customer Global Admin credentials to consent the ContraForce API and Portal applications.
Applications:
- ContraForce API
- ContraForce Portal
Consent Module Enterprise Applications
Consent additional enterprise applications required for the selected module.
Defender XDR Module:
- ContraForce for Microsoft Defender for Endpoint (MDE)
- ContraForce Gamebooks for Microsoft Defender for Endpoint
- ContraForce Gamebooks for Identity
- ContraForce Gamebooks for Email
Sentinel Module (in addition to the above):
- ContraForce Sentinel Hunting
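Consent is the point where the customer grants ContraForce application and delegated permissions in their tenant, so it is worth recording exactly what was granted and confirming every expected application exists (a missing one is the usual reason a module later shows “Not Configured”). The PowerShell below is an added example, not ContraForce tooling: it looks up the enterprise applications listed above by display name and prints the application permissions (app role assignments) and tenant-wide delegated grants each one holds. The display names are the ones on this page and the tenant domain is the placeholder from the Information to Gather table; if a name does not match exactly in the tenant, widen the prefix filter.

```powershell
# Added example, not ContraForce tooling: audit what the consented ContraForce
# enterprise applications can do in the customer tenant.
# Requires Microsoft.Graph.Applications; sign in with read access to the customer tenant.
Connect-MgGraph -TenantId 'acmecorp.onmicrosoft.com' `
    -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All' -NoWelcome

# Display names as listed on this page (assumption: they match the tenant exactly)
$expected = @(
    'ContraForce API',
    'ContraForce Portal',
    'ContraForce for Microsoft Defender for Endpoint (MDE)',
    'ContraForce Gamebooks for Microsoft Defender for Endpoint',
    'ContraForce Gamebooks for Identity',
    'ContraForce Gamebooks for Email',
    'ContraForce Sentinel Hunting'            # Sentinel module only
)

$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'ContraForce')" -All

# Cache of resource service principals (Microsoft Graph, Defender APIs, ...) so that
# permission IDs can be rendered as names.
$script:resourceCache = @{}
function Get-Resource([string] $Id) {
    if (-not $script:resourceCache.ContainsKey($Id)) {
        $script:resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $script:resourceCache[$Id]
}

foreach ($name in $expected) {
    $sp = $sps | Where-Object DisplayName -eq $name
    if (-not $sp) { Write-Warning "Not found: '$name' (consent step not completed, or name differs)"; continue }
    "== $name  appId=$($sp.AppId)  enabled=$($sp.AccountEnabled)"

    # Application permissions: app roles assigned to this service principal on a resource API.
    # These work without a signed-in user, so they are the ones to scrutinise most closely.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $res  = Get-Resource $a.ResourceId
        $role = $res.AppRoles | Where-Object Id -eq $a.AppRoleId
        "   application : $($res.DisplayName) / $($role.Value)"
    }

    # Delegated permissions: OAuth2 grants where this app is the client. ConsentType
    # 'AllPrincipals' is the tenant-wide admin consent the onboarding wizard performs.
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        $res = Get-Resource $g.ResourceId
        "   delegated   : $($res.DisplayName) / $($g.Scope.Trim()) [$($g.ConsentType)]"
    }
}
```

Keep the output with the customer’s onboarding record: it is the evidence of what the customer authorised, and re-running it after a re-consent makes any change in granted permissions visible.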
Configure Azure Resources (Sentinel Only)
For the Microsoft Sentinel module, deploy Azure resources including Lighthouse delegation and ContraForce’s Apollo (notification and queue engine) infrastructure.
Resources Deployed:
- Azure Lighthouse delegation
- Apollo resource group
- Logic Apps for incident streaming
Add Users and Groups
Assign your team members to the workspace with appropriate roles.
Recommended:
- Assign organization groups (SOC Tier 1, Tier 2, etc.)
- Add customer users if they need portal access
Configure Notifications
Set up email notifications for incident alerts (Sentinel module only).
Options:
- Configure severity filters
- Set up distribution group notifications
Detailed Guides by Module
Defender XDR Module Onboarding
XDR Deployment Guide
Complete step-by-step guide for Defender XDR module deployment
Defender XDR Enterprise Application
Permissions and consent details for Defender XDR module
Sentinel Module Onboarding
Sentinel Deployment Guide
Complete step-by-step guide for Sentinel module deployment
Azure Resources Reference
What gets deployed in Azure during onboarding
Post-Onboarding Configuration
CMS Onboarding
Deploy detection rules after Sentinel onboarding is complete
Notifications Setup
Configure email notifications based on incident severity for the Sentinel module
User and Access Setup
Adding Your Team
After onboarding the workspace, assign your team members:| Step | Action | Details |
|---|---|---|
| 1 | Navigate to workspace | Select the newly onboarded workspace |
| 2 | Open settings | Click the settings icon (gear or equalizer symbol) |
| 3 | Go to Users & Groups | Select the Users & Groups tab |
| 4 | Add organization groups | Assign groups like “SOC Tier 1” with appropriate roles |
| 5 | Verify access | Confirm team members can see the workspace |
Recommended Role Assignments
| Team Member | Workspace Role | Capabilities |
|---|---|---|
| SOC Manager | Admin | Full control including user management |
| Tier 2 Analyst | Incident Responder | Investigate and respond to incidents |
| Tier 1 Analyst | Incident Analyst | View and triage incidents |
| Integration Engineer | Data Source Admin | Configure modules and connectors |
User & Group Management Guide
Complete guide to setting up users and groups
Post-Onboarding Checklist
Use this checklist to verify a successful deployment:
Immediate Verification
- Workspace appears in your workspace list
- Enterprise applications show “Consented” status
- Module shows “Active” in workspace settings
- Your team can access the workspace
- Incidents are appearing (may take 5-15 minutes)
Defender XDR Module Verification
- Defender XDR incidents syncing to Command Dashboard
- Entity enrichment working (click an incident to verify)
- Gamebook actions available on entities
- Endpoints visible in Endpoints page (if applicable)
Sentinel Module Verification (Additional)
- Sentinel incidents syncing to Command Dashboard
- Azure Lighthouse delegation active
- Apollo Logic App is enabled and running
- CMS shows available detection rules
- Notifications being received (test with severity filter)
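The Azure-side items in this list can be checked from a script rather than by clicking through the portal. The PowerShell below is an added example, not ContraForce tooling: it confirms the Lighthouse delegation on the customer subscription, reports the state and recent run results of the Logic Apps in the Apollo resource group, surfaces any failed deployment operations (the “Azure deployment logs” the Getting Help section refers to), and queries the Sentinel workspace so you know whether there are incidents to sync at all. It assumes the Az modules (Accounts, ManagedServices, LogicApp, Resources, OperationalInsights) and Reader access to the subscription; the subscription ID and workspace name are the placeholders from the Information to Gather table, and the Apollo resource group name is an assumption to replace with the one created during onboarding.

```powershell
# Added example, not ContraForce tooling: Sentinel module post-onboarding checks.
param(
    [string] $SubscriptionId      = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',  # placeholder from the table
    [string] $WorkspaceName       = 'acme-sentinel-workspace',              # placeholder from the table
    [string] $ApolloResourceGroup = 'rg-contraforce-apollo'                 # assumed name; use the deployed one
)
Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# 1. Azure Lighthouse: a delegation is a registration definition plus an assignment on the subscription.
$assignments = Get-AzManagedServicesAssignment -Scope $scope
if (-not $assignments) { Write-Warning 'No Lighthouse delegation found on this subscription' }
$assignments | Select-Object Name, ProvisioningState, RegistrationDefinitionId | Format-Table
Get-AzManagedServicesDefinition -Scope $scope |
    Select-Object RegistrationDefinitionName, ManagedByTenantId, ManagedByTenantName | Format-Table

# 2. Apollo Logic Apps: each must be Enabled, and recent runs should not be failing.
$apps = Get-AzLogicApp -ResourceGroupName $ApolloResourceGroup
if (-not $apps) { Write-Warning "No Logic Apps in $ApolloResourceGroup; was the Apollo deployment completed?" }
foreach ($app in $apps) {
    if ($app.State -ne 'Enabled') { Write-Warning "$($app.Name) is $($app.State)" }
    $runs   = @(Get-AzLogicAppRunHistory -ResourceGroupName $ApolloResourceGroup -Name $app.Name | Select-Object -First 10)
    $failed = @($runs | Where-Object Status -eq 'Failed').Count
    "Logic App $($app.Name): $($app.State); last $($runs.Count) runs, $failed failed"
}

# 3. Deployment errors: list failed operations of any deployment that did not succeed.
Get-AzResourceGroupDeployment -ResourceGroupName $ApolloResourceGroup |
    Where-Object ProvisioningState -ne 'Succeeded' |
    ForEach-Object {
        Write-Warning "Deployment $($_.DeploymentName) is $($_.ProvisioningState)"
        Get-AzResourceGroupDeploymentOperation -ResourceGroupName $ApolloResourceGroup -DeploymentName $_.DeploymentName |
            Where-Object ProvisioningState -eq 'Failed' |
            Select-Object TargetResource, StatusCode, StatusMessage
    }

# 4. Source-side incidents: ContraForce syncs what exists in Sentinel, so an empty result here
#    explains an empty Command Dashboard (see First Incidents).
$ws  = Get-AzOperationalInsightsWorkspace | Where-Object Name -eq $WorkspaceName
$kql = @'
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, Status, Severity) by IncidentNumber
| summarize Incidents = count() by Status, Severity
| order by Severity
'@
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results
if (-not $rows) { Write-Warning 'No Sentinel incidents in the last 7 days; nothing will appear in ContraForce until there are' }
$rows | Format-Table
```

The KQL in step 4 deduplicates `SecurityIncident` by incident number before counting, because that table holds one row per update to an incident; counting rows directly would overstate how many incidents the customer actually has.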
User Access Verification
- Organization groups assigned to workspace
- Team members can view incidents
- Roles are appropriate for each user
- Customer users added (if applicable)
Timeline Expectations
Typical Onboarding Timeline
| Phase | Duration | Activities |
|---|---|---|
| Pre-call preparation | 15-30 min | Gather credentials, verify prerequisites |
| Defender XDR onboarding | 15-20 min | Consent apps, configure module |
| Sentinel onboarding | 30-45 min | Above + Azure deployment, Lighthouse setup |
| User setup | 10-15 min | Assign groups, configure roles |
| CMS deployment | 15-30 min | Deploy initial detection rules |
| Verification | 10-15 min | Confirm incidents flowing, test actions |
First Incidents
| Module | Expected Time to First Incident |
|---|---|
| Defender XDR | 5-15 minutes (depends on Defender activity) |
| Sentinel | 5-15 minutes (depends on Sentinel activity) |
If no incidents appear within 30 minutes, verify the customer has active incidents in their Defender/Sentinel console. ContraForce syncs existing incidents, so if there are none in the source system, none will appear in ContraForce.
Common Onboarding Issues
Troubleshooting Quick Reference
| Issue | Likely Cause | Solution |
|---|---|---|
| Consent popup doesn’t appear | Pop-up blocker | Disable pop-up blocker for ContraForce |
| Consent fails with permissions error | Signed-in account cannot grant tenant-wide admin consent (Security Administrator alone is not sufficient) | Use Global Administrator credentials |
| Azure deployment fails | Insufficient permissions | Verify Subscription Owner access |
| No incidents appearing | No incidents in source system | Check Defender/Sentinel for active incidents |
| Module shows “Not Configured” | Consent incomplete | Re-run consent flow from workspace settings |
| User can’t see workspace | No workspace role assigned | Add user/group to workspace with a role |
| Lighthouse delegation failed | Subscription restrictions | Check for Azure Policy restrictions |
Getting Help
If you encounter issues during onboarding:
- Check the troubleshooting guide for your specific module
- Review Azure deployment logs (Sentinel module) in the Azure Portal
- Contact ContraForce support at [email protected]
Onboarding Multiple Customers
Scaling Best Practices
Create organization groups before onboarding
Set up your standard groups (SOC Tier 1, Tier 2, Managers) at the organization level first. Then you can quickly assign them to each new workspace with consistent roles.
Document your standard configuration
Create a template documenting your standard module selection, notification settings, and user assignments. This ensures consistency across all customer deployments.
Batch similar customers together
If you’re onboarding multiple customers with the same module, batch them together. You’ll get faster as you repeat the same steps.
Use a pre-onboarding checklist
Send customers a pre-onboarding checklist to gather credentials and verify prerequisites before the call. This reduces onboarding time significantly.
Consider CMS deployment strategy
For SIEM customers, decide upfront which detection rules to deploy. A standard “starter pack” of rules saves decision time during onboarding.
Onboarding Checklist Template
Use this checklist for each customer onboarding:
Pre-Onboarding:
- Customer domain confirmed
- Global Admin credentials available
- License tier verified
- Azure subscription ID (SIEM only)
- Sentinel workspace name (SIEM only)
- Notification email confirmed
During Onboarding:
- Workspace created
- Core apps consented
- Module selected and configured
- Azure resources deployed (SIEM only)
- Users/groups assigned
Post-Onboarding:
- Incidents syncing verified
- Gamebooks tested
- Notifications configured (SIEM only)
- CMS rules deployed (SIEM only)
- Customer notified of go-live
Next Steps After Onboarding
Incident Management
Learn how to triage and manage incidents
Gamebooks
Automate response actions with Gamebooks
Command Dashboard
Monitor security posture across workspaces
Content Management System
Manage detection rules through your multi-tenant CI/CD pipeline
Related Guides
Defender Onboarding
XDR module deployment
Sentinel Onboarding
SIEM module deployment
User Management
Configure users and groups setup
Questions about onboarding? Contact us at [email protected] or request hands-on support for your first deployments.