This matrix shows which ContraForce features are available for each supported security integration. Use it to understand what your team can do based on the tools deployed in your customer environments.
Legend
| Symbol | Meaning |
|---|---|
| ✓ | Capability fully available |
| ✓(1) | Requires Microsoft Entra ID connection |
| ✓(2) | Requires Microsoft Defender for Endpoint |
| ✓(3) | Requires Microsoft 365 Exchange license |
| — | Not available |
Supported Integrations
| Category | Integration |
|---|---|
| SIEM | Microsoft Sentinel |
| XDR / EDR | Microsoft Defender XDR, CrowdStrike Falcon, SentinelOne |
| Identity | Microsoft Entra ID |
| Email | Microsoft 365 Exchange |
Incident Management
Unified incident queue with cross-workspace handling, bidirectional sync, and analyst assignment.
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Bidirectional incident sync | ✓ | ✓ | ✓ | ✓ |
| Fetch incident entities | ✓ | ✓ | ✓ | ✓ |
| Fetch incident evidence (logs) | ✓ | ✓ | — | — |
| Alert timelines | ✓ | ✓ | ✓ | — |
| Investigation audit trail | ✓ | ✓ | ✓ | ✓ |
Entity Enrichment & Triage
Contextual intelligence for users, devices, IPs, files, emails, and URLs during investigations.
User Insights
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Related incident search | ✓ | ✓ | — | — |
| Sign-in logs | ✓ | ✓(1) | — | — |
| Audit logs | ✓ | ✓(1) | — | — |
| Entra ID profile | ✓ | ✓(1) | — | — |
Device Insights
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Device info | ✓ | ✓ | — | — |
| Device timeline | ✓ | ✓(2) | — | — |
| Related incidents | ✓ | ✓(2) | — | — |
IP Address Insights
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Sign-in activity | ✓ | — | — | — |
| Related incidents | ✓ | ✓(2) | — | — |
Email, File & URL Insights
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Email info | ✓ | ✓(2) | — | — |
| File info | ✓ | ✓ | — | — |
| URL info | ✓ | ✓(2) | — | — |
(1) Requires Microsoft Entra ID connection.

(2) Requires Defender for Endpoint, which is included with E5 or available as an add-on for Business Premium and E3.
Log Search
Direct query access to log data for deep investigation and threat hunting.
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Log search (Advanced Hunting) | ✓ | ✓(2) | — | — |
Gamebook Response Actions
Automated response playbooks for endpoint, file, identity, and email threats.
Endpoint Actions
| Action | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Isolate device | ✓(2) | ✓ | — | ✓ |
| Anti-virus scan | ✓(2) | ✓ | — | ✓ |
| Release from isolation | ✓(2) | ✓ | — | ✓ |
File Actions
| Action | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Quarantine file | ✓(2) | ✓ | — | — |
User Actions
| Action | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Invalidate sessions | ✓(1) | ✓(1) | — | — |
| Reset password | ✓(1) | ✓(1) | — | — |
| Lock user | ✓(1) | ✓(1) | — | — |
| Unlock user | ✓(1) | ✓(1) | — | — |
Email Actions
| Action | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Soft delete email | ✓(3) | ✓(3) | — | — |
(1) Requires Microsoft Entra ID connection and the Gamebooks for Identity enterprise application.

(2) Requires Defender for Endpoint; Sentinel gamebook actions execute through Defender for Endpoint.

(3) Requires Microsoft 365 Exchange license and the Microsoft 365 Response enterprise application.
Endpoint Management
View and manage devices across your customer environments.
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| View device list | — | ✓ | — | — |
| View device details | — | ✓ | — | — |
Content Management System (CMS)
Deploy and manage detection rules across workspaces.
| Capability | Microsoft Sentinel | Defender XDR | CrowdStrike Falcon | SentinelOne |
|---|---|---|---|---|
| Deploy detection rules | ✓ | — | — | — |
| Remove detection rules | ✓ | — | — | — |
| Auto-update subscription | ✓ | — | — | — |
CMS requires the XDR + SIEM module. Microsoft Sentinel must be connected to use CMS.
Incident Notifications
Email notifications when new incidents arrive.
| Integration | Email Notification |
|---|---|
| Microsoft Sentinel | ✓ |
| Microsoft Defender XDR | — |
| CrowdStrike Falcon | — |
| SentinelOne | — |
Incident email notifications require the XDR + SIEM module. Email notifications for Gamebook activity are available across all modules.