This matrix shows which ContraForce features are available for each supported security integration. Use it to understand what your team can do based on the tools deployed in your customer environments.
Legend
| Symbol | Meaning |
| --- | --- |
| ✓ | Capability fully available |
| ✓(1) | Requires Microsoft Entra ID connection |
| ✓(2) | Requires Microsoft Defender for Endpoint |
| ✓(3) | Requires Microsoft 365 Exchange license |
| — | Not available |
Supported Integrations
| Category | Integration |
| --- | --- |
| SIEM | Microsoft Sentinel |
| XDR / EDR | Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne |
| Identity | Microsoft Entra ID |
| Email | Microsoft 365 Exchange |
Incident Management
Unified incident queue with cross-workspace handling, bidirectional sync, and analyst assignment.
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Bidirectional incident sync | ✓ | ✓ | ✓ | ✓ |
| Fetch incident entities | ✓ | ✓ | ✓ | ✓ |
| Fetch incident evidence (logs) | ✓ | ✓ | — | — |
| Alert timelines | ✓ | ✓ | ✓ | — |
| Investigation audit trail | ✓ | ✓ | ✓ | ✓ |
Entity Enrichment & Triage
Contextual intelligence for users, devices, IPs, files, emails, and URLs during investigations.
User Insights
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Related incident search | ✓ | ✓ | — | — |
| Sign-in logs | ✓ | ✓(1) | — | — |
| Audit logs | ✓ | ✓(1) | — | — |
| Entra ID profile | ✓ | ✓(1) | — | — |
Device Insights
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Device info | ✓ | ✓ | — | — |
| Device timeline | ✓ | ✓(2) | — | — |
| Related incidents | ✓ | ✓(2) | — | — |
IP Address Insights
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Sign-in activity | ✓ | — | — | — |
| Related incidents | ✓ | ✓(2) | — | — |
Email, File & URL Insights
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Email info | ✓ | ✓(2) | — | — |
| File info | ✓ | ✓ | — | — |
| URL info | ✓ | ✓(2) | — | — |
(1) Requires Microsoft Entra ID connection.
(2) Requires Defender for Endpoint — included with E5 or available as an add-on for Business Premium and E3.
Log Search
Direct query access to log data for deep investigation and threat hunting.
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Log search (Advanced Hunting) | ✓ | ✓(2) | — | — |
Gamebook Response Actions
Automated response playbooks for endpoint, file, identity, and email threats.
Endpoint Actions
| Action | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Isolate device | ✓(2) | ✓ | — | ✓ |
| Anti-virus scan | ✓(2) | ✓ | — | ✓ |
| Release from isolation | ✓(2) | ✓ | — | ✓ |
File Actions
| Action | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Quarantine file | ✓(2) | ✓ | — | — |
User Actions
| Action | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Invalidate sessions | ✓(1) | ✓(1) | — | — |
| Reset password | ✓(1) | ✓(1) | — | — |
| Lock user | ✓(1) | ✓(1) | — | — |
| Unlock user | ✓(1) | ✓(1) | — | — |
Email Actions
| Action | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Soft delete email | ✓(3) | ✓(3) | — | — |
(1) Requires Microsoft Entra ID connection and the Gamebooks for Identity enterprise application.
(2) Requires Defender for Endpoint — Sentinel gamebook actions execute through Defender for Endpoint.
(3) Requires Microsoft 365 Exchange license and the Microsoft 365 Response enterprise application.
Endpoint Management
View and manage devices across your customer environments.
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| View device list | — | ✓ | — | — |
| View device details | — | ✓ | — | — |
Content Management System (CMS)
Deploy and manage detection rules across workspaces.
| Capability | Microsoft Sentinel | Defender for Endpoint | CrowdStrike Falcon | SentinelOne |
| --- | --- | --- | --- | --- |
| Deploy detection rules | ✓ | — | — | — |
| Remove detection rules | ✓ | — | — | — |
| Auto-update subscription | ✓ | — | — | — |
CMS requires the XDR + SIEM module. Microsoft Sentinel must be connected to use CMS.
Incident Notifications
Email notifications when new incidents arrive.
| Integration | Email Notification |
| --- | --- |
| Microsoft Sentinel | ✓ |
| Microsoft Defender for Endpoint | — |
| CrowdStrike Falcon | — |
| SentinelOne | — |
Incident email notifications require the XDR + SIEM module. Email notifications for Gamebook activity are available across all modules.