ContraForce Makes Incident Investigation Even Easier for Microsoft Sentinel and Microsoft Defender XDR Incidents

Today, we are announcing three additional feature sets that improve the incident investigation experience in the ContraForce platform:

  • Device Timeline and Process Tree visibility
  • Embedded log search capabilities
  • Enhanced entity information

Each incident now includes these new features, further streamlining analyst investigations, and allowing Managed Security Service Providers (MSSPs) to manage more customers per analyst.

Introduction

One of the biggest time sinks for security analysts at MSSPs is having to pull together the information they need about a security incident to determine if it requires a response, and what that response should be. Swiveling between data sources is a big reason why analyst firm Forrester found that “the majority of an analyst’s time, almost 70%, is spent on investigating, triaging or responding to alerts”.1

Collating incident data is notably onerous for security analysts managing Microsoft Security apps. This remains true despite the changes Microsoft has made to bring different security applications, such as Microsoft Sentinel and Microsoft Defender XDR, together through Azure Lighthouse and the Microsoft Unified Security Operations Platform.

ContraForce has already made incident investigations easier. ContraForce unifies incident data from different sources into a single platform, for both Microsoft Sentinel and Microsoft Defender XDR incidents. When an analyst views an incident, they see entity details for relevant users, devices, URLs, email and IP addresses without having to pivot to another application.

According to Juliette Hudson, CTO at CybaVerse, “ContraForce pulls everything together. Having the information you need, you can start pushing and pulling it wherever you want to make decisions.”

Device Timeline and Process Tree Visibility

For incidents originating in Microsoft Defender and ingested directly into the ContraForce platform, analysts now have access to both a Device Timeline and a Process Tree.  

Analysts may be familiar with similar tools in Microsoft Defender, but accessing them is more convenient in ContraForce because they are included as part of the incident itself. Analysts stay within the incident as they review timeline details, rather than navigating between pages as they must in the native Microsoft experience.

The overview of an incident now includes a summary tab which highlights the incident's source (Microsoft Defender for Endpoint, etc.) and a preliminary view of alert attack activity, showing the activity 15 minutes before and after an alert.

Further information is available within the incident details. In the Device Timeline, the activity underlying the primary alert, and any other activity that led to related alerts, is highlighted in red. The timeline also shows all activity on the device, whether or not it is known to relate to an alert, so analysts can look for suspicious activity that no alert caught. There is also a search feature.

A Device Timeline with alert highlighted in red.

Each alert related to a device is also accompanied by a Process Tree with its own chronology of events. The Process Tree shows the process behind the alert together with its parent and child processes, so the analyst can see which process launched which.

A Process Tree with alerted item highlighted in red.
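As an added example (not ContraForce's code or UI), this is what reconstructing the same view looks like natively in Microsoft Defender XDR advanced hunting. The query takes an alert ID, finds the device and time of the alert's process evidence, pulls every process creation on that device in the 15-minute window before and after, flags the rows that are alert evidence (the rows a timeline would highlight), and renders the parent > initiating > child chain that a process tree draws. The alert ID is a placeholder and must be replaced with one from your tenant.

```kql
// Added example, not ContraForce code. Run in Defender XDR advanced hunting.
// The alert ID below is a placeholder; substitute a real AlertId from your tenant.
let alert_id = "da1b2c3d4e5f6a7b8c9d0e1f";   // placeholder alert ID
let window = 15m;                            // 15 minutes before and after the alert
// Device and time of the alert's process evidence, plus the evidence file hashes.
let evidence = AlertEvidence
    | where AlertId == alert_id and EntityType == "Process" and isnotempty(DeviceId)
    | summarize AlertTime = min(Timestamp), EvidenceHashes = make_set(SHA1) by DeviceId;
DeviceProcessEvents
| join kind=inner evidence on DeviceId
| where Timestamp between ((AlertTime - window) .. (AlertTime + window))
// Rows whose file hash is part of the alert's evidence: the ones a timeline highlights.
| extend IsAlertEvidence = set_has_element(EvidenceHashes, SHA1)
// Grandparent > parent > child file names: the parent-child relationship a process tree shows.
| extend ProcessChain = strcat(InitiatingProcessParentFileName, " > ",
                               InitiatingProcessFileName, " > ", FileName)
| project Timestamp, IsAlertEvidence, ProcessChain,
          InitiatingProcessId, ProcessId, AccountName, ProcessCommandLine
| order by Timestamp asc
```

Sorting by Timestamp gives the timeline; grouping the same output by InitiatingProcessId and ProcessId gives the tree. Widening `window` is the usual next step when the first suspicious row sits at the edge of the 15-minute view.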

Embedded Log Search Capabilities

With this release, ContraForce has also embedded two new log search capabilities within incidents: the ability to run queries and the ability to view the query itself along with its associated entities. Neither is available inside the incident view of the native Microsoft applications; there, analysts must click Open in Advanced Hunting, which runs the query in a new tab.

By running queries directly within incidents, analysts can simultaneously see their search results while viewing the rest of the incident details. Seeing all the information together improves their ability to make a determination. If needed, they can download the query results as a CSV file. They can also pivot to the log search page, with their query prefilled, to see the workspace schema.

Query results within an incident detail page.

A second new feature is the rule tab, which shows the KQL query in its entirety. The tab also includes a table mapping the entities involved in the incident, for example the device IP address and the associated Microsoft Entra ID (formerly Azure Active Directory) user ID. Analysts can execute the query and then refine it as needed, for example by tightening filters to narrow the results or dropping unneeded fields to remove noise.

New rule tab with KQL query details.

Enhanced Entity Information

ContraForce now also provides enhanced entity information for users, emails, URLs and IP addresses that is not natively available in Microsoft Defender or Microsoft Sentinel incidents. As with all of the new features, this information is presented to analysts within the incident itself. In the Microsoft apps, they would instead have to use advanced hunting or look for that information elsewhere.

The list of enhanced entity information, by entity type, includes:

Users
  • user insights
  • user metadata
  • Entra ID sign-in logs
  • Entra ID audit logs

Emails
  • email metadata
  • other users who received the same email

URLs
  • discrepancies between the URL displayed in a phishing email and the actual underlying link

IP addresses
  • a history of sign-in log activity so analysts can identify any unusual sign-ins
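As an added example (not ContraForce's code), the native way to get the sign-in history that ContraForce surfaces for an IP address is a KQL query over the SigninLogs table in a Microsoft Sentinel workspace. This one takes an IP address (a placeholder from the documentation range), lists which users signed in from it and with what result, and compares the country of those sign-ins against the countries each user successfully signed in from elsewhere over the preceding 30 days, so a sign-in from a country the user has never used before is flagged as unusual.

```kql
// Added example, not ContraForce code. Run against a Sentinel (Log Analytics) workspace.
let suspect_ip = "203.0.113.45";   // placeholder IP (TEST-NET-3 documentation range)
let lookback = 30d;
// Every sign-in from the IP in the lookback window, summarized per user and country.
let from_ip = SigninLogs
    | where TimeGenerated > ago(lookback) and IPAddress == suspect_ip
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Attempts = count(), Successes = countif(ResultType == "0"),
                Apps = make_set(AppDisplayName) by UserPrincipalName, Country = Location;
// Countries each of those users signed in from successfully via any other IP.
let baseline = SigninLogs
    | where TimeGenerated > ago(lookback) and IPAddress != suspect_ip and ResultType == "0"
    | where UserPrincipalName in ((from_ip | distinct UserPrincipalName))
    | summarize KnownCountries = make_set(Location) by UserPrincipalName;
from_ip
| join kind=leftouter baseline on UserPrincipalName
// Flag the sign-in when the user has no prior successful sign-in from that country.
| extend NewCountryForUser = isnull(KnownCountries) or not(set_has_element(KnownCountries, Country))
| project UserPrincipalName, Country, NewCountryForUser, FirstSeen, LastSeen, Attempts, Successes, Apps
| order by NewCountryForUser desc, Attempts desc
```

A high Attempts count with zero Successes across many users points to password spraying from the IP; a single user with NewCountryForUser true and a success is the classic impossible-travel or stolen-credential pattern worth escalating.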

To learn more, request a demo.  

Footnotes

1. 2020 State of Security Operations, Forrester Consulting.

ContraForce is everything you need to manage your security service delivery with confidence.
