Managed security service providers (MSSPs) have 3 multi-tenant options when it comes to managing Microsoft Defender and Microsoft Sentinel: the Microsoft unified security operations platform, Microsoft Azure Lighthouse and ContraForce Security Service Delivery Platform (SSDP):
All three portals have been embraced by Microsoft. For its part, ContraForce won the Microsoft Excellence Award for Security ISV of the year for 2024 and has been nominated as a finalist for 2025. ContraForce was also recently selected for the prestigious Microsoft for Startups Pegasus Program. The two-year program is an exclusive invite-only initiative designed to support growth-stage startups as they scale their businesses.
ContraForce has also been recognized for its innovation with an SC Award from SC Magazine, as a SINET 16 Innovator and as a CRN Stellar Startup. This blog outlines 10 ways that ContraForce has built on that innovation to uniquely automate multi-tenant management of Defender and Sentinel.
The process for an MSSP to onboard a customer to ContraForce takes place entirely within the ContraForce Platform. In contrast, Microsoft requires actions to be taken from within both the service provider's tenant and from the customer's tenant.
Onboarding a customer to the ContraForce Platform typically takes about 30 minutes. Integrations are all API-based, and no agents are required. Also, data stays on the customer’s side, avoiding potential compliance issues. No additional cloud infrastructure is required and there are no added Microsoft Azure costs.
Microsoft multi-tenant portals require analysts to switch between applications to see incident details. For example, when users of Azure Lighthouse want to get details for Defender incidents, they must click on “Investigate in Microsoft Defender XDR” and then login separately to that customer’s tenant. Similarly, in USOP some Sentinel experiences require opening the Azure portal to complete a task.
In contrast, ContraForce allows analysts at MSSPs to see all incident details for both Sentinel and Defender incidents directly in the ContraForce Platform. When an analyst views an incident, they see entity details for relevant users, devices, URLs, email and IP addresses without having to pivot to another application. Defender incidents also include a process tree.
ContraForce also provides enhanced entity information for emails, URLs and IP addresses that is otherwise not available in Defender or Sentinel. For emails, analysts can see email metadata and other users who received the same email. For URLs, ContraForce shows when there are differences between the URL displayed in a phishing email and the actual underlying link. For IP addresses, ContraForce provides a history of sign-in log activity so analysts can identify any unusual sign-ins.
ContraForce provides a menu of pre-built response actions from which incident responders can create a response playbook (Gamebook). Response actions vary by entity: user, device, email, file, URL and IP address. For example, a user-based response action might entail invalidating that user’s existing sessions.
Microsoft, on the other hand, lacks any automation for setting up and running playbooks. With Azure Lighthouse and USOP, MSSPs either need to manually install playbooks one-by-one or use Logic Apps to create new response actions. In addition, they must set up playbooks separately for each customer.
For Sentinel incidents, ContraForce automatically provides a Gamebook recommendation by using AI to map MITRE ATT&CK tactics and MITRE D3FEND actions. ContraForce also provides MSSPs with the option to auto-run recommended Gamebooks. Microsoft does not provide playbook recommendations.
ContraForce provides bi-directional integrations with leading ticketing solutions, including Datto Autotask PSA, ServiceNow ITSM and Jira Service Management. MSSP staff simply choose to create or edit a ticket from a drop-down menu when viewing an incident. In contrast, the Microsoft portals require MSSPs to create playbooks to activate ticketing. With ContraForce, MSSPs can also go to an incident and access any existing associated tickets, a feature not available in the Microsoft portals.
The ContraForce Content Management System (CMS) makes managing Sentinel detection rules easy. ContraForce provides pre-built rules for Sentinel data sources that MSSPs can turn on or off using a toggle switch.
Managing detection rules for Sentinel using Microsoft’s multi-tenant tools is comparatively laborious. For example, to set up a detection rule in Azure Lighthouse users must select a content pack, then install a pack of templates and finally turn a template into a rule.
Using the ContraForce CMS, detection rules can also be set to automatically update with a single click. By comparison, in a Microsoft portal, updating a rule entails a manual multi-step process.
Microsoft USOP, Azure Lighthouse and the ContraForce Platform all allow MSSPs to manage incidents for Defender and Sentinel. However, ContraForce uniquely allows MSSPs to also manage incidents for other leading XDR and SIEM tools, including: SentinelOne Singularity XDR, CrowdStrike Falcon Insight XDR, Splunk Enterprise Security, IBM QRadar SIEM and IBM QRadar on Cloud. MSSPs can see incidents from all these tools, for all their customers, unified in the ContraForce console.
Microsoft USOP, Azure Lighthouse and ContraForce all allow service providers to access customer workspaces. Uniquely, ContraForce also allows service providers to grant permission for a third-party to access a customer’s workspace. For example, this could occur when an MSP outsources service delivery to a MSSP. In this case, all 3 parties – the MSP, MSSP and customer – can access the client’s workspace. Users, roles, groups and privileges can then be managed for the workspace.
If you are interested to learn more about how ContraForce uniquely automates multi-tenant management of Defender and Sentinel, meet us at the RSA Conference in San Francisco. Stan Golubchik, ContraForce’s CEO and Co-Founder, will be presenting in the Microsoft booth (booth #5744 in Moscone North) on Tuesday April 29th, 2025 from 3:30-3:50pm.
You can also book a demo to learn more.
