Automated Incident Response for Microsoft Defender XDR
Automated incident response for Microsoft Defender XDR eliminates the manual triage, investigation, and containment steps that consume 80% of SOC analyst time. ContraForce Security Delivery Agents process Defender XDR incidents end-to-end -- from alert correlation to response execution -- achieving 60x faster resolution at $0.15 per incident in AI agent compute, compared to $15-25 per incident with manual SOC operations or $5-10 with traditional SOAR platforms.
The Problem with Manual Defender XDR Response
Microsoft Defender XDR generates high-fidelity alerts across endpoints, identities, email, and cloud apps. But without automation, each incident still requires an analyst to:
- Open the incident and read the alert details (2-5 minutes)
- Correlate related alerts across Defender products (5-10 minutes)
- Investigate affected entities -- users, devices, IPs (10-20 minutes)
- Determine response actions (5-10 minutes)
- Execute containment -- isolate device, disable account, block sender (5-15 minutes)
- Document actions and notify the customer (10-20 minutes)
Automation Approaches Compared
| Approach | Triage Speed | Cross-Tenant Support | Adaptability | Cost per Incident | Setup Effort |
|---|---|---|---|---|---|
| Manual SOC | 40-80 min | Limited (analyst switching) | High (human judgment) | $15-25 | None |
| Logic Apps / Power Automate | 1-5 min | Per-tenant configuration | Low (rigid if/then logic) | $2-5 | High (per workflow) |
| Traditional SOAR (Splunk SOAR, Cortex XSOAR) | 1-5 min | Requires connectors per tenant | Medium (playbook-based) | $5-10 | Very high |
| ContraForce Security Delivery Agents | Under 30 sec | Native multi-tenant | High (AI-driven decisions) | $0.15 | 30-minute setup |
How ContraForce Automates Defender XDR Response
Step 1: Real-Time Incident Ingestion
ContraForce connects to Defender XDR via Microsoft Graph Security API, ingesting incidents and alerts in real time across all connected tenants. No polling delays, no missed alerts.
Step 2: AI-Powered Alert Correlation
Security Delivery Agents automatically correlate related alerts within each incident and across incidents. A phishing email in Defender for Office 365, a suspicious sign-in in Defender for Identity, and a malware detection in Defender for Endpoint are linked into a single attack narrative -- in seconds, not the 15+ minutes it takes an analyst.
Step 3: Automated Investigation
The agent investigates affected entities: user sign-in history, device risk score, file reputation, IP geolocation, and prior incident history across all tenants. This builds a complete investigation timeline without analyst intervention.
Step 4: Gamebook-Driven Response
Based on the investigation results, the matching Gamebook executes response actions:
- Endpoint compromise: Isolate device via Defender for Endpoint, initiate AV scan, collect investigation package
- Identity compromise: Disable account via Entra ID, revoke sessions, reset MFA
- Phishing: Purge email from all mailboxes, block sender domain, submit to Microsoft for analysis
- Lateral movement: Isolate affected devices, disable compromised accounts, trigger full tenant sweep
Step 5: Documentation and Customer Notification
ContraForce auto-generates an incident report with timeline, affected entities, actions taken, and recommendations. Reports are formatted for customer delivery -- no analyst writing required.
Key Automation Metrics
- 60x faster incident resolution compared to manual SOC operations
- 93% lower cost per incident ($0.15 vs. $15-25 manual)
- Under 30 seconds from alert to initial response action
- Zero-touch resolution for 80-90% of common incident types
- Full audit trail for every automated action, supporting SOC 2 Type II compliance
What Cannot Be Automated
ContraForce does not attempt to automate everything. The following scenarios always escalate to human analysts:
- Novel attack techniques not matching existing Gamebook patterns
- Incidents involving executive or VIP accounts (configurable)
- Business-context decisions (should we shut down this server during business hours?)
- Customer communication requiring personalized judgment
- Threat hunting based on emerging intelligence
Frequently Asked Questions
Does ContraForce work with Defender XDR standalone, or does it require Sentinel?
ContraForce works with both Defender XDR standalone and Defender XDR integrated with Microsoft Sentinel. For MSSPs managing multi-tenant environments, the Sentinel integration provides additional log sources and custom detection capabilities, but Defender XDR incidents are processed regardless of Sentinel deployment.
How does ContraForce handle false positives from Defender XDR?
Security Delivery Agents learn from analyst feedback on false positives. When an analyst marks an incident as a false positive, the agent records the pattern and applies suppression logic to future matching incidents across all tenants. This continuously reduces false positive volume over time.
Can I customize which response actions are automated?
Yes. Gamebooks are fully configurable. You control which actions execute automatically (e.g., AV scan, email purge) and which require human approval (e.g., device isolation, account disablement). Approval gates can be set per-action, per-severity, or per-customer.
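To make the approval-gate model from Step 4 and this FAQ answer concrete, here is an added illustration (not ContraForce code; the Gamebook table, action names, tenants and user accounts are hypothetical) of a policy evaluator that splits a matched Gamebook's actions into auto-executed and approval-required buckets, with per-action, per-severity and per-customer gates, and escalates the cases the page reserves for analysts (no matching Gamebook, VIP account):

```python
from dataclasses import dataclass

# Constructed Gamebook table mirroring the four incident categories listed
# in Step 4 (hypothetical action names, not ContraForce's own identifiers).
GAMEBOOKS = {
    "endpoint_compromise": ["isolate_device", "av_scan", "collect_investigation_package"],
    "identity_compromise": ["disable_account", "revoke_sessions", "reset_mfa"],
    "phishing": ["purge_email", "block_sender_domain", "submit_to_microsoft"],
    "lateral_movement": ["isolate_device", "disable_account", "tenant_sweep"],
}
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class ApprovalPolicy:
    gated_actions: frozenset        # per-action gate: always needs human approval
    gate_severity_at_or_above: str  # per-severity gate: this severity and up
    gated_customers: frozenset      # per-customer gate: tenants that are fully gated
    vip_users: frozenset            # VIP accounts always escalate to an analyst

def plan_response(incident: dict, policy: ApprovalPolicy) -> dict:
    """Split a Gamebook's actions into auto vs. needs_approval, or escalate."""
    actions = GAMEBOOKS.get(incident["category"])
    if actions is None:
        return {"escalate": "no matching Gamebook", "auto": [], "needs_approval": []}
    if policy.vip_users & frozenset(incident.get("users", ())):
        return {"escalate": "VIP account involved", "auto": [], "needs_approval": []}
    # Unknown severities are treated as the highest rank, so a malformed
    # incident can only ever add approval gates, never remove them.
    sev = SEVERITY_RANK.get(incident.get("severity"), SEVERITY_RANK["high"])
    whole_incident_gated = (
        sev >= SEVERITY_RANK[policy.gate_severity_at_or_above]
        or incident["tenant"] in policy.gated_customers
    )
    plan = {"escalate": None, "auto": [], "needs_approval": []}
    for action in actions:
        gated = whole_incident_gated or action in policy.gated_actions
        plan["needs_approval" if gated else "auto"].append(action)
    return plan

# Constructed sample policy and incident (hypothetical tenant and user names).
POLICY = ApprovalPolicy(
    gated_actions=frozenset({"isolate_device", "disable_account"}),
    gate_severity_at_or_above="high",
    gated_customers=frozenset({"contoso-demo"}),
    vip_users=frozenset({"ceo@example-tenant.test"}),
)
SAMPLE_INCIDENT = {"category": "endpoint_compromise", "severity": "medium",
                   "tenant": "fabrikam-demo", "users": ["alice@example-tenant.test"]}

if __name__ == "__main__":
    print(plan_response(SAMPLE_INCIDENT, POLICY))
```

For the sample incident, the AV scan and investigation package run automatically while device isolation waits for approval; raising the severity to high or moving the incident to the gated tenant sends every action through the approval gate.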
What permissions does ContraForce need in my Defender XDR tenants?
ContraForce requires application permissions for Microsoft Graph Security API (read/write incidents, alerts, and actions) and Defender for Endpoint API (machine isolation, AV scan, investigation package). Permissions are granted via standard Azure AD app registration with admin consent.
How does this compare to Microsoft's built-in automatic attack disruption?
Microsoft's automatic attack disruption in Defender XDR handles a narrow set of high-confidence scenarios (ransomware, BEC, adversary-in-the-middle). ContraForce extends automation to the full spectrum of incident types, adds multi-tenant orchestration, enforces MSSP-specific SOPs via Gamebooks, and provides customer-facing reporting -- capabilities Microsoft's native automation does not offer.
What is the deployment process for automating Defender XDR response?
Deployment takes approximately 30 minutes per tenant: connect via app registration, configure Gamebook mappings, set approval gates, and activate. ContraForce provides pre-built Gamebooks for common Defender XDR incident types (phishing, endpoint malware, identity compromise, etc.) that can be customized to your SOPs.