Skip to main content

No Incidents Appearing

Cause: Most commonly, there are no active incidents in the source system (Defender XDR or Sentinel). Fix:
  1. Check your Microsoft Defender XDR portal or Sentinel workspace for active incidents
  2. If incidents exist in the source, allow 15–30 minutes for initial sync after onboarding
  3. Verify the module shows as Configured in Settings → Module Configuration
  4. If the module shows “Not Configured,” re-run the consent flow

Incidents Appearing in Defender But Not ContraForce

Cause: Consent may be incomplete, or the integration is only syncing specific incident types. Fix:
  1. Go to Settings → Workspace Settings → Module Configuration
  2. Verify all consent steps are complete (green checkmarks)
  3. If any step is incomplete, re-run consent with Global Admin credentials
  4. Wait 15 minutes and check again

Delayed Incident Sync

Cause: Normal sync latency varies, but significant delays may indicate a backend issue. Expected timing:
  • XDR module: Incidents typically appear within 5–15 minutes
  • XDR + SIEM module: Sentinel incidents may take slightly longer depending on log ingestion
If delays exceed 30 minutes: Contact support@contraforce.com with your workspace name and the incident IDs from the source system.

Workspace Shows No Data

Cause: Consent not completed for this workspace. Fix:
  1. Open the workspace in the Workspace Manager
  2. Go to Settings → Module Configuration
  3. Re-run the consent flow with the customer’s Global Admin credentials