Configure automatic attack disruption in Defender XDR
5 minutes
5 Questions
Automatic attack disruption in Microsoft Defender XDR is a powerful capability that helps security operations teams contain active threats by automatically taking action against compromised assets and malicious entities during an ongoing attack.
To configure automatic attack disruption, navigate to the Microsoft Defender portal (security.microsoft.com) and access Settings > Microsoft Defender XDR > Automatic attack disruption. This feature leverages high-confidence signals from multiple sources including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps.
The configuration process involves several key steps. First, ensure that automatic investigation and response capabilities are enabled across your Defender workloads. This requires appropriate licensing and that devices are properly onboarded to the respective Defender services.
Within the attack disruption settings, you can configure the scope of automatic actions. The system can automatically contain compromised user accounts by suspending them in Azure Active Directory, and it can isolate compromised devices from the network. These containment actions are designed to limit lateral movement and prevent attackers from achieving their objectives.
You should review the prerequisites including ensuring devices have the appropriate sensor versions and that cloud connectivity is properly configured. For identity-related disruption, integration with Defender for Identity and proper Azure AD permissions are required.
The feature operates by analyzing correlated incidents and identifying high-impact threats such as ransomware campaigns or business email compromise attacks. When the system has high confidence in the threat assessment, it executes containment actions automatically while providing full visibility to the SOC team.
Security analysts can monitor disruption actions through the incident queue, where affected assets are clearly marked. The Actions Center provides a complete audit trail of all automated responses, allowing teams to review, approve, or reverse actions if needed. This balance of automation and oversight enables rapid response while maintaining operational control.
Configure Automatic Attack Disruption in Defender XDR
Why is Automatic Attack Disruption Important?
Automatic attack disruption is a critical capability in Microsoft Defender XDR that helps organizations respond to sophisticated attacks in real time. When adversaries launch attacks like ransomware or business email compromise, every second counts. Manual investigation and response can take hours or days, giving attackers time to cause significant damage. Automatic attack disruption reduces this response time to minutes by taking immediate containment actions.
What is Automatic Attack Disruption?
Automatic attack disruption is a feature in Microsoft Defender XDR that uses AI and machine learning to detect high-confidence attacks in progress and automatically contain compromised assets. It correlates signals across endpoints, identities, email, and cloud apps to identify attack patterns and then takes protective actions to limit the attack's impact.
Key characteristics include:
- High-fidelity detection: Only triggers on high-confidence attack scenarios
- Automated containment: Takes actions like disabling user accounts or isolating devices
- Attack types covered: Human-operated ransomware, business email compromise, and adversary-in-the-middle attacks
How Does It Work?
The process follows these steps:
1. Signal Collection: Defender XDR collects signals from Microsoft Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps
2. Correlation and Analysis: The system correlates these signals to identify attack patterns matching known sophisticated attack techniques
3. Attack Identification: When a high-confidence attack is detected, an incident is created with the attack story
4. Automatic Action: The system contains compromised assets by:
   - Containing devices (network isolation)
   - Disabling compromised user accounts
   - Suspending malicious OAuth apps
5. SOC Notification: Security teams are alerted and can review actions taken in the incident timeline
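The incident-level reasoning in steps 1 to 5, together with the points listed under "Key Concepts to Remember" (disruption is gated on the correlated incident rather than a single alert, it needs signals from more than one workload, and every action is reversible from the Action center), modelled as an added Python example. This is illustrative code written for this page, not Microsoft's implementation: the workload labels, technique names, confidence gate, the pattern table and the sample alerts are all constructed assumptions, and the real service uses its own detection logic.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed technique labels for the three attack stories the page names.
HIGH_IMPACT_PATTERNS: Dict[str, Set[str]] = {
    "human-operated ransomware": {"credential-theft", "lateral-movement", "mass-encryption"},
    "business email compromise": {"phishing-login", "inbox-rule", "payment-fraud"},
    "adversary-in-the-middle": {"token-theft", "session-replay", "inbox-rule"},
}
# Containment action per entity kind, and the analyst action that undoes it.
CONTAIN = {"device": "contain_device", "user": "disable_user", "oauth_app": "suspend_oauth_app"}
RELEASE = {"contain_device": "release_device", "disable_user": "enable_user",
           "suspend_oauth_app": "restore_oauth_app"}


@dataclass
class Alert:
    alert_id: str
    workload: str             # constructed labels: MDE, MDI, MDO, MDA
    confidence: str           # "low", "medium" or "high"
    technique: str
    entities: Dict[str, str]  # entity kind -> identifier, e.g. {"device": "ws01"}


@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert] = field(default_factory=list)

    def workloads(self) -> Set[str]:
        return {a.workload for a in self.alerts}

    def techniques(self) -> Set[str]:
        return {a.technique for a in self.alerts}

    def entities(self) -> Set[Tuple[str, str]]:
        return {(k, v) for a in self.alerts for k, v in a.entities.items()}


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Step 2: group alerts that share an entity (transitively) into one incident."""
    incidents: List[Incident] = []
    for alert in alerts:
        keys = set(alert.entities.items())
        hits = [inc for inc in incidents if inc.entities() & keys]
        if not hits:
            incidents.append(Incident(f"INC-{len(incidents) + 1}", [alert]))
            continue
        target = hits[0]
        for other in hits[1:]:          # merge incidents the new alert links together
            target.alerts.extend(other.alerts)
            incidents.remove(other)
        target.alerts.append(alert)
    return incidents


def classify(inc: Incident) -> Optional[str]:
    """Step 3: name the high-impact story an incident matches, or None.

    The gate is on the whole incident: at least one high-confidence alert,
    signals from more than one workload, and two techniques of one pattern."""
    if not any(a.confidence == "high" for a in inc.alerts):
        return None
    if len(inc.workloads()) < 2:
        return None
    techs = inc.techniques()
    for name, required in HIGH_IMPACT_PATTERNS.items():
        if len(techs & required) >= 2:
            return name
    return None


@dataclass
class Action:
    action_id: int
    incident_id: str
    action: str
    target: str
    status: str = "applied"  # "applied" or "reversed"


class ActionCenter:
    """Step 4 plus the audit trail: every automated action is logged and reversible."""

    def __init__(self) -> None:
        self.log: List[Action] = []

    def apply(self, inc: Incident) -> List[Action]:
        new = []
        for kind, ident in sorted(inc.entities()):
            if kind in CONTAIN:
                act = Action(len(self.log) + 1, inc.incident_id, CONTAIN[kind], ident)
                self.log.append(act)
                new.append(act)
        return new

    def reverse(self, action_id: int) -> str:
        """Analyst release/re-enable; returns the undo action that was issued."""
        act = next(a for a in self.log if a.action_id == action_id)
        if act.status == "reversed":
            raise ValueError(f"action {action_id} already reversed")
        act.status = "reversed"
        return RELEASE[act.action]


def sample_alerts() -> List[Alert]:
    """Constructed sample alerts (not real telemetry)."""
    return [
        Alert("A1", "MDI", "medium", "credential-theft", {"user": "jdoe", "device": "ws01"}),
        Alert("A2", "MDE", "high", "lateral-movement", {"device": "ws01"}),
        Alert("A3", "MDE", "high", "mass-encryption", {"device": "fs02", "user": "jdoe"}),
        Alert("A4", "MDE", "high", "mass-encryption", {"device": "lab07"}),  # single workload
        Alert("A5", "MDO", "low", "phishing-login", {"user": "msmith"}),     # low confidence
    ]


def run_demo():
    center = ActionCenter()
    incidents = correlate(sample_alerts())
    decisions = {inc.incident_id: classify(inc) for inc in incidents}
    for inc in incidents:
        if decisions[inc.incident_id]:
            center.apply(inc)
    return incidents, decisions, center


if __name__ == "__main__":
    _, decisions, center = run_demo()
    print(decisions)
    for a in center.log:
        print(a)
```

Only INC-1 is disrupted: its alerts come from two workloads, include high-confidence signals and cover three ransomware techniques, so the devices and the user it touches are contained. INC-2 has a high-confidence encryption alert but a single workload, and INC-3 is low confidence, so neither triggers an action; that asymmetry is the "high-confidence, high-impact only" property the exam asks about. Calling `center.reverse(3)` models an analyst re-enabling the account from the Action center.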
Configuration Requirements
To enable automatic attack disruption:
- Navigate to Settings > Microsoft Defender XDR > Automatic attack disruption
- Ensure proper licensing (Microsoft 365 E5 or equivalent)
- Devices must be onboarded to Defender for Endpoint
- Defender for Identity must be configured for identity-based actions
- Appropriate permissions are required (Security Administrator role)
Exam Tips: Answering Questions on Automatic Attack Disruption
Key Concepts to Remember:
- Automatic attack disruption works at the incident level, not on individual alerts
- It requires signals from multiple Defender workloads to function effectively
- Actions are reversible: SOC analysts can release contained devices or re-enable accounts
- The feature targets high-confidence, high-impact attack scenarios only
Common Exam Scenarios:
- Questions about prerequisites: Remember licensing (E5) and workload requirements
- Questions about what actions are taken: Focus on containment (device isolation, account disabling)
- Questions about where to configure: Settings in the Microsoft Defender XDR portal
- Questions about attack types: Ransomware, BEC, and adversary-in-the-middle
Watch Out For:
- Answers suggesting manual intervention is required for disruption to occur: it is automatic
- Answers implying this feature works with a single Defender product: it requires XDR correlation
- Confusion between automatic attack disruption and automated investigation and response (AIR): they are related but distinct features
Remember: The exam may test your understanding of the difference between containing assets (what disruption does) versus remediating threats (what AIR does). Attack disruption focuses on stopping the attack spread, while remediation focuses on cleaning up after the attack.