Automatic attack disruption in Microsoft Defender - Microsoft Defender XDR (original) (raw)

Microsoft Defender correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Defender disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.

Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves security operations teams in complete control of investigating, remediating, and bringing assets back online.

This overview explains automated attack disruption and links to next steps and related resources.

Attack disruption supports response actions in Microsoft Defender services and integrated identity services. This support includes actions in Microsoft Entra ID and Active Directory, and preview support for Okta and AWS integrated scenarios.

How automatic attack disruption works

Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise.

While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets.

Automatic attack disruption operates in three key stages:

• It uses Microsoft Defender's ability to correlate signals from many different sources into a single, high-confidence incident through insights from endpoints, identities, email and collaboration tools, and SaaS apps.
• It identifies assets controlled by the attacker and used to spread the attack.
• It automatically takes response actions in relevant Microsoft Defender products to contain the attack in real-time by containing and disabling affected assets.

This game-changing capability limits a threat actor's progress early on and dramatically reduces the overall impact of an attack, from associated costs to loss of productivity.

How Defender establishes confidence for automatic action

Security teams might hesitate when systems take automatic action because response actions can affect business operations. Automatic attack disruption addresses this concern by using high-fidelity signals and incident-level correlation from real data from email, identity, applications, documents, devices, networks, and files.

Confidence in automatic attack disruption refers to detector precision, measured by signal-to-noise ratio (SNR). For containment actions, Defender maintains a confidence level of 99% or higher based on real production data. Defender evaluates each detector hit against a broad set of indicators to classify true positives and false positives by combining machine learning outputs, cross-workload correlation, and expert-led incident classification.

Defender validates detectors in audit mode before broad release and gradually deploys only detectors that meet strict quality requirements. This process aims to keep false positives low while maintaining effective disruption of active attacks. Disruption detectors are continuously and dynamically evaluated to maintain detection quality and confidence.

Microsoft security experts continuously review disruption activity, monitor anomalies, and assess impact to preserve high detection quality over time.

In addition, all automatic actions can be undone by your security team, so you maintain full control over your environment. For more information, see Details and results of an automatic attack disruption action.

Automatic attack disruption enables the exclusion of specific user accounts, devices, and IP addresses from automated containment actions. Excluding assets from automated responses isn't recommended because it can reduce the effectiveness of automatic attack disruption in protecting your environment from sophisticated, high-impact attacks. To learn more, see Exclude assets from automated responses in automatic attack disruption.

How attack disruption uses AI

Attack disruption AI uses an ensemble of purpose-built models and detectors developed throughout the Microsoft Defender suite. These capabilities are trained and tuned using multiple data sources, including:

• Correlated Defender workload telemetry
• Microsoft threat intelligence
• Past incidents and post-incident analysis learnings from Microsoft customers

The platform uses multiple machine learning approaches, including graph models, boosted decision trees, neural networks, and dedicated small language models (SLMs), to improve detection quality and action precision.

Model and detector quality is maintained through continuous engineering and validation cycles rather than a single static release point. Before broad rollout, new detectors go through rigorous pre-release validation and staged deployment. Ongoing quality is supported by expert review of AI decisions and 24x7 operational response coverage for anomalous behavior.

Automated response actions

Automatic attack disruption uses Microsoft-based XDR response actions. Examples of these actions are:

• Device contain - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device.
  • In addition, Defender for Endpoint automatically contains malicious IP addresses associated with undiscovered/not onboarded devices to block any lateral movement and encryption activity to other Defender for Endpoint-onboarded/discovered devices. It does this through its Contain IP (Preview) policy. Moreover, compromised critical assets' IP addresses are also automatically contained with specific blocking mechanisms to stop the spread of an attack while avoiding productivity loss.
• Isolate device (Preview) - based on Microsoft Defender for Endpoint's capability, this action automatically isolates a compromised device from the network when the incident analysis indicates with high confidence that the device is being used as an active foothold. Most network traffic is blocked while the device remains connected to required security services for investigation and remediation. Isolation is time-limited and scoped only to devices involved in the incident. Security operators can release isolation at any time after completing investigation.
• Disable user - based on Microsoft Defender for Identity’s capability, this action is an automatic suspension of a compromised account to prevent additional damage, such as lateral movement, malicious mailbox use, or malware execution.
  Defender for Identity enables remediation actions for users from Active Directory, Microsoft Entra ID, and integrated identity providers. The Disable user action behaves differently depending on how the user is hosted in your environment.
  • When the user account is hosted in Active Directory: Defender for Identity triggers the disable user action on domain controllers running the Defender for Identity sensor.
  • When the user account is hosted in Active Directory and is synced to Microsoft Entra ID: Defender for Identity triggers the disable user action via onboarded domain controllers. Attack disruption also disables the user account in Microsoft Entra ID.
  • When the user account is hosted in Microsoft Entra ID only (cloud‑native account): Defender for Identity executes the disable user action in Microsoft Entra ID by using a Microsoft‑managed enterprise application. This application validates the signed‑in user’s assigned roles and permissions through role‑based access control (RBAC) before the account is disabled.
    The enterprise application is named Microsoft Defender for Identity and uses application ID 60ca1954‑583c‑4d1f‑86de‑39d835f3e452. In older tenants, this application might appear as Radius Aad Syncer.
    Note
    Disabling the user account in Microsoft Entra ID is not dependent on the deployment of Microsoft Defender for Identity.
• Contain user - based on Microsoft Defender for Endpoint's capability, this response action automatically contains suspicious identities temporarily to help block any lateral movement and remote encryption related to incoming communication with Defender for Endpoint's onboarded devices.
  Defender for Endpoint enforces user containment at the endpoint layer and doesn't disable the account in the identity provider. Defender for Endpoint blocks attacker use of compromised identities on protected devices and limits authentication-based access, file system access, and network communication paths.
  This action applies controls at a granular level, so Microsoft can target attack-related activity and preserve normal business communication where possible.

For more information, see remediation actions in Microsoft Defender.

Supported identity services for disruption actions

Use the following table to find where each supported identity service is configured:

Identify when an attack disruption happens in your environment

The Microsoft Defender incident page will reflect the automatic attack disruption actions through the attack story and the status indicated by a yellow bar (Figure 1). The incident shows a dedicated disruption tag, highlights the status of the assets contained in the incident graph, and adds an action to the Action Center.

Figure 1. Incident view showing the yellow bar where automatic attack disruption took action

The Microsoft Defender user experience includes visual cues to ensure visibility of these automatic actions. You can find them in the following experiences:

1. In the incident queue:
   • A tag titled Attack Disruption appears next to affected incidents
2. On the incident page:
   • A tag titled Attack Disruption
   • A yellow banner at the top of the page that highlights the automatic action taken
   • The current asset status is shown in the incident graph if an action is done on an asset, for example, account disabled or device contained
   • The Policy status column (Preview) in the Activities tab shows the current status of all actions and policies relevant to the incident. Filter by Provider: Attack disruption and Policy status: Active, Inactive, No status to view disruption policy statuses.
3. Via API:
   An (attack disruption) string is added to the end of the titles of incidents with high confidence likely to be automatically disrupted. For example:
   BEC financial fraud attack launched from a compromised account (attack disruption)

For more information, see view attack disruption details and results.

Next steps

• Configure automatic attack disruption
• View details and results
• Exclude assets from automated responses
• Get email notifications for response actions