Details and results of an automatic attack disruption action


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

With Microsoft Defender XDR, when an automatic attack disruption triggers, details about the risk and the containment status of compromised assets are available during and after the process. You can view these on the Incident page, which provides the full details of the attack and the up-to-date status of associated assets.

Review the incident graph

Microsoft Defender XDR automatic attack disruption is built-in in the Incident view. Reviewing the incident graph enables you to get the entire attack story and assess the attack disruption impact and status.

Here are some examples of what it looks like:

  • Disrupted incidents include a tag for 'Attack Disruption' and the specific threat type identified (i.e., ransomware). If you subscribe to incident email notifications, these tags also appear in the emails.
  • A highlighted notification below the incident title indicating that the incident was disrupted.
  • Suspended users and contained devices appear with a label indicating their status.

To release a user account or a device from containment, click on the contained asset and click release from containment for a device or enable user for a user account.

Track the actions in the Action center

The Action center ( brings together remediation and response actions across your devices, email & collaboration content, and identities. Actions listed include remediation actions that were taken automatically or manually. You can view automatic attack disruption actions in the Action center.

After you mitigate the risk and complete the investigation of an incident, you can release the contained assets from the action details pane (e.g., enable a disabled user account or release a device from containment). For more information about the action center, see Action center.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.

Next step