Automatic attack disruption in Microsoft Defender XDR
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
- Microsoft Defender XDR
Using the power of XDR, Microsoft Defender XDR correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence. While an attack is in progress, Microsoft Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.
Automatic attack disruption limits lateral movement early on and reduces the overall impact of an attack, from associated costs to loss of productivity. At the same time, it leaves the SOC team in complete control of investigating, remediating, and bringing assets back online.
This article provides an overview of automated attack disruption and includes links to the next steps and additional resources.
Automatic attack disruption is currently not available for US Government customers using GCC and GCC High.
How automatic attack disruption works
Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for the SOC to remediate the attack fully. Unlike known protection methods such as prevention and blocking based on a single indicator of compromise, the attack disruption in Microsoft Defender XDR leverages the full breadth of our XDR signal to act at the incident level, taking the entire attack into account.
While many XDR and SOAR solutions allow you to create your automatic response actions, the key difference to Microsoft Defender XDR's automatic attack disruption is that it is built-in and uses insights from our security researchers and advanced AI models to counteract the complexities of advanced attacks. It considers the entire context of signals from different sources to determine compromised assets.
Automatic attack disruption operates in three key stages:
- It uses Microsoft Defender XDR's XDR ability to correlate signals from many different sources into a single, high-confidence incident through insights from endpoints, identities, email and collaboration tools, as well as SaaS apps.
- It identifies assets controlled by the attacker and used to spread the attack.
- It automatically takes response actions across relevant Microsoft Defender products to contain the attack in real-time by isolating affected assets.
This game-changing capability limits a threat actor's progress early on and dramatically reduces the overall impact of an attack, from associated costs to loss of productivity.
Establishing high confidence when taking automatic action
We understand that taking automatic action sometimes comes with hesitation from security teams, given the potential impact it can have on an organization. Therefore, the automatic attack disruption capabilities in Microsoft Defender XDR are designed to rely on high-fidelity signals. In addition to XDR capabilities that correlate incidents with millions of Defender product signals across email, identity, applications, documents, devices, networks, and files. Insights from the continuous investigation of thousands of incidents by Microsoft's security research team ensure that automatic attack disruption maintains a high signal-to-noise ratio (SNR).
Investigations are integral to monitoring our signals and the attack threat landscape to ensure high quality and accurate protection.
This article describes how attack disruption works. To configure these capabilities, see Configure attack disruption capabilities in Microsoft Defender XDR.
Automated response actions
In automatic attack disruption, we leverage Microsoft-based XDR response actions. Examples of these actions are:
- Device contain - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device.
- Disable user - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution.
- Contain user - This response action automatically contains suspicious identities temporarily. This helps to block any lateral movement and remote encryption related to incoming communication with Microsoft Defender for Endpoint’s onboarded devices.
For more information, see remediation actions in Microsoft Defender XDR.
Identify when an attack disruption happens in your environment
The Microsoft Defender XDR incident page will reflect the automatic attack disruption actions through the attack story and the status indicated by a yellow bar (Figure 1). The incident will show a dedicated disruption tag, highlight the status of the assets contained in the incident graph, and add an action to the Action Center.
The Microsoft Defender XDR user experience now includes additional visual cues to ensure visibility of these automatic actions. You will find them across the following experiences:
In the incident queue:
- A tag titled Attack Disruption appears next to affected incidents
On the incident page:
- A tag titled Attack Disruption
- A yellow banner at the top of the page that highlights the automatic action taken
- The current asset status is shown in the incident graph if an action is done on an asset, e.g., account disabled or device contained
An (attack disruption) string is added to the end of the titles of incidents with high confidence likely to be automatically disrupted. For example:
BEC financial fraud attack launched from a compromised account (attack disruption)
For more information, see view attack disruption details and results.
- Configuring automatic attack disruption in Microsoft Defender XDR
- View details and results
- Get email notifications for response actions
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.