Edit

Configure automatic attack disruption capabilities in Microsoft Defender XDR

  • Article

Note

Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Microsoft Defender XDR includes powerful automated attack disruption capabilities that can protect your environment from sophisticated, high-impact attacks.

This article describes how to configure automatic attack disruption capabilities in Microsoft Defender XDR with these steps:

  1. Review the prerequisites.
  2. Review or change the automation level for device groups.
  3. Review or change the automated response exclusions for users.

Then, after you're all set up, you can view and manage containment actions in Incidents and the Action center. And, if necessary, you can make changes to settings.

Prerequisites for automatic attack disruption in Microsoft Defender XDR

Requirement Details
Subscription requirements One of these subscriptions:
  • Microsoft 365 E5 or A5
  • Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
  • Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
  • Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
  • Windows 10 Enterprise E5 or A5
  • Windows 11 Enterprise E5 or A5
  • Enterprise Mobility + Security (EMS) E5 or A5
  • Office 365 E5 or A5
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Defender for Office 365 (Plan 2)
  • Microsoft Defender for Business

See Microsoft Defender XDR licensing requirements.
Deployment requirements
  • Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)
    • The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.
    • Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device.
  • Microsoft Defender for Endpoint's device discovery is set to 'standard discovery'
Permissions To configure automatic attack disruption capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (https://portal.azure.com) or in the Microsoft 365 admin center (https://admin.microsoft.com):
  • Global Administrator
  • Security Administrator
To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see Required permissions for Action center tasks.

Review or change the automation level for device groups

Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, like your organization's device group policies. Review the configured automation level for your device group policies. You must be a global administrator or security administrator to perform the following procedure:

  1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Endpoints > Device groups under Permissions.

  3. Review your device group policies. Look at the Automation level column. We recommend using Full - remediate threats automatically. You might need to create or edit your device groups to get the level of automation you want. To exclude a device group from automated containment, set its automation level to no automated response. Note that this is not highly recommended and should only be done for a limited number of devices.

Review or change automated response exclusions for users

Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users won't be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure:

  1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Identities > Automated response exclusions. Check the user list to exclude accounts. Selecting user accounts for automated response exclusion

Excluding user accounts is not recommended, and accounts added to this list won't be suspended in all supported attack types like business email compromise (BEC) and human-operated ransomware.

Next steps

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.