Configure automatic attack disruption capabilities in Microsoft Defender XDR

Microsoft Defender XDR includes powerful automated attack disruption capabilities that can protect your environment from sophisticated, high-impact attacks.

This article describes how to configure automatic attack disruption capabilities in Microsoft Defender XDR with these steps:

  1. Review the prerequisites.
  2. Review or change the automated response exclusions for users.

Then, after you're all set up, you can view and manage containment actions in Incidents and the Action center. And, if necessary, you can make changes to settings.

Prerequisites for automatic attack disruption in Microsoft Defender XDR

Requirement Details
Subscription requirements One of these subscriptions:
  • Microsoft 365 E5 or A5
  • Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
  • Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on
  • Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
  • Windows 10 Enterprise E5 or A5
  • Windows 11 Enterprise E5 or A5
  • Enterprise Mobility + Security (EMS) E5 or A5
  • Office 365 E5 or A5
  • Microsoft Defender for Endpoint (Plan 2)
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Defender for Office 365 (Plan 2)
  • Microsoft Defender for Business

See Microsoft Defender XDR licensing requirements.

Deployment requirements
  • Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)
    • The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.
    • Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device.
  • Microsoft Defender for Endpoint's device discovery is set to 'standard discovery'
Permissions To configure automatic attack disruption capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (https://portal.azure.com) or in the Microsoft 365 admin center (https://admin.microsoft.com):
  • Global Administrator
  • Security Administrator
To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see Required permissions for Action center tasks.

Microsoft Defender for Endpoint Prerequisites

Minimum Sense Client version (MDE client)

The Minimum Sense Agent version required for the Contain User action to work is v10.8470. You can identify the Sense Agent version on a device by running the following PowerShell command:

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection' -Name "InstallLocation"

Automation setting for your organizations devices

Review the configured automation level for your device group policies, wWhether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings. You must be a global administrator or security administrator to perform the following procedure:

  1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Endpoints > Device groups under Permissions.

  3. Review your device group policies. Look at the Automation level column. We recommend using Full - remediate threats automatically. You might need to create or edit your device groups to get the level of automation you want. To exclude a device group from automated containment, set its automation level to no automated response. Note that this is not highly recommended and should only be done for a limited number of devices.

Device discovery configuration

Device discovery settings must be activated to "Standard Discovery" at a minimum. Learn how to configure device discovery in Set up device discovery.

Note

Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode.

Microsoft Defender for Identity Prerequisites

Set up auditing in domain controllers

Learn how to set up auditing in domain controllers in Configure audit policies for Windows event logs to ensure that required audit events are configured on the domain controllers where the Defender for Identity sensor is deployed.

Validate action accounts

Defender for Identity allows you to take remediation actions targeting on-premises Active Directory accounts in the event that an identity is compromised. To take these actions, Defender for Identity needs to have the required permissions to do so. By default, the Defender for Identity sensor impersonates the LocalSystem account of the domain controller and performs the actions. Since the default can be changed, validate that Defender for Identity has the required permissions or uses the default LocalSystem account.

You can find more information on the action accounts in Configure Microsoft Defender for Identity action accounts

The Defender for Identity sensor needs to be deployed on the domain controller where the Active Directory account is to be turned off.

Note

If you have automations in place to activate or block a user, check if the automations can interfere with Disruption. For example, if there is an automation in place to regularly check and enforce that all active employees have enabled accounts, this could unintentionally activate accounts that were deactivated by attack disruption while an attack is detected.

Microsoft Defender for Cloud Apps prerequisites

Microsoft Office 365 Connector

Microsoft Defender for Cloud Apps must be connected to Microsoft Office 365 through the connector. To connect Defender for Cloud Apps, see Connect Microsoft 365 to Microsoft Defender for Cloud Apps.

App Governance

App Governance must be turned on. Refer to the app governance documentation to turn it on.

Microsoft Defender for Office 365 prerequisites

Mailboxes location

Mailboxes are required to be hosted in Exchange Online.

Mailbox audit logging

The following mailbox events need to be audited by minimum:

  • MailItemsAccessed
  • UpdateInboxRules
  • MoveToDeletedItems
  • SoftDelete
  • HardDelete

Review manage mailbox auditing to learn about managing mailbox auditing.

Review or change automated response exclusions for users

Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users won't be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure:

  1. Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  2. Go to Settings > Microsoft Defender XDR > Identity automated response. Check the user list to exclude accounts. Selecting user accounts for automated response exclusion

  3. To exclude a new user account, select Add user exclusion.

Excluding user accounts is not recommended, and accounts added to this list won't be suspended in all supported attack types like business email compromise (BEC) and human-operated ransomware.

Next steps

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.