Configure automatic attack disruption capabilities in Microsoft Defender XDR
Microsoft Defender XDR includes powerful automated attack disruption capabilities that can protect your environment from sophisticated, high-impact attacks.
This article describes how to configure automatic attack disruption capabilities in Microsoft Defender XDR with these steps:
Then, after you're all set up, you can view and manage containment actions in Incidents and the Action center. And, if necessary, you can make changes to settings.
Prerequisites for automatic attack disruption in Microsoft Defender XDR
| Requirement | Details |
|---|---|
| Subscription requirements | One of these subscriptions:
|
| Deployment requirements |
|
| Permissions | To configure automatic attack disruption capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (https://portal.azure.com) or in the Microsoft 365 admin center (https://admin.microsoft.com):
|
Microsoft Defender for Endpoint Prerequisites
Minimum Sense Client version (MDE client)
The Minimum Sense Agent version required for the Contain User action to work is v10.8470. You can identify the Sense Agent version on a device by running the following PowerShell command:
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection' -Name "InstallLocation"
Automation setting for your organizations devices
Review the configured automation level for your device group policies, wWhether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings. You must be a global administrator or security administrator to perform the following procedure:
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
Go to Settings > Endpoints > Device groups under Permissions.
Review your device group policies. Look at the Automation level column. We recommend using Full - remediate threats automatically. You might need to create or edit your device groups to get the level of automation you want. To exclude a device group from automated containment, set its automation level to no automated response. Note that this is not highly recommended and should only be done for a limited number of devices.
Device discovery configuration
Device discovery settings must be activated to "Standard Discovery" at a minimum. Learn how to configure device discovery in Set up device discovery.
Note
Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode.
Microsoft Defender for Identity Prerequisites
Set up auditing in domain controllers
Learn how to set up auditing in domain controllers in Configure audit policies for Windows event logs to ensure that required audit events are configured on the domain controllers where the Defender for Identity sensor is deployed.
Validate action accounts
Defender for Identity allows you to take remediation actions targeting on-premises Active Directory accounts in the event that an identity is compromised. To take these actions, Defender for Identity needs to have the required permissions to do so. By default, the Defender for Identity sensor impersonates the LocalSystem account of the domain controller and performs the actions. Since the default can be changed, validate that Defender for Identity has the required permissions or uses the default LocalSystem account.
You can find more information on the action accounts in Configure Microsoft Defender for Identity action accounts
The Defender for Identity sensor needs to be deployed on the domain controller where the Active Directory account is to be turned off.
Note
If you have automations in place to activate or block a user, check if the automations can interfere with Disruption. For example, if there is an automation in place to regularly check and enforce that all active employees have enabled accounts, this could unintentionally activate accounts that were deactivated by attack disruption while an attack is detected.
Microsoft Defender for Cloud Apps prerequisites
Microsoft Office 365 Connector
Microsoft Defender for Cloud Apps must be connected to Microsoft Office 365 through the connector. To connect Defender for Cloud Apps, see Connect Microsoft 365 to Microsoft Defender for Cloud Apps.
App Governance
App Governance must be turned on. Refer to the app governance documentation to turn it on.
Microsoft Defender for Office 365 prerequisites
Mailboxes location
Mailboxes are required to be hosted in Exchange Online.
Mailbox audit logging
The following mailbox events need to be audited by minimum:
- MailItemsAccessed
- UpdateInboxRules
- MoveToDeletedItems
- SoftDelete
- HardDelete
Review manage mailbox auditing to learn about managing mailbox auditing.
Safelinks policy needs to be present.
Review or change automated response exclusions for users
Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users won't be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure:
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
Go to Settings > Microsoft Defender XDR > Identity automated response. Check the user list to exclude accounts.
To exclude a new user account, select Add user exclusion.
Excluding user accounts is not recommended, and accounts added to this list won't be suspended in all supported attack types like business email compromise (BEC) and human-operated ransomware.
Next steps
See also
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.