Attacks move faster than security teams can react. They spread across identities, endpoints, and SaaS apps in minutes, overwhelming analysts with signals and leaving little time to act. By the time an incident is investigated, the attacker has often already moved on, escalating impact and disrupting business continuity. Organizations need a way to respond faster and get ahead of these attacks.
That’s why we built automatic attack disruption, Microsoft’s AI‑driven self‑defense that stops in‑progress, multi‑domain attacks like ransomware in minutes before they can cause damage. At Ignite, we expanded attack disruption to support critical data sources ingested through Microsoft Sentinel: Amazon Web Services (AWS) and Proofpoint. This enables real-time detection and automatic containment of threats like phishing and identity compromise on top of your log data, fundamentally turning your SIEM into a threat protection solution.
Built on the industry’s most comprehensive XDR, Microsoft Defender applies Microsoft’s vast threat intelligence, deep security research, and powerful threat protection capabilities across any security signal so every log source in a customer’s environment benefits from the same high-fidelity detection, investigation, and response.
AWS: From Initial Access to real‑time containment
As organizations increasingly build and run critical workloads on AWS, the cloud has become one of the most attractive and frequently targeted attack surfaces for modern threat actors. With 45% of all data breaches in 2025 involving cloud‑based assets and 81% of organizations experiencing at least one cloud security incident in the past year, attackers are capitalizing on exposed identities at unprecedented scale.
To safeguard customers, attack disruption now disrupts two identity scenarios that most often drive attacker progression.
1. Compromised AWS federated user
In this scenario, a compromised Entra ID account is used to access AWS resources by assuming a federated AWS role. Automatic attack disruption will automatically disable the Entra ID user account and revoke the session, preventing the attacker from performing any further actions. Additionally, the federated AWS session will be revoked (via a deny policy) to immediately cut off the attacker’s activity in AWS.
2. Compromised AWS IAM user
In this scenario, an AWS IAM account is compromised by the attacker. Attack disruption contains the account by applying a deny policy, which restricts any further activity from the compromised account in AWS.
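The post says both scenarios are contained "via a deny policy" but does not show one. As an added example (not from the post and not Microsoft's implementation), here is the kind of policy that cuts off an existing AWS session: it uses the `aws:TokenIssueTime` condition key, AWS's documented way to revoke temporary credentials issued before a cutoff, plus a small evaluator to check which sessions it affects. The cutoff and session timestamps are constructed.

```python
import json
from datetime import datetime, timezone

# AWS condition keys compare timestamps in this ISO 8601 UTC form.
AWS_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse(ts: str) -> datetime:
    """Parse an AWS-style UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, AWS_TIME_FMT).replace(tzinfo=timezone.utc)


def build_session_revocation_policy(cutoff: str) -> dict:
    """Return an IAM policy document that denies every action to credentials
    issued before `cutoff`. Attached inline to the compromised role or IAM user,
    it invalidates in-flight sessions immediately; sessions issued after the
    cutoff (e.g. after credentials are rotated) are unaffected."""
    _parse(cutoff)  # fail early on a malformed timestamp
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RevokeSessionsIssuedBeforeCutoff",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }


def session_is_revoked(policy: dict, token_issue_time: str) -> bool:
    """Minimal evaluator for the policy above: True if any Deny statement's
    DateLessThan/aws:TokenIssueTime condition matches the session's issue time
    (an unconditional Deny matches everything)."""
    issued = _parse(token_issue_time)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff is None or issued < _parse(cutoff):
            return True
    return False


if __name__ == "__main__":
    # Constructed cutoff: the moment containment is applied.
    policy = build_session_revocation_policy("2025-11-18T10:00:00Z")
    print(json.dumps(policy, indent=2))
    print("attacker session (issued 09:30) revoked:",
          session_is_revoked(policy, "2025-11-18T09:30:00Z"))
    print("fresh session (issued 10:05) revoked:",
          session_is_revoked(policy, "2025-11-18T10:05:00Z"))
```

Because the deny is conditional on issue time, the principal can be re-enabled simply by issuing new credentials after the cutoff, while every session the attacker already holds stays blocked.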
Let’s look at a real-world scenario where attack disruption stops an attack on AWS.
Figure 1. Attack disruption on an AWS account
In this incident, we can see the activity leading up to the attack in AWS and that it was automatically contained by attack disruption. Replaying the sequence:
- The first indication is a phishing campaign where emails were deleted after delivery.
- Following this, a suspicious sign‑in from the compromised user account appears, along with a new network connection, signaling potential account takeover.
- The attacker then uses the victim’s Entra ID credentials to federate into a privileged AWS account.
- With signals from Sentinel correlated with XDR, Defender reaches high‑confidence confirmation of compromise.
- Attack disruption automatically revokes the session token and disables both the compromised Entra ID account and the AWSAdminRole used by the attacker.
But the attacker attempts to pivot by leveraging a secondary backdoor AWS account they had created earlier. Defender immediately detects this attempt and disables the backdoor account as well, preventing further lateral movement and neutralizing the intrusion completely.
Coming back to the incident, an additional reconnaissance alert appears, based on an AI‑generated signal from the Security Copilot Dynamic Threat Detection Agent. This agent investigates incidents to reveal hidden or correlated attacker activity, uncovering more alerts, assets, and indicators. It enriches the attack story and accelerates response by providing a dynamically generated “What Happened” explanation that clarifies the suspicious behavior and why the alert was raised.
Figure 2. Dynamic Threat Detection agent generated alert
Together, Defender’s AI-powered capabilities combined with Security Copilot agents demonstrate how modern SOC operations evolve from reactive triage to proactive, high‑impact defense.
Summary
By bringing your AWS data into Sentinel, you not only gain deep visibility and detection coverage, but you also unlock powerful AI-driven capabilities like automatic attack disruption through Microsoft Defender. These signals fuel protection, helping you stay ahead of attackers by accelerating response and reducing impact.
Getting started
- Attack disruption uses telemetry ingested via the AWS S3 connector. See the documentation for setup requirements.
- Read the Ignite 2025 news
- Discover and deploy content from the Content Hub
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.