Forum Discussion

mtcsb
Copper Contributor
Jun 26, 2024

Disable Defender for Identity Automation

Hello everyone. I am looking to roll out Defender for Identity in my environment. I am running into concerns regarding the automatic attack disruption feature. Ideally, I would want to deploy the solution in a detect-only format. However, I am not seeing any way to disable all automated response, or to exclude users in a bulk format. Currently, all I was able to find is this exclusion list within the Defender portal: https://learn.microsoft.com/en-us/defender-for-identity/automated-response-exclusions#how-to-add-automated-response-exclusions

However, this list appears to only allow selecting individual users. Is anyone aware of a way to fully disable all automated actions for Defender for Identity, or of a way to bulk exclude users?

Thanks

1 Reply

  • DylanInfosec
    Iron Contributor

    Hi mtcsb,

    I’ll start off by saying I get the apprehension about allowing an automatic response to be taken without understanding exactly what signals are being used to make the decision. Nevertheless, I personally have not heard any horror stories with Automatic Attack Disruption, nor experienced any myself. Any time it did trigger, which was seldom, it was 100% justified. Furthermore, to reverse the remediation there is an Undo button: Undo completed action

    Now, as far as how you can turn off automated responses, I believe the setting is tied to all automated actions, so there are implications in doing this, such as having to approve any automated remediation actions even for the commodity malware removal, depending on your settings. See here on how to configure these settings per device group: Automation setting for your organizations devices

    And please read and understand what each automation level means and how it could affect your overall security posture and workload: Automation levels in automated investigation and remediation capabilities

    Best,

    Dylan