Automated Attack Disruption Testing
Hi Danny,
You’re absolutely right — the older MDE simulation/tutorial links used to be very useful, but many of them were retired or redirected after the move into the unified Microsoft Defender XDR portal, so today they often land only on the homepage.
For showcasing Automated Attack Disruption safely to customers, the best current resources are:
Official Microsoft walkthrough / explanation
Microsoft published a dedicated session that explains the feature and includes demo context:
Answering Your Questions: Attack Disruption Explained
https://learn.microsoft.com/en-us/shows/microsoft-sentinel-defender-xdr-virtual-ninja-training/answering-your-questions-attack-disruption-explained
Official documentation
Current reference documentation with supported scenarios, containment actions, and prerequisites:
Automatic attack disruption in Microsoft Defender XDR
https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption
This is especially useful for explaining scenarios like:
- Ransomware disruption
- Compromised users
- Device isolation
- Lateral movement interruption
- Critical asset containment
Best safe demo approach
For customer demos, instead of using real malware, I normally recommend a storyboarded simulation:
- Suspicious user compromise detected
- Lateral movement indicators triggered
- Defender XDR correlates signals into one incident
- Attack Disruption automatically contains user/device
- Analyst reviews actions in Action Center
That usually demonstrates the value very effectively without risking demo machines.
My suggestion to Microsoft
It would be great to bring back a dedicated interactive Attack Simulation / Attack Disruption demo lab directly inside Defender XDR, because it was a strong enablement tool for partners and customers.
Hope this helps.