Forum Discussion
Ninja Cat Giveaway: Episode 9 | Attack disruption
Hey HeikeRitter!
Attack disruption is there to "hit the pause button" on an active attack detected by M365D, buying time for responders or hopefully even stopping damage entirely. The types of automation we expect are device isolation (potentially stopping a device with ransomware from connecting to other devices) and account suspension (potentially stopping an attacker from logging into a BEC-impacted identity).
The confidence that it's not a false positive - and therefore why it can be automated - is driven by the correlation of signals across the different M365D pillars. For example, MDE alone raising an alert raises your interest; but correlation to other alerts (in the form of an incident) from MDI, MDO, etc. is what really confirms the need to disrupt the chain of events.
The compelling thing about attack disruption in M365D is its out-of-the-box nature. Organizations with greater resources may already have SIEM/SOAR with custom-developed response playbooks, but this lowers the cost (resources, knowledge, staffing) for defenders by acting on their behalf.