Attack disruption in Microsoft 365 Defender AMA
Event details
This January we announced the public preview of automatic attack disruption in Microsoft 365 Defender. The built-in attack disruption capabilities in Microsoft 365 Defender help stop the progression of advanced attacks such as ransomware and business email compromise (BEC) with AI-driven detection that automatically isolates compromised devices and user accounts.
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions about automatic attack disruption anytime in the comments before the event starts, although the team will only be answering questions during the live hour!
18 Comments
- Trevor_Rusher
Community Manager
Thank you all for joining our AMA today! I'll be locking this event to new questions but you should always be able to see all the questions and answers here on this page in perpetuity, so feel free to bookmark. We will also be following up on any existing threads for follow-up questions. If you have more questions related to Attack Disruption feel free to check out the Microsoft 365 Defender Discussion Space here on Tech Community.
Also please stay tuned for our next AMA here on the SCI Tech Community Event Space!
- Peter Holland
Iron Contributor
Is there anything Microsoft or the threat protection team can do about third-party product vendors posting misleading and mostly completely false information about Defender services on their 'product comparison' pages? Is there someone we can forward false information published by other vendors to? Since the withdrawal of Microsoft from feature comparisons, it seems a lot of third-party vendors have leaned heavily into it and falsify information about Defender, which non-technical decision makers (and often technical decision makers) believe.
- Paul Husted
Copper Contributor
Peter,
I'm not a Microsoft person (obviously) so not speaking for them.
I'm not sure what Microsoft or anyone else can do to prevent others from posting inaccurate or misleading information in a blog or other online source.
The only defense is for Microsoft to publish clear information about their capabilities. Trying to keep up with comparison sheets between MS and others is really hard; things change so much faster now that it would be a massive and thankless task to try.
I sometimes think that others are not intentionally trying to mislead. They may simply not understand what Defender is or their understanding is 18 months old and woefully inadequate now.
My two cents worth.
- HeikeRitter
Microsoft
Please feel free to contact me at hritter@microsoft.com
- Paul Husted
Copper Contributor
From the links provided, I can see the various license options that enable M365 Defender. It's unclear whether the typical SMB customer who has Microsoft 365 Business Premium has the required license level(s) for attack disruption. They clearly can use Defender for Business and deploy/manage it via Intune. But will attack disruption protect these customers?
- Paul Husted
Copper Contributor
That's unfortunate. These are precisely the customers who need automated response. They often don't have dedicated IT and most certainly don't have the SOC skills to react to an attack. Is there a license add-on that would enable it for them?
- Trevor_Rusher
Community Manager
Welcome to the Attack disruption in Microsoft 365 Defender AMA! This live hour gives you the opportunity to ask questions directly to the Microsoft team. Please post any questions in a separate, new comment thread on this event. Microsoft team, please introduce yourself on this thread to let the customers know who you are and what you do!
- mchibo
Microsoft
Hey Everyone! I'm Michael, a Security Researcher in Microsoft Defender for Endpoint. I've been working with the team for about 2 years, with my focus being high-fidelity detection of human-operated ransomware attacks. Let's talk 😄
- eyalh
Microsoft
Hello everyone, I am Eyal Haik and I am a Senior Product Manager in the Microsoft 365 Defender team!
- Hadar Feldman
Microsoft
Hi everyone, I'm Hadar Feldman, a PM lead in Microsoft 365 Defender! I've been part of the Defender journey for the past 7 years now, mostly focused on protection (disruption, AIR) and security investigation experiences (incidents, threat analytics and more).
- Peter Holland
Iron Contributor
It seems really unclear as to when and where attack disruption is enabled. Is there a way to definitively confirm that it is enabled for the organisation, specific users, or specific systems? Lots of automated remediation (AIR) seems to get stuck in an investigation state of "queued" if there is a part of the incident involving mailboxes. As far as I can tell everything is set correctly according to the guidance. Is this intended, and will attack disruption be hampered by this? How will the disrupted attacks be reported or appear in the alerts or incidents view of the Defender portal?
- eyalh
Microsoft
Thanks for the question Peter. Automatic attack disruption is enabled by default for Microsoft 365 Defender customers (in public preview, at present). The feature is not affected by the queue you described. Disrupt actions are taken automatically in attack disruption scenarios and do not have a pending state. You can learn more about related configuration options (e.g., to exclude specific assets from automation), and prerequisites here.
- Peter Holland
Iron Contributor
Is there any way to confirm activation? In an organisation with mixed E3 and E5 licensing, or just some users with +E5 Security? Is it just: got E5 and it's on, assume you are good unless you have added a daft exclusion?
- HeikeRitter
Microsoft
Those are great questions, and I am sure we can / will cover them during the AMA! In the meantime, I also created a post that contains various additional resources around attack disruption - have a look! https://techcommunity.microsoft.com/t5/microsoft-365-defender/resources-for-automatic-attack-disruption/m-p/3797672#M1145
- Trevor_Rusher
Community Manager
I'm excited to share this upcoming AMA with the attack disruption team! Remember to please ask your questions down here in a new comment thread. You can ask them at any time leading up to or during the event but the team won't be answering questions until the live hour. Thanks!