Attack disruption in Microsoft 365 Defender AMA
Event Ended
Wednesday, May 03, 2023, 09:00 AM PDT
Event details
This January we announced the public preview of automatic attack disruption in Microsoft 365 Defender. The built-in attack disruption capabilities in Microsoft 365 Defender help stop the progression ...
Trevor_Rusher
Updated May 03, 2023
Peter Holland
May 03, 2023 - Iron Contributor
It seems really unclear as to when and where attack disruption is enabled. Is there a way to definitively confirm that it is enabled for the organisation, specific users, specific systems?
Lots of automated remediation (AIR) seems to get stuck in an investigation state of "queued" if there is a part of the incident involving mailboxes. As far as I can tell everything is set correctly according to the guidance. Is this intended, and will attack disruption be hampered by this?
How will the disrupted attacks be reported or appear in the alerts or incidents view of the Defender portal?
- eyalh - May 03, 2023
Microsoft
Thanks for the question Peter. Automatic attack disruption is enabled by default for Microsoft 365 Defender customers (in public preview, at present). The feature is not affected by the queue you described. Disrupt actions are taken automatically in attack disruption scenarios and do not have a pending state. You can learn more about related configuration options (e.g., to exclude specific assets from automation), and prerequisites here.
- Peter Holland - May 03, 2023 - Iron Contributor
Is there any way to confirm activation? In an organisation with mixed E3 and E5 licensing, or just some users with +E5 Security, is it just: got E5 and it's on, assume you are good unless you have added a daft exclusion?
- Hadar Feldman - May 03, 2023
Microsoft
The simplest answer is: your environment is at the safest setup when E5 is fully deployed and all sensors are well configured. The reason is that attack disruption is an XDR capability; it requires multiple signals from multiple sources to gain confidence and to act on the compromised assets (MDE, MDI, MDA...). That said, we can double-click together on your specific setup and see what capabilities are applicable and where, as you may have some partial coverage provided by disruption.
- HeikeRitter - May 03, 2023
Microsoft
Those are great questions, and I am sure we can / will cover them during the AMA! In the meantime, I also created a post that contains various additional resources around attack disruption; have a look: https://techcommunity.microsoft.com/t5/microsoft-365-defender/resources-for-automatic-attack-disruption/m-p/3797672#M1145
Location: Microsoft Tech Community