Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Ninja Cat Giveaway: Episode 9 | Attack disruption


For this episode, your opportunity to win a plush ninja cat is the following –

Explain what attack disruption means and one reason why it is critical to any organization.


This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

9 Replies
Attack disruption means an automated response actions aimed to identify and contain an attack in progress and reduce it's impact. The one reason why it is crucial to an org as it is fully automated and an XDR level of protection.

@Heike Ritter Really helpful to buy some time to investigate if attack has already started, as most of company dont have 24*7 SOC capability.

Hey @Heike Ritter , Hello!

Attack disruption to me is a mean to buy more time during an ongoing attack in order to:

1) Reach to the root cause and/or point of entrance of the attacker &/or

2) Prevent (& hopefully stop) the attacker from creating more havoc by breaking their series of attacks


Although the above points may have explained why it is crucial to any organization, the most important aspect of attack disruption is that it should be automated and in near-real time. It is critical for an organization to be prepared with a attack disruption playbook at all times and much better to employ tools like Defender which will know when to run the attack disruption playbook!


I hope the ninja cat is impressed by my answer and will come to me!! :beaming_face_with_smiling_eyes:

It is a fully automated feature in M365 Defender. It provides a XDR level of protection to organizations. It helps to stop progress and reduce the impact of business email compromise and human operated ransomware attacks. It will buy time for SOC team to handle the incident and remediate attacks.

Hey @Heike Ritter : Attack disruption helps in  containing a progressive attack from further expanding, this helps the analysts to have more time for taking remediation steps. Rather than blocking the IOC's - preventing or containing the limits of an adversary's expansion, - reduces the overall impact of an attack, both financially and in terms of production.

Praveen A 


Hey @Heike Ritter!


Attack disruption is there to "hit the pause button" on an active attack detected by M365D, buying time for responders or hopefully even stopping damage entirely. The types of automation you we expect are device isolation (potentially stopping a device with ransomware from connecting to other devices) and account suspension (potentially stopping an attacker logging into a BEC-impacted identity).


The confidence it's not a false positive - and therefore why it can be automated - is driven by the correlation of signals across the different M365D pillars. For example, MDE alone raising an alert raises your interest; but correlation to other alerts (in the form of an incident) from MDI, MDO, etc is what really confirms the need to disrupt the chain of events.


The compelling thing about attack disruption in M365D is it's out-the-box nature. Organizations with greater resources may already have SIEM/SOAR with custom developed response playbooks, but this lowers the cost (resources, knowledge, staffing) for defenders by acting on their behalf.

Attack disruption means making the attackers` job a little bit more difficult, slowing down their operation and obstructing their spread throughout the orgs` network. It is critical because it will give us more time to react and respond, to find the facts and to remove the attacker.
Attack disruption is a mean to stop the attack as early as possible and with as little damage as possible. Even better if the disruption has happened automatically before the human eye has noticed that something is going on.

Can't think of a more important feat from the security operations than to disrupt the attack before the whole domain has been compromized.
A fully automated response capability of Microsoft 365 Defender, which will quickly & effectively contain an attack in progress. This involves identifying and acting fast so that it is contained.
It is critical to organisations

It is essential for organisations to prevent BEC or Human Operated Ransomware attacks which are two of the most popular techniques for attackers an can have signals across alerts.