3.4 Response Actions and Automation

50 minutes · Module 3 · Free

Response Actions

When an investigation confirms a threat, you need to act. The Defender portal provides response actions across every product — device isolation, account containment, email remediation, and file quarantine — all accessible from the incident page without switching between portals.

Actions by product

Response actions by product

Defender for Endpoint: Isolate device · Run antivirus scan · Restrict app execution · Collect investigation package · Initiate automated investigation
Defender for Office 365: Soft delete email · Hard delete email · Move to junk · Block sender · Block URL · Submit for analysis
Entra ID / Identity: Disable account · Revoke sessions · Force password reset · Confirm user compromised
Cross-product: Trigger automated investigation (AIR) · Link to Sentinel playbook · Add tags

Figure 3.4: Response actions available in the Defender portal, grouped by product.

Choosing the right action

Not every response action is appropriate in every situation. The decision depends on confidence level and blast radius.

Blast radius matters

Disabling a user account stops the attacker — but it also stops the user. Isolating a device prevents lateral movement — but it takes the device offline for the user. Every containment action has a cost. The investigation modules in Phase 3 teach you to weigh these trade-offs for specific scenarios. The principle here: act on evidence, not assumption. Confirm the scope of compromise before taking actions that disrupt business operations.

High-confidence compromise (evidence of active attacker): Revoke all sessions, disable the account, isolate affected devices. Inform the user separately. Speed matters more than convenience when an attacker is actively operating in your environment.

Medium-confidence (suspicious activity, not confirmed): Revoke sessions and force re-authentication with MFA. Monitor the account closely. Do not disable — the activity may be legitimate (VPN, travel, new device).

Email-only threat (phishing delivered, no credential compromise confirmed): Soft delete the email from all recipient mailboxes. Block the sender. Check UrlClickEvents to see if anyone clicked. If clicks occurred, escalate to sign-in log investigation.
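The email-only workflow above (scope the delivered message for the soft delete, check UrlClickEvents for clicks, escalate clickers to sign-in review) as an added advanced hunting query; this is not part of the course material. The sender address and URL fragment are constructed placeholders, and the AADSignInEventsBeta table is assumed to be populated in the tenant.

```kql
// Added example, not from the course: scope a delivered phishing email, find who
// clicked, and pull post-click sign-ins so the response can target real exposure.
// PLACEHOLDERS: sender address and URL fragment are constructed; replace them with
// the values from the incident you are working.
let suspectSender = "invoice@contoso-billing.example";   // constructed placeholder
let suspectUrlFragment = "contoso-billing.example";       // constructed placeholder
let lookback = 7d;
// 1. Which mailboxes received the message? This is the scope for "soft delete".
let recipients = EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromAddress =~ suspectSender
    | project NetworkMessageId, RecipientEmailAddress, Subject,
              DeliveryAction, DeliveryLocation;
// 2. Did any recipient click the link, and did Safe Links allow the click?
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Url has suspectUrlFragment
    | project ClickTime = Timestamp, NetworkMessageId, AccountUpn, Url,
              ActionType, IsClickedThrough;
// 3. For allowed (or clicked-through) clicks, attach the user's later sign-ins.
//    AADSignInEventsBeta is assumed to be available; an empty set for a user means
//    no sign-in was recorded after the click, which still warrants a manual check.
recipients
| join kind=inner clicks
    on NetworkMessageId, $left.RecipientEmailAddress == $right.AccountUpn
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| join kind=leftouter (
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | project SignInTime = Timestamp, AccountUpn, IPAddress, Country,
              ErrorCode, Application
  ) on AccountUpn
| where isnull(SignInTime) or SignInTime > ClickTime
| summarize Clicks = count(),
            FirstClick = min(ClickTime),
            PostClickSignIns = countif(isnotnull(SignInTime)),
            SignInCountries = make_set(Country),
            SignInIPs = make_set(IPAddress)
  by AccountUpn, Url, Subject
| order by PostClickSignIns desc, Clicks desc
```

Users who appear in the result with sign-ins from unfamiliar countries or IPs are the ones to move from the email-only playbook to the medium- or high-confidence account actions described above.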

Automatic Attack Disruption

Attack disruption is the most aggressive automated response capability in Defender XDR. When the system detects a high-confidence attack in progress — active ransomware deployment, credential harvesting at scale, or automated lateral movement — it can take containment actions without waiting for analyst approval.

Specifically, attack disruption can disable the compromised user account and isolate affected devices simultaneously. This happens at machine speed, typically within minutes of detection, while a human analyst might take 30-60 minutes to triage, investigate, and act.

When machine speed matters

Ransomware can encrypt an entire file server in under 10 minutes. An analyst triaging the alert, investigating the scope, and approving containment takes 30-60 minutes. Attack disruption closes that gap by acting on high-confidence detections immediately. It is not a replacement for analyst judgment — it is a safety net for the scenarios where human response time is too slow.

Attack disruption only fires for high-confidence, high-severity scenarios. It will not disable an account over a single suspicious sign-in. The threshold is deliberately high to avoid false positive disruption.

Check your understanding

1. A user's account shows signs of compromise but you are not yet certain. Which response action is most appropriate?

Disable the account immediately
Revoke sessions and force re-authentication with MFA, then monitor closely
Do nothing until you have full confirmation

2. Why does attack disruption only activate for high-confidence detections?

Microsoft has not finished building it for other scenarios
Lower-severity attacks do not need response
Automatic account disabling and device isolation disrupt business operations — false positive disruption is worse than a delayed manual response for lower-confidence scenarios