April 16, 2025

Blog

Defender XDR: Critical Asset and Shadow IT Containment

Introduction:

Microsoft Defender XDR continues to improve its Automatic Attack Disruption capabilities, helping organizations contain attacks earlier and more precisely.

The latest update brings two important new features:

  • Granular containment of critical assets

  • Containment of IP addresses linked to unmanaged devices (Shadow IT)

This post provides a quick overview of the changes, how they work, and what you should know before enabling them.


Overview: Why Automatic Attack Disruption matters

Attackers constantly evolve — using lateral movement techniques, privilege escalation, and exploiting unmanaged assets.

Traditional containment strategies often required full device isolation, which could interrupt business operations, especially when critical infrastructure was involved.

Microsoft’s approach improves this by introducing targeted containment:

  • Limiting the attacker’s actions without fully disconnecting the device

  • Minimizing the impact on operational continuity

  • Automatically identifying and blocking risky unmanaged devices


What’s New?

Granular Containment of Critical Assets

Scope:

Applies to Domain Controllers, DNS servers, DHCP servers, and other critical systems.

How it works:

Instead of isolating the device completely, Defender for Endpoint restricts only the network protocols and communication paths that attackers typically abuse from a compromised server, while the traffic the server's core role depends on (authentication, name resolution, and address leasing for the examples above) keeps flowing.

Impact:

  • The contained device can no longer be used as a pivot for lateral movement or privilege escalation.

  • Essential network services remain operational.

  • Business continuity is preserved even during active incidents.

Containment of IP addresses from Unmanaged Devices

Scope:

Targets shadow IT, BYOD, and any unmanaged devices that could be leveraged in lateral movement.

How it works:

When malicious activity from an unknown or unmanaged device is detected, its associated IP address is automatically contained, blocking it from interacting with managed assets.


Impact:

  • Reduces risks associated with devices outside your management scope.

  • Prevents early-stage attacks from escalating through weak points in the network.
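
Containment of an unmanaged IP is reactive: it fires once malicious activity is detected. As an added example (not from the original post), the following advanced hunting query surfaces the same population proactively: private IP addresses that accept inbound connections on onboarded devices but that no onboarded device has reported owning. The 7-day window, the assumption of a flat RFC1918 estate, and the `ManagedTargets > 1` threshold are my choices; column names follow the standard DeviceNetworkInfo and DeviceNetworkEvents schema, using the TimeGenerated naming that the other queries on this page use.

```kql
// Added example (not from the original post): inbound connections to onboarded
// devices from private IP addresses that no onboarded device has reported owning,
// i.e. candidate unmanaged / shadow IT hosts touching managed assets.
// Assumptions: a 7-day window, a flat RFC1918 estate, and that a Defender sensor
// (not a NAT gateway, VPN concentrator or load balancer) owns each source address.
// TimeGenerated is the Sentinel/unified-portal column name used elsewhere on this
// page; classic Defender advanced hunting calls the same column Timestamp.
let lookback = 7d;
// Every IP address an onboarded device has reported on an adapter that was up.
let ManagedIPs =
    DeviceNetworkInfo
    | where TimeGenerated > ago(lookback)
    | where NetworkAdapterStatus == "Up"
    | extend Addr = parse_json(IPAddresses)
    | mv-expand Addr
    | extend IP = tostring(Addr.IPAddress)
    | where isnotempty(IP)
    | distinct IP;
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
| where RemoteIPType == "Private"           // drop this line to include internet-facing hosts
| where RemoteIP !in (ManagedIPs)           // source is not a known managed device
| summarize
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    ManagedTargets = dcount(DeviceId),
    TargetNames    = make_set(DeviceName, 10),
    LocalPorts     = make_set(LocalPort, 20)
  by RemoteIP
| where ManagedTargets > 1                  // one unmanaged source reaching several managed assets
| sort by ManagedTargets desc, LastSeen desc
```

Treat the hits as hunting leads, not verdicts: compare each RemoteIP against the device discovery inventory and your existing exclusion list, and expect shared infrastructure (DHCP relays, jump hosts, print servers that were never onboarded) to appear before anything malicious does. The same list is a good starting point for deciding which addresses genuinely need an attack disruption exclusion.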


Important Technical Considerations

Prerequisites

  • Licensing:

    Requires Microsoft 365 E5, Microsoft Defender for Endpoint Plan 2, or equivalent security licensing (see Microsoft's licensing documentation for the full list).

  • Deployment:

    Device discovery in Defender for Endpoint must be in Standard discovery mode so that unmanaged devices and their IP addresses are inventoried; IP containment of unmanaged devices depends on this.

  • Automation settings:

    Devices should belong to device groups whose automation level is set to Full (remediate threats automatically) in the Defender portal settings; otherwise containment actions wait in the Action Center for manual approval.

  • Minimum client version:

    Endpoints must run the Defender for Endpoint client (Sense) version 10.8470 or later for user containment actions to be enforced.

  • Permissions:

    Configuration changes require either Global Administrator or Security Administrator role in Entra ID or M365 Admin Center.


Managing Containment Actions

Containment actions are fully visible and manageable:

  • Incident Graph:

    Contained devices and contained or disabled user accounts are labeled in the incident graph. Release (undo) actions can be performed manually once the risk has been mitigated.

  • Action Center:

    All attack disruption actions are tracked centrally in the Action Center, where they can also be reviewed and undone.

  • Advanced Hunting:

    You can track containment events via KQL queries, e.g.,

DeviceEvents
| where TimeGenerated > ago(30d)              // bound the search; classic Defender advanced hunting names this column Timestamp
| where ActionType contains "ContainedDevice"


Tracking Disabled Accounts After Attack Disruption:

  • Attack disruption in Microsoft Defender XDR disables compromised on-premises accounts through the remediation actions of Defender for Identity.

  • By default, the Defender for Identity sensor performs these actions as LocalSystem on the domain controller; if a gMSA action account has been configured, that account is the actor instead, but the action still originates from the domain controller.

  • Because the actor device is therefore a domain controller, the following query finds accounts that were disabled from a DC, which covers both automatic attack disruption and manual disables performed on a DC:


// Domain controllers: devices seen with a Kerberos (port 88) listener in the last 7 days.
// The query keys on the IPv4-mapped IPv6 local address the sensor reports for that listener.
let AllDomainControllers =
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| extend DCDevicename = tolower(tostring(split(DeviceName,".")[0]))   // short hostname, lowercased to match ACTOR.DEVICE
| distinct DCDevicename;
// Account-disable operations whose actor device is one of those domain controllers.
IdentityDirectoryEvents
| where TimeGenerated > ago(90d)
| where ActionType == "Account disabled"
| where Application == "Active Directory"
| extend ACTOR_DEVICE = tolower(tostring(AdditionalFields.["ACTOR.DEVICE"]))
| where isnotempty(ACTOR_DEVICE)
| where ACTOR_DEVICE in (AllDomainControllers)
| project TimeGenerated, TargetAccountUpn, ACTOR_DEVICE
// TimeGenerated is the column name in the Sentinel/unified portal; classic Defender advanced hunting uses Timestamp.
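
Knowing which accounts were disabled is half the picture; the other half is whether, when, and by whom they were re-enabled, since an attacker who still holds an admin account can simply undo the containment. As an added example (not from the original post), the following query reuses the same DC heuristic and joins each disable to the first subsequent enable of the same account. The 90-day window and the "Account enabled" ActionType value are assumptions to verify against your own IdentityDirectoryEvents data; the other column names follow the standard schema.

```kql
// Added example (not from the original post): accounts disabled from a domain
// controller (attack disruption, or a manual disable performed on the DC) that were
// later re-enabled, with the re-enabling actor and how long containment held.
// Assumptions: a 90-day window and the ActionType value "Account enabled"; verify
// both in your tenant. TimeGenerated is the Sentinel/unified-portal column name.
let lookback = 90d;
// Same DC heuristic as the page's query: hosts with a Kerberos listener.
let DomainControllers =
    DeviceNetworkEvents
    | where TimeGenerated > ago(7d)
    | where LocalPort == 88 and LocalIPType == "FourToSixMapping"
    | extend DC = tolower(tostring(split(DeviceName, ".")[0]))
    | distinct DC;
// Disable operations whose actor device is a domain controller.
let Disabled =
    IdentityDirectoryEvents
    | where TimeGenerated > ago(lookback)
    | where Application == "Active Directory" and ActionType == "Account disabled"
    | extend ActorDevice = tolower(tostring(AdditionalFields.["ACTOR.DEVICE"]))
    | where ActorDevice in (DomainControllers)
    | project DisabledAt = TimeGenerated, TargetAccountUpn, DisabledFrom = ActorDevice;
// Every enable operation, with the human or service account that performed it.
let Enabled =
    IdentityDirectoryEvents
    | where TimeGenerated > ago(lookback)
    | where Application == "Active Directory" and ActionType == "Account enabled"
    | project EnabledAt = TimeGenerated, TargetAccountUpn,
              EnabledBy = AccountUpn,
              EnabledFrom = tolower(tostring(AdditionalFields.["ACTOR.DEVICE"]));
Disabled
| join kind=inner Enabled on TargetAccountUpn
| where EnabledAt > DisabledAt                    // only enables that followed this disable
| extend DisabledFor = EnabledAt - DisabledAt
// Keep the first re-enable after each disable.
| summarize arg_min(EnabledAt, EnabledBy, EnabledFrom, DisabledFor)
    by TargetAccountUpn, DisabledAt, DisabledFrom
| sort by EnabledAt desc
```

Short DisabledFor values, or an EnabledBy that is not a member of the incident response team, are the rows to look at first: either the account was released before the incident was actually remediated, or an attacker with sufficient privilege reversed the containment. A re-enable performed from a workstation rather than an admin host is worth the same scrutiny.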

Manual Exclusions:

  • Users, devices, and IP addresses or subnets can be excluded from automatic attack disruption in the Defender XDR portal (see the exclusions documentation linked below). Use this sparingly and review it regularly: every exclusion is an asset an attacker can keep using while containment runs elsewhere. The legitimate cases are shared addresses such as NAT gateways or VPN pools, where containing the IP would cut off every device behind it.


Summary:

This update strengthens Defender XDR’s ability to:

  • Contain attacks earlier in the kill chain.

  • Minimize disruption to critical infrastructure.

  • Cover unmanaged assets automatically.

Proper deployment, correct licensing, and full automation policies are key to making the most out of this capability.


Full documentation and setup instructions:

https://techcommunity.microsoft.com/blog/MicrosoftThreatProtectionBlog/automatic-attack-disruption-enhanced-containment-for-critical-assets-and-shadow-/4402157

https://learn.microsoft.com/en-gb/defender-xdr/automatic-attack-disruption-exclusions