This chapter covers Automatic Attack Disruption (AAD) in Microsoft Defender XDR, a critical capability for the SC-200 exam. AAD enables near-real-time containment of sophisticated attacks by automatically isolating compromised assets, blocking attacker infrastructure, and suspending malicious sessions—all without human intervention. Expect approximately 10-15% of exam questions to touch on AAD, either directly or as part of broader incident response scenarios. Mastery of its triggers, actions, and configuration is essential for the 'Defender XDR' domain.
Automatic Attack Disruption (AAD) in Microsoft Defender XDR is like your body's adaptive immune system when it detects a rapidly spreading viral infection. Normally, your immune system patrols for threats, and if it finds a few virus particles, it slowly ramps up antibodies. But if the virus is replicating explosively—like ransomware spreading laterally—your immune system doesn't wait for a full analysis. It immediately triggers a 'cytokine storm' of containment actions: it floods the area with immune cells to wall off infected cells, blocks blood flow to the region, and tags every cell in the vicinity for destruction. This is the analog of AAD's automated containment: it doesn't just alert; it actively isolates compromised accounts, devices, and sessions in real-time using signals from Defender for Endpoint, Defender for Identity, and Defender for Office 365. The 'immune memory' corresponds to the automatic incident response playbooks that learn from each attack. Just as your body might later produce memory B-cells to recognize that virus, AAD updates its detection logic to prevent similar future attacks. The key mechanistic parallel is that both systems trade perfect accuracy for speed—they'd rather overreact and contain a false positive than let a true positive become a pandemic. In AAD, this means suspending a legitimate user account for a few minutes if the risk score crosses a threshold, because the cost of a false negative (ransomware encrypting 10,000 files) is far higher.
What is Automatic Attack Disruption?
Automatic Attack Disruption (AAD) is a capability within Microsoft 365 Defender that automatically contains active attacks in real-time. It is designed to stop the spread of ransomware, advanced persistent threats (APTs), and other fast-moving attacks that would otherwise cause widespread damage before a human analyst can respond. AAD operates at machine speed, using signals from multiple Defender components—Defender for Endpoint (MDE), Defender for Identity (MDI), Defender for Office 365 (MDO), Defender for Cloud Apps (MDA)—to make containment decisions.
AAD is not a standalone product; it is an integrated feature of Microsoft 365 Defender that is enabled by default for all tenants with the appropriate licenses (Microsoft 365 E5, Microsoft 365 E5 Security, or standalone Defender for Endpoint P2). It works by continuously evaluating the risk of ongoing incidents and automatically taking actions when the risk exceeds a predefined threshold.
Why Does AAD Exist?
Before AAD, incident response was largely manual. Security operations center (SOC) analysts would receive alerts, triage them, investigate, and then manually contain threats. This process could take minutes to hours—time during which an attacker could move laterally, escalate privileges, exfiltrate data, or deploy ransomware. The 'mean time to contain' (MTTC) was often too long. AAD reduces MTTC to seconds by automating the containment decisions that analysts would otherwise make, based on high-confidence signals.
How AAD Works Internally
AAD relies on a detection pipeline that processes signals from multiple sensors:
Signal Collection: MDE sensors on endpoints, MDI sensors on domain controllers, MDO sensors in Exchange Online and SharePoint, and MDA sensors in cloud apps all send telemetry to the Microsoft 365 Defender backend. This includes process creation, network connections, authentication events, file modifications, and email activities.
Incident Correlation: The Microsoft 365 Defender correlation engine aggregates related alerts into incidents. AAD triggers only on incidents that meet specific criteria—typically those with a high confidence level (e.g., 'true positive' with high severity) and involving known attack patterns like lateral movement, credential theft, or ransomware behavior.
Risk Scoring: Each incident is assigned a risk score based on factors such as:
- Number of affected devices
- Presence of known malicious indicators (e.g., IOCs from Microsoft Threat Intelligence)
- Attack type (e.g., ransomware, hands-on-keyboard)
- Proximity to critical assets (e.g., domain controllers)
- Confidence level of detection
Automated Action Selection: When the risk score exceeds a configurable threshold (default: high), AAD selects one or more containment actions. These actions are pre-defined in the Microsoft 365 Defender security playbooks. The system chooses the most effective actions based on the attack vector:
If lateral movement via RDP or SMB is detected, it isolates the compromised device.
If a user account is used for suspicious authentication, it suspends the account.
If an attacker is using a command-and-control (C2) channel, it blocks the IP/URL.
Action Execution: The actions are executed via the respective Defender components:
Device isolation: MDE sends a command to the endpoint agent to isolate the device from the network (except for the Defender service communication).
User suspension: MDI forces a password reset and blocks sign-ins via Azure AD Conditional Access or by disabling the account.
Session termination: MDO revokes access to Exchange Online and SharePoint for the compromised user.
IP/URL blocking: MDE updates the network protection list to block the malicious endpoint.
Feedback Loop: After actions are taken, the system monitors the incident for new signals. If the attack continues (e.g., a different account is used), AAD may escalate to a higher-level action or notify the SOC. If the actions successfully contain the attack, the incident is automatically resolved after a period of no new activity (default: 72 hours).
Key Components, Values, Defaults, and Timers
- AAD Policies: Configured in Microsoft 365 Defender > Settings > Endpoints > Advanced features > Automatic attack disruption. You can enable/disable AAD and configure the risk threshold (Low, Medium, High). Default: Enabled with High threshold.
- Risk Threshold: The level of confidence required to trigger automatic actions. High means only incidents with very high confidence (e.g., confirmed ransomware behavior) will trigger. Medium and Low are more sensitive but may cause more false positives. Default: High.
- Actions: The specific actions are not customizable per policy; Microsoft defines them based on attack type. However, you can exclude certain devices or users from AAD actions via device groups or user scoping.
- Timers:
  - Detection to action: Typically within 1-2 minutes after the incident is created.
  - Device isolation: Immediate; the endpoint agent applies the isolation within seconds.
  - Account suspension: Takes effect within 5-10 minutes due to replication delays in Azure AD.
  - Automatic incident resolution: 72 hours after the last related alert, if no new activity.
- Exclusions: You can create device groups that are excluded from automatic isolation. For example, critical production servers that must not be isolated automatically. These are configured in Microsoft 365 Defender > Settings > Endpoints > Device groups.
Configuration and Verification
To verify AAD is enabled:
Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced features.
Ensure 'Automatic attack disruption' is toggled On.
Check the risk threshold setting.
To review AAD actions taken:
Go to Incidents & alerts > Incidents.
Select an incident that was automatically disrupted. Look for the 'Automatic disruption' tag.
In the incident timeline, you will see entries like 'Device isolation initiated automatically' or 'User account suspended automatically'.
Using PowerShell:
# Check AAD status via Microsoft Graph PowerShell (requires appropriate permissions)
# Needs the Microsoft.Graph.Security module; SecurityIncident.Read.All is the Graph permission for reading incidents
Connect-MgGraph -Scopes "SecurityIncident.Read.All"
# -All pages through every incident instead of only the first page of results
Get-MgSecurityIncident -All | Where-Object { $_.AdditionalProperties.automaticDisruption -eq $true }
Interaction with Related Technologies
Microsoft Defender for Endpoint (MDE): AAD uses MDE's device isolation capability. MDE must be fully onboarded and in active mode for isolation to work.
Microsoft Defender for Identity (MDI): AAD uses MDI to detect lateral movement and credential theft. MDI sensors must be installed on domain controllers.
Microsoft Defender for Office 365 (MDO): AAD can suspend user access to Exchange Online and SharePoint. MDO must be licensed.
Microsoft Defender for Cloud Apps (MDA): AAD can block access to cloud apps. MDA must be configured with app connectors.
Azure Active Directory (Azure AD): AAD uses Azure AD Conditional Access policies to block sign-ins. The 'Microsoft 365 Defender' Conditional Access app must be enabled.
Microsoft Sentinel: While not directly part of AAD, Sentinel can ingest AAD actions via the Microsoft 365 Defender connector and trigger additional automated responses.
Important Exam Notes
AAD is automatically enabled for all eligible tenants. You do not need to configure it manually, but you can disable it or change the threshold.
AAD does not require Microsoft Sentinel. It is a native Defender capability.
The default risk threshold is High. Lowering it increases false positives.
AAD actions are reversible by an analyst. For example, a device can be un-isolated, and a user account can be re-enabled.
AAD only triggers on incidents that are high confidence and high severity. Not all incidents trigger AAD.
The exam will test whether you know that AAD can suspend accounts, isolate devices, and block IPs/URLs—but not, for example, delete files or roll back changes.
Step-by-Step: AAD in Action
Let's walk through a typical ransomware attack:
Initial compromise: A user on a Windows 10 device downloads a malicious macro-enabled document from a phishing email.
C2 communication: The macro executes a PowerShell script that establishes a C2 channel to a known malicious IP.
Lateral movement: The attacker uses stolen credentials to move laterally via SMB to a file server.
Ransomware deployment: The attacker runs ransomware on the file server, encrypting files.
Detection: MDE detects the ransomware behavior (file encryption events, process creation) and MDI detects the lateral movement (unusual SMB connections). These alerts are correlated into a single incident with high severity.
AAD trigger: The incident risk score exceeds the threshold. AAD automatically:
- Isolates the original Windows 10 device from the network.
- Isolates the file server.
- Suspends the compromised user account.
- Blocks the C2 IP in network protection.
Outcome: The attack is contained within seconds. The ransomware cannot spread further. The SOC receives an alert with details of the automatic actions.
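The pipeline described under 'How AAD Works Internally' and the ransomware walkthrough above, as an added illustrative model written for this chapter (not Microsoft's code, and not its real scoring logic): the threshold cut-offs, attack-type weights, host names, account name and the IP 203.0.113.10 are constructed assumptions. What it exercises is the exam-relevant behaviour: a lone alert never triggers, the threshold level sets sensitivity, devices in an excluded group are not isolated, and the actions are containment only.

```python
from dataclasses import dataclass, field
# Threshold cut-offs and attack-type weights are illustrative assumptions, not Microsoft's.
THRESHOLDS = {"Low": 40, "Medium": 60, "High": 80}   # High is the most conservative level
ATTACK_WEIGHT = {"ransomware": 40, "lateral_movement": 25, "c2": 20, "suspicious_auth": 15}

@dataclass
class Alert:
    kind: str                  # key of ATTACK_WEIGHT
    device: str                # affected device name, or None
    user: str                  # affected account, or None
    remote_ip: str = None      # known-bad C2 indicator, if any
    confidence: int = 0        # 0-100 detection confidence reported by the sensor

@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    devices: set = field(default_factory=set)
    users: set = field(default_factory=set)
    ips: set = field(default_factory=set)

def correlate(alerts):
    """Entity-based correlation: alerts sharing a user or device join one incident."""
    incidents = []
    for a in alerts:
        inc = next((i for i in incidents if (a.user and a.user in i.users)
                    or (a.device and a.device in i.devices)), None)
        if inc is None:
            incidents.append(inc := Incident())
        inc.alerts.append(a)
        for entities, value in ((inc.devices, a.device), (inc.users, a.user), (inc.ips, a.remote_ip)):
            if value:
                entities.add(value)
    return incidents

def risk_score(inc, critical_assets=frozenset()):
    """Composite 0-100 score from the chapter's factors; a lone alert never forms an incident."""
    if len(inc.alerts) < 2:
        return 0
    score = sum(ATTACK_WEIGHT[k] for k in {a.kind for a in inc.alerts})  # attack types seen
    score += 10 * (len(inc.devices) - 1)                                 # breadth of spread
    score += 10 if inc.ips else 0                                        # known IOC present
    score += 15 if inc.devices & critical_assets else 0                  # near critical assets
    return min(100, int(score * min(a.confidence for a in inc.alerts) / 100))

def select_actions(inc, excluded=frozenset()):
    """Containment only (isolate, suspend, block); devices in an excluded group are skipped."""
    kinds = {a.kind for a in inc.alerts}
    actions = []
    if kinds & {"lateral_movement", "ransomware"}:
        actions += [("isolate_device", d) for d in sorted(inc.devices) if d not in excluded]
    if kinds & {"lateral_movement", "suspicious_auth"}:
        actions += [("suspend_user", u) for u in sorted(inc.users)]
    if "c2" in kinds:
        actions += [("block_ip", ip) for ip in sorted(inc.ips)]
    return actions

def disrupt(alerts, threshold="High", excluded=frozenset(), critical_assets=frozenset()):
    """Return (score, actions) per incident; actions stay empty below the threshold."""
    out = []
    for inc in correlate(alerts):
        score = risk_score(inc, critical_assets)
        out.append((score, select_actions(inc, excluded) if score >= THRESHOLDS[threshold] else []))
    return out

# Constructed alerts mirroring the ransomware walkthrough (host names and IP are made up).
SAMPLE_ALERTS = [
    Alert("c2", "ws-win10-01", "jdoe", remote_ip="203.0.113.10", confidence=90),
    Alert("lateral_movement", "fs-01", "jdoe", confidence=95),
    Alert("ransomware", "fs-01", "jdoe", confidence=98),
]
```

Calling disrupt(SAMPLE_ALERTS) yields the four actions from the walkthrough; passing excluded={"fs-01"} reproduces a device-group exclusion, leaving the file server un-isolated while the workstation, account and C2 IP are still contained.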
Signal Collection and Correlation
Defender sensors on endpoints, domain controllers, Exchange Online, and cloud apps continuously send telemetry to the Microsoft 365 Defender backend. The correlation engine aggregates related alerts into incidents based on common entities (e.g., same user, same device, same IP). For AAD to trigger, the incident must have a high confidence level (typically >90% confidence) and high severity. This step typically completes within 30 seconds of the first alert.
Risk Scoring and Threshold Check
Each incident is assigned a dynamic risk score based on factors like attack type (e.g., ransomware, lateral movement), number of affected assets, presence of known IOCs, and proximity to critical assets. The score is compared to the configured threshold (default: High). If the score exceeds the threshold, AAD proceeds to action selection. The threshold is not a single number but a composite measure; 'High' means only the most confident attacks trigger.
Automated Action Selection
Based on the attack pattern, AAD selects one or more containment actions from a predefined playbook. For example, if lateral movement via RDP is detected, the action is device isolation. If credential theft is detected, the action is user account suspension. The system may combine multiple actions (e.g., isolate device AND suspend user). The selection is deterministic based on the highest-confidence signals.
Action Execution via Defender Components
The selected actions are executed through the respective Defender services. Device isolation is sent as a command to the MDE agent on the endpoint, which immediately cuts off all network traffic except to the Defender service. User suspension is performed via Azure AD, disabling the account and forcing a password reset. IP/URL blocking updates the network protection list on all endpoints. Execution typically completes within 1-2 minutes.
Monitoring and Incident Resolution
After actions are taken, Microsoft 365 Defender continues to monitor the incident for new alerts. If no new related alerts appear within 72 hours (default), the incident is automatically resolved. If new alerts indicate the attack is still active, AAD may escalate to additional actions or notify the SOC. The SOC can also manually override actions (e.g., un-isolate a device if it was a false positive).
Scenario 1: Contoso's Ransomware Outbreak
Contoso, a mid-sized enterprise with 5,000 endpoints, suffered a ransomware attack that began with a phishing email. Before AAD was enabled, the SOC took 45 minutes to manually isolate the first infected device—by which time the ransomware had encrypted 200 servers. After enabling AAD with the default High threshold, a similar attack was contained in under 2 minutes. The automatic device isolation and account suspension stopped lateral movement before it reached the file servers. Contoso configured device groups to exclude critical domain controllers and SQL servers from automatic isolation, ensuring these systems would not be disrupted unless absolutely necessary. They also set the risk threshold to 'Medium' to catch more attacks, accepting a slightly higher false positive rate. The SOC now reviews AAD actions daily to ensure no legitimate users were suspended in error.
Scenario 2: Northwind Traders' Hands-on-Keyboard Attack
Northwind Traders, a global retail company, experienced a hands-on-keyboard attack where an attacker used stolen VPN credentials to access the corporate network. The attacker moved laterally using PowerShell remoting to reach a domain controller. MDI detected the anomalous authentication and lateral movement, triggering AAD. Within seconds, the attacker's device was isolated, the compromised VPN account was suspended, and the attacker's IP was blocked. The SOC received a detailed incident report showing exactly which actions were taken. Because the attack was contained early, no data was exfiltrated. Northwind later used the incident data to refine their Conditional Access policies and block legacy authentication.
Common Pitfalls in Production
False positives: Lowering the risk threshold to 'Low' can cause legitimate administrative actions to be mistaken for attacks, leading to user suspensions. Always start with 'High' and lower only after monitoring false positive rates.
Exclusion misconfiguration: Forgetting to exclude critical systems like domain controllers can result in them being isolated, causing widespread disruption. Regularly audit device groups.
License gaps: AAD requires Microsoft 365 E5 or equivalent. If a tenant has mixed licenses, only licensed users/devices are covered. The exam tests this: AAD actions only apply to assets with the appropriate license.
Performance: AAD itself has negligible performance impact because it operates on already-collected telemetry. However, if many incidents trigger simultaneously (e.g., during a widespread malware campaign), the system may queue actions. This is rare but can cause delays of up to 5 minutes.
Exam Focus: What SC-200 Tests on AAD
Objective code: Defender XDR (Domain 1) – Objective 1.1: 'Manage incidents in Microsoft 365 Defender'. Specifically, the ability to 'Describe automatic attack disruption' and 'Configure and manage automatic attack disruption'.
The exam tests three main areas:
1. Conceptual understanding: What AAD is, when it triggers, and what actions it can take.
2. Configuration: How to enable/disable, set risk threshold, and manage exclusions.
3. Troubleshooting: Why AAD did not trigger, or why an action was not taken.
Common Wrong Answers and Why Candidates Choose Them
'AAD requires Microsoft Sentinel to be deployed.' – Wrong. AAD is a native Defender capability that does not require Sentinel. Candidates confuse automated response with Sentinel's automation rules.
'AAD can delete malicious files or roll back registry changes.' – Wrong. AAD only contains (isolate, suspend, block), not remediate. Remediation is done by other features like Microsoft Defender for Endpoint's automated investigation and remediation.
'AAD triggers on all high-severity alerts.' – Wrong. AAD triggers only on high-confidence incidents, not individual alerts. An incident must be formed with correlated alerts.
'AAD is disabled by default.' – Wrong. AAD is enabled by default for all eligible tenants. Candidates confuse this with other features that require manual enablement.
'Lowering the risk threshold reduces false positives.' – Wrong. Lowering the threshold (e.g., from High to Low) increases sensitivity, which increases false positives.
Specific Numbers and Terms on the Exam
Default risk threshold: High
Default incident resolution timer: 72 hours
AAD actions: Device isolation, user account suspension, IP/URL blocking, session revocation
Required license: Microsoft 365 E5, Microsoft 365 E5 Security, or Defender for Endpoint P2
AAD is part of Microsoft 365 Defender, not Microsoft Sentinel.
Edge Cases and Exceptions
User accounts without Azure AD P1/P2: AAD can still suspend the account via Azure AD, but password reset may not be forced if the tenant lacks the required license.
Devices not onboarded to MDE: AAD cannot isolate devices that are not managed by MDE. The exam may present a scenario where a device is not isolated because it lacks the MDE agent.
Cross-tenant attacks: AAD only operates within the tenant. It cannot contain assets in other tenants.
Manual override: If an analyst manually resolves an incident before AAD acts, AAD will not trigger. The exam tests that AAD acts only on active, unresolved incidents.
How to Eliminate Wrong Answers
Use the underlying mechanism: AAD is a containment tool, not a remediation tool. It stops the attack from spreading. Any answer suggesting file deletion, registry changes, or rollback is wrong. Also, AAD operates on incidents, not alerts. If the question says 'AAD triggered on a single alert', it is incorrect. Finally, remember that AAD is automatic and enabled by default—any answer implying manual configuration is required for basic operation is wrong.
AAD is enabled by default for tenants with Microsoft 365 E5 or equivalent.
Default risk threshold is 'High'; lowering it increases false positives.
AAD can isolate devices, suspend user accounts, block IPs/URLs, and revoke sessions.
AAD triggers only on high-confidence incidents, not individual alerts.
Incidents are automatically resolved after 72 hours of no new activity.
AAD does not require Microsoft Sentinel.
AAD actions are containment only, not remediation.
These come up on the exam all the time. Here's how to tell them apart.
Automatic Attack Disruption (AAD)
Focuses on containment: isolate devices, suspend users, block IPs/URLs.
Triggers on high-confidence incidents automatically.
Actions take effect automatically and stay in place until an analyst manually reverses them.
Operates at machine speed (seconds to minutes).
Requires Microsoft 365 E5 or equivalent license.
Automated Investigation and Remediation (AIR)
Focuses on investigation and remediation: run scans, delete files, roll back changes.
Triggers on individual alerts or incidents based on playbooks.
Actions are reversible (e.g., can restore quarantined files).
Takes longer (minutes to hours) due to investigation steps.
Available with Defender for Endpoint P2 (included in E5).
Mistake
AAD requires Microsoft Sentinel to be deployed.
Correct
AAD is a native Microsoft 365 Defender capability and does not require Sentinel. Sentinel can ingest AAD actions but is not a prerequisite.
Mistake
AAD can delete malicious files or roll back changes.
Correct
AAD only contains attacks through isolation, suspension, and blocking. Remediation (e.g., file deletion, registry rollback) is handled separately by automated investigation and remediation in Defender for Endpoint.
Mistake
AAD triggers on every high-severity alert.
Correct
AAD triggers only on high-confidence incidents (correlated alerts). A single high-severity alert may not form an incident that meets the threshold.
Mistake
AAD is disabled by default and must be manually enabled.
Correct
AAD is enabled by default for all eligible tenants. You can disable it, but it is not required to enable it.
Mistake
Lowering the risk threshold reduces false positives.
Correct
Lowering the threshold increases sensitivity, which increases the likelihood of false positives. The default High threshold is the most conservative.
AAD is enabled by default. To verify or change settings, go to Microsoft 365 Defender > Settings > Endpoints > Advanced features. Toggle 'Automatic attack disruption' on or off, and adjust the risk threshold (Low, Medium, High). No additional configuration is required for basic operation.
AAD requires Microsoft 365 E5, Microsoft 365 E5 Security, or standalone Defender for Endpoint P2. Without these licenses, AAD will not be available. The exam tests that AAD is part of the E5 security stack.
Yes. You can create device groups in Microsoft 365 Defender > Settings > Endpoints > Device groups and exclude them from automatic isolation. This is useful for critical servers that should not be isolated automatically.
AAD typically isolates the compromised device(s), suspends the compromised user account(s), and blocks any malicious IPs or URLs associated with the attack. It may also revoke access to Exchange Online and SharePoint for the affected user.
AAD typically acts within 1-2 minutes of incident creation. Device isolation is applied within seconds, while account suspension may take 5-10 minutes due to Azure AD replication.
Yes, as long as the attack involves assets managed by Microsoft 365 Defender (e.g., cloud apps, Azure AD identities). For example, if an attacker compromises a user's cloud account, AAD can suspend that account even if the attacker never touches an on-premises device.
Yes. An analyst can manually un-isolate a device, re-enable a user account, or unblock an IP/URL from the incident details page. The exam may test that AAD actions are reversible.