Microsoft Defender XDR Boosts Security with New AI Attack Disruption Capabilities

Microsoft Defender XDR now offers granular containment for critical network assets.

Published: Apr 11, 2025


Key Takeaways:

  • Microsoft Defender XDR now uses AI to automatically detect cyberattacks.
  • Device role-based containment allows administrators to protect critical systems.
  • A new IP containment feature enables IT admins to identify and block malicious IPs.

Microsoft has announced new automatic attack disruption features for its Defender XDR solution. These enhancements are designed to quickly detect and contain compromised devices before attackers can spread across the enterprise network.

The automatic attack disruption feature uses AI and threat intelligence to quickly identify and contain ongoing cyberattacks. It isolates compromised devices and blocks malicious activities to minimize the impact of the cyberattack. This automated response helps organizations maintain control over critical assets and ensure business continuity during an attack.

What is the problem?

Microsoft explained that attackers often target critical assets like Domain Controllers, DNS, and DHCP servers because they can use them to gain a foothold, escalate privileges, and access more resources. However, isolating these essential systems can be difficult, as it may disrupt important business operations.

How does AI-powered automatic attack disruption work?

With this update, Microsoft Defender for Endpoint enables administrators to apply device role-based, granular containment to target only the parts of the network involved in malicious activity. This helps stop attackers from escalating their attacks while keeping essential network functions running smoothly. It also ensures that even compromised critical assets remain operational and protected from further damage.

Microsoft Defender for Endpoint has introduced a new IP address containment feature that lets IT admins identify and block malicious IP addresses connected to unmanaged or undiscovered devices. This containment prevents the attackers from abusing these IP addresses to gain unauthorized access to the enterprise network.

Best practices for configuring Microsoft Defender XDR

Microsoft recommends that administrators avoid excluding assets from automatic attack disruption, as doing so can weaken the security defenses against advanced cyberattacks. However, if exclusions are necessary, administrators can manage specific IP subnets or multiple IP addresses through the Microsoft Defender XDR portal by following these steps:

  • Navigate to the Automated responses section and click Devices.
  • Select the IPs tab and click the “Exclude IP” option to exclude an IP address.
  • Finally, enter the IP address/IP range/IP subnet for exclusion in the flyout pane.

Last month, Microsoft announced new AI-powered capabilities coming to its Defender XDR solution. The company introduced a new Microsoft Security Copilot Phishing Triage Agent in the Defender Portal. This new agent enables administrators to manage and prioritize user-reported phishing emails.
