
Exercise 07: Automatic attack disruption and Conditional Access response tuning

Exercise learning objectives

  • Examine the behavior and requirements of Automatic Attack Disruption (AAD).
  • Optimize automated isolation and containment responses while aligning communication procedures for affected users.
  • Establish native, built-in response workflows that minimize mean time to respond (MTTR) without relying on custom playbooks.

Estimated time: 40 minutes


CISO Overview - Scenario and goals

Zava Oil & Resources is piloting Microsoft Defender XDR’s Automatic Attack Disruption (AAD) to reduce response times from minutes to seconds when ransomware or business email compromise-style credential abuse is detected.

Today’s drill validates prerequisites and scope; automated device and user containment behavior; a built-in, product-native fallback that uses Conditional Access for high sign-in risk; and evidence collection for root cause analysis and for executive reporting on MTTR and actions taken. The target outcome is a measurable reduction in MTTR and clear accountability for response owners without relying on custom runbooks.


Table of contents