I knew that Attack Disruption existed but I had never invested time in understanding exactly how it works.
In a nutshell, if you have Defender XDR and meet a few requirements around licences and specific settings (which are usually enabled by default), Defender XDR can automatically take actions against your devices and users when it has high confidence that an attack is in progress.
At first, I was a bit surprised to realise that this feature was already enabled in my organisations. However, after hearing how the service works and reading how it correlates millions of individual signals to identify active ransomware campaigns or other sophisticated attacks in the environment with high confidence, I was happy with this ‘default’ configuration.
Therefore, I am starting to verify that Attack Disruption is able to take actions over all devices and users. The following query checks whether devices have the minimum Sense agent version (10.8470) required for the Contain User action.
// Devices whose Sense agent is below 10.8470, the minimum for the Contain User action.
// Registry writes under the Windows ATP key are initiated by the agent itself, so
// InitiatingProcessVersionInfoProductVersion carries the Sense version.
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection"
| where isnotempty(InitiatingProcessVersionInfoProductVersion)
// Keep only the latest event per device, so a device upgraded within the window is not flagged on its old version
| summarize arg_max(Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessVersionInfoProductVersion) by DeviceId
// parse_version compares version strings numerically, which avoids the dot-stripping and substring tricks
// (a 6-character prefix named "FirstFiveChars") that break on versions with a different number of digits
| where parse_version(InitiatingProcessVersionInfoProductVersion) < parse_version("10.8470")
| project DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessVersionInfoProductVersion
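To check the logic of that query offline, here is an added Python model (not code from the original post) that applies the same two rules to constructed rows shaped like DeviceRegistryEvents: take only the latest event per device, then compare the version numerically with the same padding semantics as KQL's parse_version. The device ids, timestamps and version strings are made up for the example.

```python
"""Offline model of the Sense-version readiness check for the Contain User action."""
from datetime import datetime

MIN_SENSE_VERSION = "10.8470"  # minimum Sense agent version named in the post


def version_tuple(version: str, parts: int = 4) -> tuple:
    """Parse 'a.b.c.d' into a comparable tuple, padding missing parts with 0
    (the same semantics KQL parse_version uses for "10.8470")."""
    fields = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple((fields + [0] * parts)[:parts])


def devices_below_minimum(events, minimum: str = MIN_SENSE_VERSION) -> dict:
    """Return {DeviceId: version} for devices whose *latest* event reports a
    Sense version below `minimum`. Older events for the same device are ignored,
    so a device that upgraded inside the query window is not flagged."""
    latest = {}
    for ev in events:
        dev = ev["DeviceId"]
        if dev not in latest or ev["Timestamp"] > latest[dev]["Timestamp"]:
            latest[dev] = ev
    floor = version_tuple(minimum)
    return {
        dev: ev["InitiatingProcessVersionInfoProductVersion"]
        for dev, ev in latest.items()
        if version_tuple(ev["InitiatingProcessVersionInfoProductVersion"]) < floor
    }


# Constructed sample rows (not real telemetry); only the columns the check needs
V = "InitiatingProcessVersionInfoProductVersion"
SAMPLE_EVENTS = [
    {"DeviceId": "dev-a", "Timestamp": datetime(2024, 1, 1), V: "10.8295.22621.1000"},
    {"DeviceId": "dev-a", "Timestamp": datetime(2024, 1, 20), V: "10.8470.22621.1000"},  # upgraded
    {"DeviceId": "dev-b", "Timestamp": datetime(2024, 1, 5), V: "10.8295.22621.1000"},
    {"DeviceId": "dev-c", "Timestamp": datetime(2024, 1, 5), V: "10.8560.19041.2"},
]

if __name__ == "__main__":
    # Only dev-b is still below the minimum; dev-a's newest event is already 10.8470.x
    print(devices_below_minimum(SAMPLE_EVENTS))
```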