Automatic attack disruption can now isolate compromised devices from the network when high-confidence incident analysis indicates the device is being used as an active foothold.

Why it matters: In preview

Automatic attack disruption can now isolate compromised devices from the network when high-confidence incident analysis indicates the device is being used as an active foothold. Isolation blocks attacker communication and lateral movement while keeping the device connected to security services. The action is time-limited, scoped to devices involved in the incident, and can be released by security operators at any time. Learn more

Affected: Microsoft Defender XDR

View at Microsoft → Copy summary