🔥 3-day streak
Microsoft Security Operations Analyst57 / 190
Question 57 of 190

Your SOC wants Microsoft Defender XDR automatic attack disruption to contain compromised devices and suspend risky user accounts during a human-operated ransomware attack, without waiting for analyst intervention. During testing, the disruption actions never trigger even though high-confidence incidents are being generated. Which configuration change is required to enable automatic attack disruption to act on these entities?

Reviewed for accuracy · Report an issueNext question