MDXDR Attack Disruption And Response

# Defender XDR - Attack Disruption & Response

## Query Information

### Description

The ***DisruptionAndResponseEvents*** table in the advanced hunting schema contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy-application events for triggered attack disruption policies, and the automatic response actions that were taken across the related workloads.

#### References

- [DisruptionAndResponseEvents](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-disruptionandresponseevents-table)
- [Defender XDR - What's new July 2025](https://learn.microsoft.com/en-us/defender-xdr/whats-new#july-2025)

### Author

- **Alex Verboon**

## Defender XDR

List events that report a compromised account count

```kql
DisruptionAndResponseEvents
| where isnotempty(CompromisedAccountCount)
```

Show Policies applied

```kql
DisruptionAndResponseEvents
| distinct PolicyName
```

Show unique ActionTypes

```kql
DisruptionAndResponseEvents
| distinct ActionType
```
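Building on the three queries above, the following is an added example (not part of the original query set) that summarizes attack disruption activity over the last 30 days per policy and action type. It uses only the Timestamp, PolicyName, ActionType and CompromisedAccountCount columns; the toint() cast is a precaution because the column's data type is not stated on this page, and the 30-day window is an assumption to match a typical advanced hunting retention period.

```kql
// Added example: attack disruption activity in the last 30 days, per policy and action type.
// Columns used: Timestamp, PolicyName, ActionType, CompromisedAccountCount.
// toint() is a precaution because the column type is not stated on this page.
// The 30-day window is an assumption; adjust ago() to the period you want to review.
DisruptionAndResponseEvents
| where Timestamp > ago(30d)
| summarize
    Events = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    CompromisedAccounts = sum(toint(CompromisedAccountCount)),
    EventsWithCompromisedAccounts = countif(isnotempty(CompromisedAccountCount) and toint(CompromisedAccountCount) > 0)
    by PolicyName, ActionType
| order by LastSeen desc
```

The countif() column separates events that actually report at least one compromised account from events where the count is merely populated, which is the distinction the `isnotempty()` filter above does not make. To see the trend over time instead of a per-policy table, replace the `by` clause with `by bin(Timestamp, 1d), ActionType` and append `| render timechart`.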

## Explanation

These queries analyze data from the DisruptionAndResponseEvents table in Microsoft Defender XDR, which logs events related to automatic attack disruption. Here is a breakdown of what each one does:

1. List compromised accounts:

   This query filters the table to events where the compromised account count is populated. It helps identify incidents in which accounts were potentially compromised. Note that `isnotempty()` keeps any populated value, including 0; use `where CompromisedAccountCount > 0` if you only want events that actually report compromised accounts.

   ```kql
   DisruptionAndResponseEvents
   | where isnotempty(CompromisedAccountCount)
   ```

2. Show policies applied:

   This query extracts the distinct policy names that were applied during disruption events. It helps you understand which attack disruption policies are actively countering threats in your tenant.

   ```kql
   DisruptionAndResponseEvents
   | distinct PolicyName
   ```

3. Show unique ActionTypes:

   This query retrieves the unique action types recorded during disruption events. It shows which automatic actions Defender XDR has actually executed in response to threats in your environment.

   ```kql
   DisruptionAndResponseEvents
   | distinct ActionType
   ```

Together, these queries help you understand the nature of the disruptions, the policies involved, and the actions Microsoft Defender XDR took to mitigate threats.

## Details

Author: Alex Verboon

Released: August 22, 2025

Tables: DisruptionAndResponseEvents

Keywords: DisruptionAndResponseEvents, CompromisedAccountCount, PolicyName, ActionType

Operators: isnotempty, where, distinct