Defender XDR - Attack Disruption & Response
MDXDR Attack Disruption And Response
Query
DisruptionAndResponseEvents
| where isnotempty( CompromisedAccountCount)About this query
Defender XDR - Attack Disruption & Response
Query Information
Description
The DisruptionAndResponseEvents table in the advanced hunting contains information about automatic attack disruption events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads.
References
Author
- Alex Verboon
Defender XDR
List compromised Accounts
Show Policies applied
DisruptionAndResponseEvents
| distinct PolicyName
Show unique ActionTypes
DisruptionAndResponseEvents
| distinct ActionType
Explanation
This query is designed to analyze data from the DisruptionAndResponseEvents table in Microsoft Defender XDR, which logs events related to automatic attack disruptions. Here's a simple breakdown of what each part of the query does:
-
List Compromised Accounts:
- This part of the query filters the table to show only the events where there is a count of compromised accounts. It helps identify incidents where accounts were potentially compromised.
DisruptionAndResponseEvents | where isnotempty( CompromisedAccountCount) -
Show Policies Applied:
- This query extracts a list of distinct policy names that have been applied during these disruption events. It helps understand which policies are actively being used to counter threats.
DisruptionAndResponseEvents | distinct PolicyName -
Show Unique ActionTypes:
- This part of the query retrieves a list of unique action types that were taken during the disruption events. It provides insight into the different types of actions that the system can automatically execute in response to threats.
DisruptionAndResponseEvents | distinct ActionType
Overall, these queries help in understanding the nature of disruptions, the policies involved, and the actions taken by Microsoft Defender XDR to mitigate threats.
Details

Alex Verboon
Released: August 22, 2025
Tables
Keywords
Operators