Manage predictive shielding in Microsoft Defender (Preview)

Important

Some information in this article relates to a prerelease product that may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Microsoft Defender uses predictive shielding (Preview) as a proactive defense strategy designed to anticipate and mitigate threats before they materialize. Learn how predictive shielding works to dynamically infer risk, anticipate attacker progression, and harden your environment.

This article describes how to manage predictive shielding so that you can enrich your prediction data and understand how predictive shielding actions are applied in your environment.

Review predictive shielding details and results

The incident view in Microsoft Defender includes built-in predictive shielding details. Use the incident graph and activity information to assess the predictive shielding impact and status.

Tip

To enrich your predictive shielding data, we recommend that you use the Microsoft Defender for Identity sensor to improve security insights and expand coverage. For more information, see Enrich predictive shielding data.

Review the incident information

In the Incidents page, filter by the Predictive Shielding tag to find incidents where predictive shielding is applied.

Screenshot of the incident list filtered by the Predictive Shielding tag.

Note

While the incident and alert details show historical data from the inception of the incident, the Activities tab shows a snapshot of the current status. For more information, see Review the activity information.

You can then select the relevant incident, and review the incident graph to get the entire attack story and assess the predictive shielding impact and status.

Screenshot of predictive shielding data shown in the incident graph, attack story, and disruption summary card.

You can also review the alert and disruption information for predictive shielding details and results:

  • In the alert details, view the Predictive shielding label and the specific threat type identified (for example, ransomware). If you subscribe to incident email notifications, these tags also appear in the emails.

    Screenshot of the alert details with the Predictive Shielding label.

  • In the disruption summary, view the number of predictive shielding policies invoked as part of this incident, and the number of hardened devices across all policies.

    Screenshot of the disruption summary card showing predictive shielding details.

Review the activity information

Select the incident's Activities tab and filter by the Response category to get a live snapshot of the activities where predictive shielding actions are applied:

  • Review the Type column to see the actions triggered by predictive shielding.

    In this example, the Contain User, GPO Hardening, and SafeBoot Hardening actions are applied as part of predictive shielding. Learn more about predictive shielding actions.

    Screenshot of the Activities tab filtered by Response category, showing predictive shielding actions.

  • Select the Triggering alert column to open the alert details pane, and review the alert that led to the predictive shielding action. For more information, see Review the triggering alert information.

  • Review the Policy status column to see which hardening policies are currently applied.

Note

The Performed by column shows Attack Disruption for both attack disruption and predictive shielding actions. To understand which specific actions apply to predictive shielding, see Predictive shielding actions.

  • Select a specific action to open the activity details pane, which describes the activity, and shows the number of devices where the relevant policy is currently applied.

    Screenshot of the activity details pane showing the number of devices hardened by a predictive shielding action.

Tip

While the Activities tab displays actions that are specific to the current incident, the Action center displays all activities. To track predictive shielding actions in the Action center, see Use the Action center.

Review the triggering alert information

To investigate the alert that led to the predictive shielding action, select the triggering alert either from the incident details pane or from the activity page.

Screenshot of the alert details pane showing relevant alert data.

In the alert, you can review:

  • Which assets are at risk.
  • The triggering malicious activity from the Alert chain.
  • The exposure data used to calculate this risk.

Enrich predictive shielding data

We recommend that you use the Microsoft Defender for Identity sensor to improve security insights and expand coverage. This approach adds metadata like usernames, Active Directory details, and group memberships to alerts, making them more actionable.

To add the Defender for Identity sensor, see Deploy Microsoft Defender for Identity.

Enriched data example

In this example scenario:

  • Both Microsoft Defender for Endpoint and Microsoft Defender for Identity are enabled in the environment.
  • An attacker gained a foothold on a jump box and conducted malicious activities that led to compromising a workstation (WSA).
  • The enriched data reveals suspicious PowerShell activities on WSA, indicating the attacker's intent to perform remote credential harvesting on WSB.
  • This enrichment adds predictive data on the incident, and indicates intent for further compromise.

Screenshot of enriched predictive shielding data in an incident, showing user and Active Directory details.

Track policy modifications in advanced hunting

You can use specific queries in advanced hunting to track policy modifications in your environment.

Track enabled predictive shielding hardening policies

This sample query retrieves events related to changes in predictive shielding hardening policies, and allows you to monitor when policies are enabled or disabled for specific domains. The query uses the DisruptionAndResponseEvents table.

```kusto
// Placeholder values to set before running: the policy to check (this article's policy
// names are GpoPrevention and SafebootPrevention), the look-back window, and the domain.
let hardeningPolicyType = "GpoPrevention";
let lookBackTime = ago(7d);
let domainName = "<your-domain>";
DisruptionAndResponseEvents
| where Timestamp > lookBackTime
| where PolicyName == hardeningPolicyType
| where DomainName == domainName
// Keep only the most recent policy state reported for each device ...
| summarize arg_max(Timestamp, IsPolicyOn) by DeviceId
// ... and return the devices where that latest state is "enabled".
| where IsPolicyOn
```

Track policy modification events in the environment

This sample query retrieves policy modification events in the environment, including the application and removal of hardening policies on devices onboarded to Defender for Endpoint. The query uses the DisruptionAndResponseEvents table.

```kusto
let hardeningPolicyType = dynamic(["GpoPrevention", "SafebootPrevention"]);
let lookBackTime = ago(7d);   // placeholder look-back window; replace with your own start time
DisruptionAndResponseEvents
| where PolicyName in (hardeningPolicyType)
| where Timestamp > lookBackTime
// Policy update events where the policy was switched on (IsPolicyOn is boolean, as in the query above)
| where ReportType == 'PolicyUpdated' and IsPolicyOn == true
// Latest update per device, plus the set of hardening policies applied to it
| summarize arg_max(Timestamp, DeviceName), PoliciesApplied = make_set(PolicyName) by DeviceId
```

This sample query retrieves blocked events related to predictive shielding hardening policies, and allows you to monitor when specific actions were blocked on devices. The query uses the DisruptionAndResponseEvents table.

```kusto
let hardeningPolicyType = dynamic(["GpoPrevention", "SafebootPrevention"]);
DisruptionAndResponseEvents
| where PolicyName in (hardeningPolicyType)
// Events where a hardening policy actually blocked an action on a device
| where ReportType == 'Prevented'
```
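The following query is an added example for this section, not one of the article's own sample queries. It combines the two things the queries above track, the latest on/off state of each hardening policy per device and the actions those policies blocked, so that a reviewer can spot devices where a policy blocked activity but has since been switched off (for example, after an undo). It assumes the same DisruptionAndResponseEvents columns the sample queries use (Timestamp, DeviceId, DeviceName, DomainName, PolicyName, ReportType, IsPolicyOn) and the policy names GpoPrevention and SafebootPrevention; the look-back window and the review labels are placeholders you can change.

```kusto
// Added example (not from the article): current hardening state joined with blocked-action counts.
// Assumes the DisruptionAndResponseEvents columns used in this article's sample queries.
let hardeningPolicyType = dynamic(["GpoPrevention", "SafebootPrevention"]);
let lookBackTime = ago(30d);   // placeholder look-back window; adjust to your retention
// 1. Latest known on/off state of each hardening policy on each device.
let currentState =
    DisruptionAndResponseEvents
    | where Timestamp > lookBackTime
    | where PolicyName in (hardeningPolicyType)
    | where ReportType == 'PolicyUpdated'
    | summarize arg_max(Timestamp, IsPolicyOn, DeviceName, DomainName) by DeviceId, PolicyName
    | project DeviceId, DeviceName, DomainName, PolicyName, IsPolicyOn, LastPolicyChange = Timestamp;
// 2. How often each policy actually blocked an action on each device.
let preventedActions =
    DisruptionAndResponseEvents
    | where Timestamp > lookBackTime
    | where PolicyName in (hardeningPolicyType)
    | where ReportType == 'Prevented'
    | summarize PreventedCount = count(), LastPrevented = max(Timestamp) by DeviceId, PolicyName;
// 3. Combine both views. A policy that blocked activity but is no longer on is the case to review,
//    because the hardening was removed while the activity it had been blocking was observed.
currentState
| join kind=leftouter preventedActions on DeviceId, PolicyName
| extend BlockedActions = coalesce(PreventedCount, 0)
| extend ReviewReason = case(
    BlockedActions > 0 and not(IsPolicyOn), "Policy blocked activity but is now off",
    BlockedActions > 0, "Policy on and actively blocking",
    not(IsPolicyOn), "Policy off, no blocked activity",
    "Policy on, no blocked activity")
| project DeviceId, DeviceName, DomainName, PolicyName, IsPolicyOn, LastPolicyChange,
          BlockedActions, LastPrevented, ReviewReason
| order by BlockedActions desc, LastPolicyChange desc
```

Run it in advanced hunting as-is; the leftouter join keeps devices whose policies never blocked anything, so the result lists every device that has reported a hardening policy state in the window, with the devices that most need attention sorted to the top.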

Undo actions triggered by predictive shielding

You can undo an action that was applied as part of predictive shielding.

To undo an action, do one of the following: