Forum Discussion

AxelHellstrom
Copper Contributor
Jan 28, 2021

EDR in block mode vs AIR?

With the launch of EDR in block mode, I'm just wondering how this is different from the "AIR block" with the changed default action to have it fully automatic?

I would assume that you could customize the EDR responses; for instance, instead of using Flow/Power Automate you would be able to tell the "new active EDR" to isolate high-risk assets or so, but it seems like nothing like that is available.


Links for info:

https://docs.microsoft.com/sv-se/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-automation-defaults-are-changing/ba-p/2068744


Thijs Lecomte
Bronze Contributor

EDR in block mode and AIR are two different products.

AIR is an investigation that will launch after an alert is generated. This investigation will check the evidence from the alert and (according to your automation level) remediate certain threats.

EDR in block mode will allow EDR detections to be blocked. EDR detections are detections that are based on AI and run in the Microsoft Cloud. For example, EDR might notice that a process is doing phishy stuff and, after analysis of the data in the cloud, it can be blocked.
