Forum Discussion
AxelHellstrom
Jan 28, 2021, Copper Contributor
EDR in block mode vs AIR?
With the launch of EDR in block mode, I'm just wondering how this is different from the "AIR block" with the changed default action to have it fully automatic? I would assume that you could customize t...
Thijs Lecomte
Feb 01, 2021, Bronze Contributor
EDR in block and AIR are two different products.
AIR is an investigation that will launch after an alert is generated. This investigation will check the evidence from the alert and (according to your automation level) remediate certain threats.
EDR in block mode will allow EDR detections to be blocked. EDR detections are detections that are based on AI and run in the Microsoft Cloud. For example, EDR might notice that a process is doing phishy stuff and after analysis of the data in the cloud, it can be blocked.