Forum Discussion
No Automated Investigation Triggered for High Severity Incident
Hi Community,
I’ve noticed an issue where no Automated Investigation and Response (AIR) was invoked for a high-severity incident and alert on a device that belongs to a device group configured with full AIR. This behavior contradicts the expected principle of AIR, as outlined in the documentation: https://learn.microsoft.com/en-us/defender-endpoint/automated-investigations#how-the-automated-investigation-starts.
Details:
- The device is part of a group with full AIR enabled.
- A high-severity alert/incident occurred but did not trigger any automated investigation.
- Manual actions were required to address the threat, despite AIR being enabled.
Questions:
- Has anyone experienced similar behavior where AIR is not triggered for eligible devices/incidents?
- Are there known scenarios or conditions that might prevent AIR from starting, even in fully configured groups?
- What steps can I take to troubleshoot or escalate this to ensure consistent AIR functionality?
Your insights and suggestions would be greatly appreciated!
Thank you.
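One practical way to work the third question (troubleshooting) is to pull the alerts for the affected device group and sort those without an investigation by their `investigationState`, since that field is where Defender records why AIR was not started. The following is an added example, not code from the original post or from Microsoft. It runs offline over a constructed alert list; the field names (`severity`, `rbacGroupName`, `investigationId`, `investigationState`, `machineId`) follow the Defender for Endpoint Alerts API as I understand it, and the set of "AIR did not start" states is an assumption to check against the current API documentation before relying on it.

```python
"""Triage Defender for Endpoint alerts for missing automated investigations.

Added example, not from the original post. Field names are assumed to match
the MDE Alerts API; the sample alerts below are constructed, not tenant data.
"""
from collections import defaultdict

# investigationState values that explain why AIR never ran. Assumption: taken
# from the MDE Alerts API documentation; verify against the current list.
NON_STARTER_STATES = {
    "UnsupportedAlertType": "alert type is not eligible for AIR",
    "UnsupportedOs": "device OS/sensor version is not supported by AIR",
    "SuppressedAlert": "alert matched a suppression rule",
    "PreexistingAlert": "alert predates AIR being enabled for the group",
}

# Device groups configured with full automation. Assumption: this comes from
# your device group configuration, not from the alert payload itself.
FULL_AIR_GROUPS = {"Workstations-FullAIR"}

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (not real data) covering the cases that matter:
# no investigation with no documented reason, a remediated one, an
# unsupported alert type, a non-AIR group, and a low-severity alert.
SAMPLE_ALERTS = [
    {"id": "da1", "title": "Suspicious command in RunMRU registry",
     "severity": "High", "rbacGroupName": "Workstations-FullAIR",
     "machineId": "m1", "investigationId": None,
     "investigationState": "Unknown"},
    {"id": "da2", "title": "Malicious script execution",
     "severity": "High", "rbacGroupName": "Workstations-FullAIR",
     "machineId": "m2", "investigationId": 1201,
     "investigationState": "SuccessfullyRemediated"},
    {"id": "da3", "title": "Suspicious PowerShell download",
     "severity": "Medium", "rbacGroupName": "Workstations-FullAIR",
     "machineId": "m3", "investigationId": None,
     "investigationState": "UnsupportedAlertType"},
    {"id": "da4", "title": "Possible C2 beacon",
     "severity": "High", "rbacGroupName": "Servers-NoAutomation",
     "machineId": "m4", "investigationId": None,
     "investigationState": "Unknown"},
    {"id": "da5", "title": "Credential dumping attempt",
     "severity": "Informational", "rbacGroupName": "Workstations-FullAIR",
     "machineId": "m5", "investigationId": None,
     "investigationState": "Unknown"},
]


def missing_investigations(alerts, full_air_groups=FULL_AIR_GROUPS,
                           min_severity="Medium"):
    """Return alerts in full-AIR groups, at or above min_severity, that have
    no investigation attached, each tagged with the best available reason."""
    floor = SEVERITY_RANK[min_severity]
    findings = []
    for alert in alerts:
        if alert.get("rbacGroupName") not in full_air_groups:
            continue  # group is not configured for full AIR; expected
        if SEVERITY_RANK.get(alert.get("severity"), -1) < floor:
            continue  # below the severity you care about
        if alert.get("investigationId"):
            continue  # AIR did run for this alert
        state = alert.get("investigationState", "Unknown")
        reason = NON_STARTER_STATES.get(
            state, "no documented reason; escalate with alert id and machine id")
        findings.append({"alertId": alert["id"], "machineId": alert["machineId"],
                         "title": alert["title"], "state": state,
                         "reason": reason})
    return findings


def summarize_by_state(findings):
    """Count findings per investigationState so the unexplained ones stand out."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["state"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = missing_investigations(SAMPLE_ALERTS)
    for h in hits:
        print(f"{h['alertId']} {h['machineId']} [{h['state']}] {h['title']}: {h['reason']}")
    print(summarize_by_state(hits))
```

In a real tenant you would feed `missing_investigations` the JSON returned by the alerts endpoint instead of `SAMPLE_ALERTS`. Alerts that land in an "Unknown" (or otherwise undocumented) state with no `investigationId`, on a device in a full-AIR group, are the ones worth raising with support, with the alert id and machine id attached; the documented states tell you whether the cause is an unsupported alert type, an unsupported OS, or a suppression rule rather than a product defect.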
3 Replies
- Hooligan (Copper Contributor)
We've observed the same behavior for a few months. Any idea what's going on?
- AdamK419 (Copper Contributor)
Same thing for us. No blocking of registry changes or C2 blocking after running a malicious script with Win + R.
- Marnik (Brass Contributor)
Hi, we still notice no AIR triggering for numerous alerts. For example, 'Suspicious command in RunMRU registry' is solely detected; the device is up and running, and still no AIR is invoked, although the device is part of a device group with FULL AIR.