Forum Discussion
Marnik
Jan 15, 2025 (Brass Contributor)
No Automated Investigation Triggered for High Severity Incident
Hi Community,
I’ve noticed an issue where no Automated Investigation and Response (AIR) was invoked for a high-severity incident and alert on a device that belongs to a device group configured with full AIR. This behavior contradicts the expected principle of AIR, as outlined in the documentation: How Automated Investigation Starts.
Details:
- The device is part of a group with full AIR enabled.
- A high-severity alert/incident occurred but did not trigger any automated investigation.
- Manual actions were required to address the threat, despite AIR being enabled.
Questions:
- Has anyone experienced similar behavior where AIR is not triggered for eligible devices/incidents?
- Are there known scenarios or conditions that might prevent AIR from starting, even in fully configured groups?
- What steps can I take to troubleshoot or escalate this to ensure consistent AIR functionality?
Your insights and suggestions would be greatly appreciated!
Thank you.
Marnik (Brass Contributor)
Hi, we still notice no AIR triggering for numerous alerts. For example, 'Suspicious command in RunMRU registry' is only detected; the device is up and running, and still no AIR is invoked, although the device is part of a device group with FULL AIR.