Observed Automation Discrepancies

I’ve noticed similar behavior. According to me, Defender XDR’s automation engine can apply built-in automated actions for certain high-severity alerts, even if your custom rules don’t trigger them. It seems designed to reduce alert fatigue, but it can be confusing since these actions aren’t always fully visible in the activity log. Worth reaching out to Microsoft support or checking the detailed automation docs to understand exactly which alert types and conditions trigger these automated closures.