Forum Discussion
Aar123
Microsoft
Feb 09, 2026
Observed Automation Discrepancies
Hi Team ... I want to know the logic behind the Defender XDR Automation Engine. How does it work?
I have observed Defender XDR Automation Engine behavior contrary to expectations of identical inc...
ckyalo
Microsoft
Apr 10, 2026
Hi
Question 1: AIR Actions/decisions and Partial remediation
- Signals (Defender Suite)
- Correlation Engine classifying into incidents (grouped alerts)
- AIR Automation Engine (virtual analyst playbooks)
- Remediation Engine - Action Center (approve/reject/undo) - based on configuration
- Attack Disruption - instant containment (high-confidence)
A partial outcome occurs when some remediation actions are completed while others remain pending approval, or when required endpoint protection components, e.g. Microsoft Defender Antivirus, are not fully enabled.
Question 2:
To review, go to the Microsoft Defender portal (https://security.microsoft.com/airinvestigation) → Investigations. You'll see every active and completed investigation with status, evidence analyzed, and actions taken/recommended.
Additional information on this question: Use automated investigations to investigate and remediate threats - Microsoft Defender for Endpoint | Microsoft Learn
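Beyond clicking through the Investigations page, the same partial-outcome check (completed vs. pending-approval actions, investigations stuck open) can be scripted against the investigation list. The following is an added example, not code from the thread or from Microsoft. It parses a constructed sample in the shape of a Defender for Endpoint `GET /api/investigations` response; the field names (`id`, `state`, `startTime`, `endTime`, `computerDnsName`, `triggeringAlertId`) and the state values are assumed here from memory of that API and should be checked against the Microsoft Learn documentation before use against a live tenant.

```python
"""Triage of Defender for Endpoint automated investigations (added example).

Flags investigations that ended in a partial outcome (e.g. actions still
pending Action Center approval) and open investigations that have gone stale.
Field and state names are assumptions modelled on the investigations API.
"""
import json
from datetime import datetime, timedelta, timezone

# States where AIR reached a final outcome and no analyst follow-up is needed (assumed names).
CLOSED_STATES = {
    "SuccessfullyRemediated", "Benign", "TerminatedByUser", "TerminatedBySystem", "SuppressedAlert",
}
# States where automation stopped short of a full outcome and an analyst should look (assumed names).
FOLLOW_UP_STATES = {
    "PendingApproval", "PartiallyRemediated", "PartiallyInvestigated", "Failed",
    "InnerFailure", "PendingResource", "UnsupportedOs", "UnsupportedAlertType",
}

# Constructed sample response; hostnames and ids are made up.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": 1001, "state": "SuccessfullyRemediated", "startTime": "2026-04-10T03:00:00Z",
     "endTime": "2026-04-10T03:20:00Z", "computerDnsName": "ws-01.corp.example", "triggeringAlertId": "da-1"},
    {"id": 1002, "state": "PendingApproval", "startTime": "2026-04-10T05:30:00Z",
     "endTime": None, "computerDnsName": "ws-02.corp.example", "triggeringAlertId": "da-2"},
    {"id": 1003, "state": "PartiallyRemediated", "startTime": "2026-04-10T11:00:00Z",
     "endTime": "2026-04-10T11:15:00Z", "computerDnsName": "srv-01.corp.example", "triggeringAlertId": "da-3"},
    {"id": 1004, "state": "Running", "startTime": "2026-04-10T11:50:00Z",
     "endTime": None, "computerDnsName": "ws-03.corp.example", "triggeringAlertId": "da-4"},
]})


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_investigations(raw):
    """Return the list of investigation records from a raw JSON response body."""
    return json.loads(raw)["value"]


def needs_follow_up(inv):
    """True when the investigation ended (or paused) without a complete outcome."""
    return inv["state"] in FOLLOW_UP_STATES


def is_stale(inv, now, stale_after):
    """True when an investigation is still open and older than stale_after."""
    if inv["state"] in CLOSED_STATES or inv.get("endTime"):
        return False
    return now - parse_time(inv["startTime"]) > stale_after


def triage(raw, now=None, stale_after=timedelta(hours=4)):
    """Summarise investigations: counts per state, follow-up ids, stale open ids."""
    now = now or datetime.now(timezone.utc)
    invs = parse_investigations(raw)
    by_state = {}
    for inv in invs:
        by_state[inv["state"]] = by_state.get(inv["state"], 0) + 1
    follow_up = sorted(i["id"] for i in invs if needs_follow_up(i))
    stale_open = sorted(i["id"] for i in invs if is_stale(i, now, stale_after))
    return {"by_state": by_state, "follow_up": follow_up, "stale_open": stale_open}


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; a live run would use the current time.
    report = triage(SAMPLE_RESPONSE, now=datetime(2026, 4, 10, 12, 0, tzinfo=timezone.utc))
    print(json.dumps(report, indent=2))
```

Investigations listed under `follow_up` are the ones the answer describes as partial outcomes: either actions are waiting in the Action Center for approval, or remediation could not complete on the device. The `stale_open` list catches pending approvals nobody has acted on, which is the usual reason an incident that looks identical to an auto-remediated one ends up in a different state.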