EDR in block mode vs AIR?


With the launch of EDR in block mode, I'm just wondering how this is different from the "AIR block" with the changed default action to have it fully automatic?

I would assume that you could customize the EDR responses; for instance, instead of using Flow/Power Automate you would be able to tell the "new active EDR" to isolate high-risk assets or so, but it seems like nothing like that is available.


Links for info: 

https://docs.microsoft.com/sv-se/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-automation-defaults-are-changing/ba-p/2068744


1 Reply
EDR in block and AIR are two different products.

AIR is an investigation that will launch after an alert is generated. This investigation will check the evidence from the alert and (according to your automation level) remediate certain threats.

EDR in block mode will allow EDR detections to be blocked. EDR detections are detections that are based on AI and run in the Microsoft Cloud. For example, EDR might notice that a process is doing phishy stuff and after analysis of the data in the cloud, it can be blocked.