EDR in block mode vs AIR?
By the launch of EDR in blockmode, i'm just wondering how is this different than the "AIR block" with the changed default action to have it fully automatic? I would assume that you could customize the EDR responses, for instance instead of using Flow/Power Automate you would be able to tell the "new active EDR" to isolate high risk assets or so, but seems like nothing like that is available. Links for info: https://docs.microsoft.com/sv-se/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-automation-defaults-are-changing/ba-p/2068744