Defender for Endpoint EDR vs AIR

eg1995 1,156 Reputation points
2023-02-14T15:49:00.07+00:00

Hi team,

I need your help in differentiating between EDR and AIR in Defender for Endpoint.

As AIR currently is not available for macOS and I have a requirement for macOS, I need to understand what EDR can do in this case in terms of blocking and remediation options.


Accepted answer
    Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-02-22T06:24:54.9666667+00:00

    @eg1995 Apologies for the delay in reviewing this post. As I understand it, you are looking for the difference between EDR and AIR in Defender for Endpoint.

    EDR in block mode will allow EDR detections to be blocked. EDR detections are detections that are based on AI and run in the Microsoft Cloud. For example, EDR might notice that a process is doing phishy stuff and, after analysis of the data in the cloud, it can be blocked.

    AIR is an investigation that will launch after an alert is generated. This investigation will check the evidence from the alert and (according to your automation level) remediate certain threats.

    Reference:

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide

    Let me know if you have any further questions; feel free to post back.

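Before relying on either path on a Mac, the practical check is whether the device can block locally at all (real-time protection on, not in passive mode) and whether the EDR sensor is onboarded and cloud-connected, since cloud-side detections and any remediation depend on that. The script below is an added example, not code from the answer above or from Microsoft: a POSIX shell posture check that parses the `key : value` lines printed by `mdatp health`. The field names are the ones `mdatp health` prints; the two health dumps embedded in it are constructed samples, and `mdatp_field` / `assess_mdatp_health` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: a posture check for a macOS
# device running Microsoft Defender for Endpoint. It parses the "key : value"
# lines printed by `mdatp health` and reports whether the device can block
# threats locally (real-time protection) and whether the EDR sensor is
# onboarded and cloud-connected. Field names are those `mdatp health` prints;
# the two sample dumps below are constructed for illustration.

# Print the value of one `mdatp health` field with surrounding quotes stripped.
#   $1 = health output text, $2 = field name
mdatp_field() {
    printf '%s\n' "$1" | awk -F' *: *' -v key="$2" \
        '$1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# Assess a health dump. Prints one finding per line.
# Returns 0 when the device both blocks on-device and reports to EDR,
# 1 when either capability is missing.
assess_mdatp_health() {
    health=$1
    status=0
    licensed=$(mdatp_field "$health" licensed)
    cloud=$(mdatp_field "$health" cloud_enabled)
    rtp=$(mdatp_field "$health" real_time_protection_enabled)
    passive=$(mdatp_field "$health" passive_mode_enabled)
    defs=$(mdatp_field "$health" definitions_status)
    edr_id=$(mdatp_field "$health" edr_machine_id)

    if [ "$licensed" != "true" ]; then
        echo "FAIL: device is not licensed, onboarding did not complete"
        status=1
    fi
    if [ -z "$edr_id" ]; then
        echo "FAIL: edr_machine_id is empty, the EDR sensor is not onboarded"
        status=1
    fi
    if [ "$cloud" != "true" ]; then
        echo "FAIL: cloud_enabled is false, cloud verdicts and EDR data will not flow"
        status=1
    fi
    # Local blocking needs real-time protection. Passive mode turns it off
    # while the sensor keeps reporting, so alerts still reach the portal but
    # nothing is blocked on the device itself.
    if [ "$rtp" != "true" ] || [ "$passive" = "true" ]; then
        echo "WARN: real-time protection inactive (rtp=$rtp passive=$passive); device reports but does not block locally"
        status=1
    fi
    if [ "$defs" != "up_to_date" ]; then
        echo "WARN: definitions_status=$defs"
    fi
    [ "$status" -eq 0 ] && echo "OK: on-device blocking and EDR reporting are both active"
    return "$status"
}

# Constructed sample: fully enabled, onboarded device.
SAMPLE_OK=$(cat <<'EOF'
healthy                                     : true
licensed                                    : true
cloud_enabled                               : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_subsystem              : "endpoint_security_extension"
definitions_status                          : "up_to_date"
edr_machine_id                              : "0123456789abcdef0123456789abcdef01234567"
EOF
)

# Constructed sample: sensor onboarded, but the AV has been put in passive mode.
SAMPLE_PASSIVE=$(cat <<'EOF'
healthy                                     : true
licensed                                    : true
cloud_enabled                               : true
passive_mode_enabled                        : true
real_time_protection_enabled                : false
definitions_status                          : "up_to_date"
edr_machine_id                              : "0123456789abcdef0123456789abcdef01234567"
EOF
)

echo "== fully enabled device =="
assess_mdatp_health "$SAMPLE_OK" || :
echo "== passive-mode device =="
assess_mdatp_health "$SAMPLE_PASSIVE" || :
# On a real Mac run it against live output:  assess_mdatp_health "$(mdatp health)"
```

The script only tells you what the device can do on its own; whether cloud-side blocking or automated investigation is configured for the device is a tenant-side setting and has to be confirmed in the portal, not from `mdatp health`.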