![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 26%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,207 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@eg1995 Apologies for the delay in reviewing this post, As I understand you are looking for difference between EDR & AIR in defender for endpoint.
EDR in block mode will allow EDR detections to be blocked. EDR detections are detections that are based on AI and run in the Microsoft Cloud. For example, EDR might notice that a process is doing phishy stuff and after analysis of the data in the cloud, it can be blocked.
AIR is an investigation that will launch after an alert is generated. This investigation will check the evidence from the alert and (according to your automation level) remediate certain threats.
Reference:
Let me know if you have any further questions, feel free to post back.