Reply To: SC-200 Review test Set 2 – question 7 from “Manage Incident Response” category
Hi Valentin,
Thanks for sharing your feedback. We completely understand the confusion here.
The correct answer is isolating the device because Microsoft Defender for Endpoint treats this as a manual action. Based on official Microsoft documentation, device isolation is considered a high-impact response since it disconnects the machine from the network and can disrupt operations.
Reference: https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
Because of this, even with Automated Investigation and Response (AIR) enabled, Microsoft requires security analysts to trigger isolation manually instead of allowing it to run automatically.
In contrast, actions like quarantining emails, deleting messages, and running scans are low-impact and can be handled automatically.
We hope this clarifies your question. Please let us know if you have any follow-up questions.
Regards,
Lois @ Tutorials Dojo
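As an added illustration (not part of the reply above, and not code from Microsoft's documentation), the script below shows what the manual isolation step looks like when an analyst drives it through the Defender for Endpoint API rather than the portal. The tenant ID, app registration, secret and machine ID are placeholders to fill in; the app registration is assumed to hold the Machine.Isolate application permission.

```powershell
# Added example: analyst-initiated device isolation via the Defender for Endpoint API.
# Placeholders (assumptions, not values from the forum post): $tenantId, $clientId,
# $clientSecret, $machineId.
$tenantId     = "<tenant-id>"
$clientId     = "<app-registration-client-id>"
$clientSecret = "<app-registration-secret>"
$machineId    = "<defender-machine-id>"   # the 'id' field of a machine from the Machines API

# 1. Acquire an app-only token for the Defender for Endpoint API (client credentials flow).
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    resource      = "https://api.securitycenter.microsoft.com"
}
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body $tokenBody).access_token

$headers = @{
    Authorization  = "Bearer $token"
    "Content-Type" = "application/json"
}

# 2. Isolate the device. IsolationType "Full" cuts all connectivity except to the
#    Defender for Endpoint service; "Selective" keeps Outlook, Teams and Skype for Business
#    reachable. The Comment is required and is recorded with the action.
$isolateBody = @{
    Comment       = "Analyst-initiated isolation after confirmed malware alert"
    IsolationType = "Full"
} | ConvertTo-Json

$action = Invoke-RestMethod -Method Post `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
    -Headers $headers -Body $isolateBody

# The call returns a MachineAction; poll it until the action finishes.
do {
    Start-Sleep -Seconds 10
    $action = Invoke-RestMethod -Method Get `
        -Uri "https://api.securitycenter.microsoft.com/api/machineactions/$($action.id)" `
        -Headers $headers
    Write-Host "Isolation status: $($action.status)"
} while ($action.status -in @("Pending", "InProgress"))

# 3. When the investigation is done, release the device. This is a separate manual action.
$releaseBody = @{ Comment = "Investigation complete; releasing device from isolation" } | ConvertTo-Json
Invoke-RestMethod -Method Post `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/unisolate" `
    -Headers $headers -Body $releaseBody
```

Both the isolate and unisolate calls, with their comments, show up in the Action center alongside actions taken from the portal, which is useful when reviewing who disconnected a device and why.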