Disable Defender for Identity Automation

Hi mtcsb,

I’ll start off by saying I get the apprehension to allowing an automatic response being taken without understanding exactly what signals are being used to make the decision. Nevertheless, I personally have not heard any horror stories with Automatic Attack Disruption nor experienced any myself. Any time it did trigger which was seldom, it was 100% justified. Furthermore, to reverse the remediation there is an Undo button: Undo completed action  

Now as far as how you can turn off automated responses I believe the setting is tied to all automated actions so there are implications in doing this such as having to approve any automated remediation actions even for the commodity malware removal depending on your settings. see here on how to configure these settings per device group: Automation setting for your organizations devices 

And please read and understand what each automation level means and how it could affect your overall security posture and workload: Automation levels in automated investigation and remediation capabilities 

Best,

Dylan