Has anyone ever seen this actually happen? I am working with multiple companies which have their MDE configured in a way that should allow this behavior and have never observed such an automated action or even heard about it.
The automation level configuration option was only used to configure "automated investigation and response" before.
One additional question:
Is there an option to exclude devices from automatic attack disruption (like there is for users) but without also disabling automated investigation and response, which would happen when changing the automation level? I am thinking about the use case of a system that should be protected in terms of quarantine, process killing and similar actions but under no circumstances should it be isolated from the network automatically.