Has anyone seen "automatic attack disruption" in action?

Copper Contributor

Until today I thought that the automation level that is configured per device group did not have anything to do with automated device isolation or user disabling. Today I read about a feature named "automatic attack disruption" that seems to have existed since March 2023: https://learn.microsoft.com/en-us/microsoft-365/security/defender/automatic-attack-disruption?view=o...

This docs page describes that Defender for Endpoint will isolate devices and disable users automatically if the prerequisites are fulfilled and the device group automation level is set to "Full - remediate threats automatically". Prerequisites: https://learn.microsoft.com/en-us/microsoft-365/security/defender/configure-attack-disruption?view=o...

Has anyone ever seen this actually happen? I am working with multiple companies that have their MDE configured in a way that should allow this behavior, and I have never observed such an automated action or even heard about it.

The automation level configuration option was only used to configure "automated investigation and response" before.

One additional question:

Is there an option to exclude devices from automatic attack disruption (like there is for users) without also disabling automated investigation and response, which would happen when changing the automation level? I am thinking about the use case of a system that should be protected in terms of quarantine, process killing and similar actions, but under no circumstances should be isolated from the network automatically.
