Endpoint containment automatically (or manually) isolates endpoints when they are associated with malicious detections. If a detection matches one of the following settings, but the setting is disabled, the detection will be escalated to your team.
Auto-containment is not performed for detections from beta integrations. If the detection is generated by a beta integration, Wirespeed will skip automatic containment and escalate the case to your team instead. Manual containment remains available.
Critical Assets
Automatically isolates Critical Assets when detections are discovered. Critical Assets are endpoints associated with VIPs in your organization or with critical infrastructure. Enable this setting with caution, and discuss it with the Wirespeed team first. Once enabled, Critical Assets are only contained when one of the other settings (e.g. late stage tools or unmitigated malware) is present on the detection and enabled.
Servers
Automatically isolates servers when detections are discovered. Servers are endpoints that are identified as servers in your environment.
Late Stage Tools
When a detection is discovered to be using late stage tools, an active breach is almost certainly in progress. Enabling this setting is one of our secure default options, and it should always be enabled.
Unmitigated Malware
Automatically isolates endpoints when a detection is discovered to be using malware that is not a late stage tool. Many things may be considered malware in an environment without being malicious, so it is best to leave this setting disabled until you have enough data to verify how unmitigated malware is represented in your environment.
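The containment rules described on this page, modelled as an added Python example (not Wirespeed's code). The Settings and Detection field names are mine, as is the assumption that a Critical Asset is contained only when its own setting is enabled and an enabled late stage tools or unmitigated malware match is present; everything else falls through to escalation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Settings:
    """The four containment toggles from this page (hypothetical field names)."""
    critical_assets: bool
    servers: bool
    late_stage_tools: bool
    unmitigated_malware: bool

@dataclass(frozen=True)
class Detection:
    """What the platform knows about a detection (hypothetical field names)."""
    from_beta_integration: bool
    asset_is_critical: bool
    asset_is_server: bool
    uses_late_stage_tools: bool
    uses_unmitigated_malware: bool

def containment_decision(det: Detection, cfg: Settings) -> tuple[str, str]:
    """Return ("contain" | "escalate", reason) for one detection."""
    if det.from_beta_integration:
        return ("escalate", "beta integration: automatic containment skipped")

    # Detection-type settings this detection matches, with their enabled state.
    tool_matches = {}
    if det.uses_late_stage_tools:
        tool_matches["late stage tools"] = cfg.late_stage_tools
    if det.uses_unmitigated_malware:
        tool_matches["unmitigated malware"] = cfg.unmitigated_malware
    enabled_tools = [name for name, on in tool_matches.items() if on]

    if det.asset_is_critical:
        # Assumption: Critical Assets need their own setting on AND an enabled
        # detection-type match; otherwise the case goes to the team.
        if cfg.critical_assets and enabled_tools:
            return ("contain", f"critical asset with enabled match: {enabled_tools[0]}")
        return ("escalate", "critical asset: containment gate not satisfied")

    if det.asset_is_server and cfg.servers:
        return ("contain", "servers setting enabled")
    if enabled_tools:
        return ("contain", f"{enabled_tools[0]} setting enabled")

    if det.asset_is_server or tool_matches:
        return ("escalate", "matched a setting that is disabled")
    return ("escalate", "no containment setting matched")
```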