User containment automatically (or manually) isolates users when they are associated with malicious detections. If a detection matches one of the following settings, but the setting is disabled, the detection will be escalated to your team.
Manual containment is always available: when reviewing a case, select Actions > Contain.
Containment Actions
Wirespeed takes the following actions to contain a user:
- rotate the user’s password
- kill all active sessions
- lock the account
Microsoft does not support rotating passwords.
VIPs
When this setting is enabled, a user is contained automatically whenever a detection is considered actionable and is associated with a VIP. VIPs in your organization are commonly high-ranking individuals who may not respond well to lockouts. It is best to disable this setting until you have enough data to verify how VIPs are represented in your environment.
NHIs
When this setting is enabled, an identity is contained automatically whenever a detection is considered actionable and is associated with a non-human identity (NHI). NHIs in your organization are typically service accounts, API keys, bots, and other automated identities that are not associated with actual humans. Containing these identities could have a significant impact on critical business operations and integrations. It is best to disable this setting until you have enough data to verify how NHIs are represented in your environment.