User containment automatically (or manually) isolates users when they are associated with malicious detections. If a detection matches one of the following settings, but the setting is disabled, the detection will be escalated to your team.

Containment is always enabled manually when reviewing a case and selecting Actions > Contain.

VIPs

When a detection is considered actionable and is associated with a VIP, enabling this setting will automatically contain that user. VIPs in your organization are commonly high-ranking individuals that may not respond well to lockouts. It is best to disable this setting until you have a good amount of data to verify how VIPs are represented in your environment.​