User Containment
Automatically contain compromised users
User containment automatically (or manually) isolates users when they are associated with malicious detections. If a detection matches one of the following settings, but the setting is disabled, the detection will be escalated to your team.
Manual containment is always available: when reviewing a case, select Actions > Contain.
Containment Actions
Wirespeed takes the following actions to contain a user:
- rotate the user’s password
- kill all active sessions
- lock the account
VIPs
When a detection is considered actionable and is associated with a VIP, enabling this setting will automatically contain that user. VIPs in your organization are commonly high-ranking individuals who may not respond well to lockouts. It is best to keep this setting disabled until you have enough data to verify how VIPs are represented in your environment.