The Disable user account action prevents further propagation of an attack by disabling a compromised user account, identified by its username or email address. As part of automating this within Workbench, we also log the compromised user out of their existing session. Both of these actions take effect immediately in the target vendor system, such as Okta.
Some vendors refer to this feature as block user, suspend user, change user status, remove user from org, or lock user account instead.
We rely on customer contexts to configure auto-remediation. You specify which users to never disable (deny list) or which users to only ever disable (allow list).
We automate the remediation action itself, not the decision to remediate. Our analysts make the call on when and what to remediate, based on the settings you specify. You can also undo any remediation by clicking the Undo button, which is easily available in Workbench. This gives you control over your environment.