Auto pull and auto restore are valuable features. Auto restore isn't quite what it should be, but it's a lot better than someone having to manually release mail back to everyone. If something's pulled and then it's later declared a false positive, it will automatically restore. They also take automatic feeds from their advanced threat detection modules. Anytime Advanced Threat Protection finds something that was allowed to go through, either a URL or attachment, it will send out a signal, and Threat Response will automatically pull all of that out of the mail files. The automation is the big thing for us. Integration capabilities: There's an API, but most of it is around how you handle incidents. We're also not using the whole Threat Response suite, just the subset. So, we've never had to or could integrate anything else. We're limited to the Exchange portion only. The whole Threat Response should be labeled as a SOAR tool. The portion we have, I would call it "SOAR-lite." I know there are a couple of others that offer a SOAR-lite, but we're just starting to look at them.
