I run a landscaping and snow management company in Massachusetts--definitely not a cybersecurity expert. But I can tell you about automation that saved our operation during critical moments, and the principle is identical to what you're asking about. When snow hits at 3 AM, we have automated trigger systems on our equipment that alert our team the second accumulation reaches our threshold. Before we automated this, we'd manually check weather reports and sometimes miss the narrow window to get commercial properties clear before business hours. Now our plows are rolling within minutes of that trigger, and we've cut response time from 45+ minutes down to under 10. That speed difference is literally the difference between a client keeping or losing business that day. The reason automation beats manual every time: humans sleep, get distracted, or misread situations. Our automated system doesn't care if it's Thanksgiving--it sees the condition, sends the alert, and our team mobilizes. I'd imagine ransomware containment works the same way--an EDR API sees the signature, immediately isolates the infected endpoint, and you're containing damage before someone even reads the alert email. For your specific question, I'd look into CrowdStrike's Falcon API with automated network isolation. I've seen IT folks in our contractor network mention it can quarantine a machine the instant it detects ransomware behavior, no human decision needed. When every second counts, you need that automatic trigger.
One of my favorite automations uses an EDR API in the trigger of a multi-system containment workflow. At the detection of a high-confidence ransomware incident, the first API call gets executed, carrying an EDR 'network contain' command, pulling the endpoint offline to prevent any lateral spread. At the same time, the second API call is being made to the identity provider (such as Azure AD or Okta) to disable the user account on that device and to force a global sign-out. Much better than the 'manual' gauntlet an analyst runs when responding: "Oh, I see the alert! Let me log into the EDR console... Okay, I've isolated the machine. Oh wait, what's my password... how do I log in to the identity admin center to disable the user account?" It's at least five minutes of back and forth. The automated workflow does both critical functions in under ten seconds, shutting the two main attack vectors (the network, you and your credentials) down before the human can even log into the first dashboard.
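The two-call containment workflow this post describes, as an added example (not code from the poster or from any vendor): the EDR and identity-provider clients are hypothetical stand-ins for the real API wrappers, and the confidence threshold and exclusion list are assumptions. It shows the two legs running concurrently, gated on confidence, with one leg's failure never blocking the other.

```python
import concurrent.futures as cf
from dataclasses import dataclass, field

HIGH_CONFIDENCE = 90        # constructed threshold: only alerts at or above it auto-contain
NEVER_AUTO_CONTAIN = set()  # hypothetical operator-maintained exclusions (e.g. domain controllers)

@dataclass
class Containment:          # audit record of what the workflow actually did
    device_contained: bool = False
    user_disabled: bool = False
    sessions_revoked: bool = False
    errors: list = field(default_factory=list)

class FakeEdr:              # stand-in for an EDR client; a real one calls the vendor's contain endpoint
    def __init__(self, fail=False):
        self.contained, self.fail = set(), fail
    def network_contain(self, device_id):
        if self.fail:
            raise RuntimeError("EDR API unreachable")
        self.contained.add(device_id)
        return True

class FakeIdp:              # stand-in for an identity-provider client (disable + global sign-out)
    def __init__(self):
        self.disabled, self.revoked = set(), set()
    def disable_user(self, user_id):
        self.disabled.add(user_id)
        return True
    def revoke_sessions(self, user_id):
        self.revoked.add(user_id)
        return True

def contain(device_id, user_id, confidence, edr, idp, budget_s=10):
    """Run endpoint isolation and identity lockout concurrently; one leg failing never blocks the other."""
    result = Containment()
    if confidence < HIGH_CONFIDENCE or device_id in NEVER_AUTO_CONTAIN:
        result.errors.append("not auto-contained: low confidence or excluded host; left for analyst")
        return result
    def isolate():
        result.device_contained = edr.network_contain(device_id)
    def lock_identity():
        result.user_disabled = idp.disable_user(user_id)
        result.sessions_revoked = idp.revoke_sessions(user_id)
    with cf.ThreadPoolExecutor(max_workers=2) as pool:
        for fut in [pool.submit(isolate), pool.submit(lock_identity)]:
            try:
                fut.result(timeout=budget_s)
            except Exception as exc:   # record it; the other leg still runs to completion
                result.errors.append(f"{type(exc).__name__}: {exc}")
    return result
```

In production the fake clients would wrap the vendor APIs, and the exclusion list is the check that keeps the workflow from isolating a host you cannot afford to lose.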