Yes, you can do this. Just use Automatic Responses > ePO Notification Events; Threat Event; and in the filter, use the Threat Severity attribute and the Detecting Product attribute set to Host IPS.
Thanks for that! Will give setting up the automated response a go today. Dave
Thanks georgec, got the automated response working.