Disable AD / Local User Accounts based on signals
Clay Eden
Would it be possible to disable user accounts associated with EDR detection?
We had an incident occur on a workstation where a domain user's account and then a domain administrator's account were used as part of an attack. It would be really handy if we could prevent additional lateral movement by disabling those accounts (in both cases of being a local computer user or a domain account).
Logic something like: Incident Occurs -> User Account issued command or action detected in signals -> User is Domain User -> Agent on AD Server for Same domain -> issue disable account (lock... similar to how ITDR propagates down a user lockout AD SYNC)
Also, maybe a roll back feature to re-enable them (similar to host isolation... un-isolated / unlock the user account?)
Thanks,
Clay
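One way to script the disable-and-roll-back response described in the post, as an added PowerShell example that is not code from the poster or from any EDR/ITDR vendor. It assumes the RSAT ActiveDirectory module on the responder host, WinRM access to the workstation (needed only for local accounts), and a hypothetical JSON state file for rollback.

```powershell
<# Added example: contain the account a detection surfaced (domain or local)
   and record the action so it can be reversed with -Rollback.
   Assumptions: RSAT ActiveDirectory module, WinRM to the workstation,
   rights to change both; the state-file path is an invented placeholder. #>
param(
    [Parameter(Mandatory)] [string] $UserName,   # 'CONTOSO\jdoe' or 'WS01\svc_backup'
    [Parameter(Mandatory)] [string] $HostName,   # workstation named in the detection
    [string] $StateFile = "$env:ProgramData\AccountContainment\state.json",
    [switch] $Rollback
)
Import-Module ActiveDirectory

function Resolve-Account {
    # Prefix equal to the domain NetBIOS name => domain account; otherwise a computer name => local account
    param([string] $Name)
    $parts = $Name -split '\\', 2
    if ($parts.Count -eq 1) { return [pscustomobject]@{ Scope = 'Domain'; Sam = $parts[0] } }
    $scope = if ($parts[0] -ieq (Get-ADDomain).NetBIOSName) { 'Domain' } else { 'Local' }
    [pscustomobject]@{ Scope = $scope; Sam = $parts[1] }
}

function Set-AccountState {
    param($Account, [string] $Computer, [bool] $Enabled)
    if ($Account.Scope -eq 'Domain') {
        if ($Enabled) { Enable-ADAccount -Identity $Account.Sam } else { Disable-ADAccount -Identity $Account.Sam }
    } else {
        # Local accounts can only be changed on the workstation itself
        Invoke-Command -ComputerName $Computer -ArgumentList $Account.Sam, $Enabled -ScriptBlock {
            param($n, $e); if ($e) { Enable-LocalUser -Name $n } else { Disable-LocalUser -Name $n }
        }
    }
}

$acct  = Resolve-Account -Name $UserName
$state = if (Test-Path $StateFile) { @(Get-Content $StateFile -Raw | ConvertFrom-Json) } else { @() }

if ($Rollback) {
    # Only re-enable accounts this script disabled; refuse to enable anything else blindly
    $entry = $state | Where-Object { $_.User -eq $UserName -and $_.Host -eq $HostName }
    if (-not $entry) { throw "No recorded containment for $UserName on $HostName" }
    Set-AccountState -Account $acct -Computer $HostName -Enabled $true
    $state = @($state | Where-Object { -not ($_.User -eq $UserName -and $_.Host -eq $HostName) })
    Write-Host "Re-enabled $($acct.Scope) account $($acct.Sam)"
} else {
    Set-AccountState -Account $acct -Computer $HostName -Enabled $false
    $state += [pscustomobject]@{ User = $UserName; Host = $HostName; Scope = $acct.Scope; When = (Get-Date).ToString('o') }
    Write-Host "Disabled $($acct.Scope) account $($acct.Sam); recorded for rollback"
}
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
ConvertTo-Json -InputObject $state | Set-Content $StateFile
```

Wire the non-rollback path to the detection as the "issue disable account" step and the -Rollback path to the un-isolate-style action the post asks for.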