Adaptive Active Adversary Protection

From this morning's New Innovations email:

"Adaptive Active Adversary Protection temporarily puts the impacted device into a more aggressive security mode that disrupts and delays the attacker by automatically blocking a wide range of activities that are commonly performed in human-led attacks. Just a few examples of the malicious behaviors that we prevent include:

  • Attempts to run remote admin tools
  • Attempts to run untrusted executables
  • Attempts to boot the machine in Safe Mode"

Can someone point me to the documentation on how Sophos knows this is an attack, vs. my tech remote accessing a system to do work?

Untrusted executables are not an issue; running admin tools and booting to safe mode are things we do remotely.
My searches didn't get me any information other than links for Active Directory stuff. 

Added TAGs
[edited by: Gladys at 8:59 AM (GMT -8) on 1 Mar 2023]