Remediate an Account Compromise

​

Overview

The Remediation Actions panel guides you through the 6 steps of remediating an account compromise:

1. Revoke Sessions and Lock Account
2. Retract Phishing Emails
3. Disable Persistence Mechanisms
4. Reset Password
5. Re-enable Account
6. Mark as Remediated

Remediation Actions Panel

​

Step 1: Revoke Sessions and Lock Account

In the Remediation Actions panel, click the Revoke Sessions and Lock Account button to immediately:

• Terminate all active user sessions
• Lock the compromised account
• Prevent further unauthorized access

​

Step 2: Retract Phishing Emails

Similar phishing emails are identified automatically and can be moved to Deleted Items.

Stop others from falling for the same phish

​

Step 3: Disable Persistence Mechanisms

Attackers often create persistence mechanisms to maintain access even after password changes. Petra identifies these mechanisms and lets you one-click disable them.

These include:

• Mail filter rules
• App registrations
• Service principals
• Phishing emails sent internally
• Phishing emails still in mailboxes in your environment

Remediate inbox rules and app registrations

​

Step 4: Reset Password

After removing all persistence mechanisms:

1. Click the “Reset Password” button. This will generate a new password string and apply it to the account. It will then show you that new password.
2. Communicate the new password securely to the user. We recommend calling them.

​

Step 5: Re-enable Account

After resetting the password, you can re-enable the account.

​

Step 6: Mark as Remediated

Once all remediation steps are complete:

1. Click “Mark as Remediated”
2. This changes the incident status to “Remediated”
3. The remediation panel will auto-hide for cleaner viewing

​

Post-Remediation

After remediation, the incident page remains available for:

• Generating incident reports
• Exporting data to share with clients
• Reviewing the incident timeline and details
• Further investigation if needed