Overview

The Remediation Actions panel guides you through the 6 steps of remediating an account compromise:

  1. Revoke Sessions and Lock Account
  2. Retract Phishing Emails
  3. Disable Persistence Mechanisms
  4. Reset Password
  5. Re-enable Account
  6. Mark as Remediated

Remediation Actions Panel

Step 1: Revoke Sessions and Lock Account

Revoke Sessions and Lock Account should be your first action when remediating a compromise.

In the Remediation Actions panel, click the Revoke Sessions and Lock Account button to immediately:

  • Terminate all active user sessions
  • Lock the compromised account
  • Prevent further unauthorized access

Revoke Sessions and Lock Account works for all account types, including on-prem synced and hybrid accounts.

Step 2: Retract Phishing Emails

Similar phishing emails are identified automatically and can be moved to Deleted Items.

Similar Phish Retraction

Stop others from falling for the same phish

Step 3: Disable Persistence Mechanisms

Attackers often create persistence mechanisms to maintain access even after password changes. Petra identifies these mechanisms and lets you one-click disable them.

These include:

  • Mail filter rules
  • App registrations
  • Service principals
  • Phishing emails sent internally
  • Phishing emails still in mailboxes in your environment

Remediate inbox rules and app registrations

All of these persistence mechanisms are auto-identified and can be removed in one click. Use the Remediation Actions Panel to remove them.
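
As an added example (not Petra's code or export format), the check below shows why Step 3 comes before Step 4: it lists mail filter rules, app registrations and service principals that were created during the compromise window and are still enabled. The field names, the sample inventory and the choice of window (first suspicious sign-in up to the session revocation in Step 1) are assumptions made for illustration.

```python
from datetime import datetime

# Three of the persistence kinds listed above; these survive a password change.
PERSISTENCE_KINDS = {"mail_filter_rule", "app_registration", "service_principal"}

# Constructed inventory for one account; field names are hypothetical.
SAMPLE_ARTIFACTS = [
    {"kind": "mail_filter_rule", "name": "rule-1",
     "created": "2024-03-01T08:00:00+00:00", "enabled": True},
    {"kind": "mail_filter_rule", "name": "rule-2",
     "created": "2024-05-02T09:20:00+00:00", "enabled": True},
    {"kind": "app_registration", "name": "app-1",
     "created": "2024-05-02T09:45:00+00:00", "enabled": True},
    {"kind": "service_principal", "name": "sp-1",
     "created": "2024-05-02T09:46:00+00:00", "enabled": False},
    {"kind": "calendar_item", "name": "cal-1",
     "created": "2024-05-02T09:30:00+00:00", "enabled": True},
]


def leftover_persistence(artifacts, window_start, window_end):
    """Return enabled persistence artifacts created inside the compromise window."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    leftovers = []
    for item in artifacts:
        if item["kind"] not in PERSISTENCE_KINDS:
            continue  # not a persistence type this check covers
        created = datetime.fromisoformat(item["created"])
        if start <= created <= end and item["enabled"]:
            leftovers.append(item)
    return leftovers


def ready_for_password_reset(artifacts, window_start, window_end):
    """True only when no in-window persistence artifact is still enabled."""
    return not leftover_persistence(artifacts, window_start, window_end)


if __name__ == "__main__":
    window = ("2024-05-02T09:00:00+00:00", "2024-05-02T10:30:00+00:00")
    for item in leftover_persistence(SAMPLE_ARTIFACTS, *window):
        print("still enabled:", item["kind"], item["name"])
    print("ready for password reset:",
          ready_for_password_reset(SAMPLE_ARTIFACTS, *window))
```

An artifact created before the assumed window (rule-1 here) is not flagged, so widen the window if the first malicious sign-in is uncertain.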

Step 4: Reset Password

After removing all persistence mechanisms:

  1. Click the “Reset Password” button. This will generate a new password string and apply it to the account. It will then show you that new password.
  2. Communicate the new password securely to the user. We recommend calling them.

Step 5: Re-enable Account

After resetting the password, you can re-enable the account.

Step 6: Mark as Remediated

Once all remediation steps are complete:

  1. Click “Mark as Remediated”
  2. This changes the incident status to “Remediated”
  3. The remediation panel will auto-hide for cleaner viewing

Post-Remediation

After remediation, the incident page remains available for:

  • Generating incident reports
  • Exporting data to share with clients
  • Reviewing the incident timeline and details
  • Further investigation if needed

You can always expand the remediation panel again if you need to review or modify any remediation actions taken.

The Demo Tenant (Acme Corp) is a phenomenal place to see all of this in action.