Remediating an account compromise

Overview

When Petra detects a compromised account in your client’s environment, it creates an incident that requires immediate attention. This guide walks you through the process of remediating account compromises with Petra’s one-click remediation tools.

Accessing Incidents

You can access incidents in two ways:

  1. From the top navigation bar, click on “Incidents” to view all active incidents
  2. From your tenant dashboard, click on the specific incident in the Active Incidents panel

Active, unremediated incidents appear highlighted in red.

Remediation Process

Here’s how to handle an incident:

When you first open an incident, you’ll see:

  • Remediation Actions panel (expanded by default for unremediated incidents).
  • Affected identity details (name, email, title, M365 metadata, etc.).
  • Information about the incident (how it was detected, a possible note from our team).
  • Timeline of the attack.
  • Detailed logs viewer with attacker activity auto-highlighted in red.

1. Revoke Sessions and Lock Account

Revoke Sessions and Lock Account should be your first action when remediating a compromise.

In the Remediation Actions panel, click the Revoke Sessions and Lock Account button to immediately:

  • Terminate all active user sessions
  • Lock the compromised account
  • Prevent further unauthorized access

Revoke Sessions and Lock Account works for all account types, including on-prem synced and hybrid accounts.

2. Disable Persistence Mechanisms

Attackers often create persistence mechanisms to maintain access even after password changes. Petra identifies these mechanisms and lets you one-click disable them.

These include:

  • Mail filter rules
  • App registrations
  • Service principals
  • Phishing emails sent internally
  • Phishing emails still in mailboxes in your environment

All of these persistence mechanisms are auto-identified and can be removed in one click. Use the Remediation Actions panel to remove them.

3. Reset Password and Re-enable Account

After removing all persistence mechanisms:

  1. Click the “Reset Password” button. This generates a new password, applies it to the account, and then displays the new password to you.
  2. Communicate the new password securely to the user. We recommend calling them.
  3. Click “Re-enable Account” to restore access.
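The order of steps 1 to 3 (contain the account, remove persistence, only then issue a new credential and re-enable) is the security-relevant part of this procedure. The following is an added example, not Petra's code, expressing that order against the Microsoft Graph REST API. The endpoint paths (`revokeSignInSessions`, `accountEnabled`, `mailFolders/inbox/messageRules`, `passwordProfile`) are real Graph v1.0 routes; the `GraphClient`/`FakeGraph` transport, the inbox-rule heuristics in `suspicious_rule_reasons`, the user id and the sample rules are all assumptions constructed for the example. It covers the mail-rule persistence mechanism only; app registrations and service principals need separately identified object ids and are not shown.

```python
# Added example (not Petra's code): steps 1-3 of the page in order, against Graph v1.0.
# GraphClient/FakeGraph, the heuristics and the sample data are assumptions for this example.
from __future__ import annotations

import secrets
import string
from typing import Any


class GraphClient:
    """Transport abstraction. A real deployment would wrap an HTTP library with a
    bearer token (assumption); FakeGraph below replaces it so this runs offline."""

    def request(self, method: str, path: str, body: dict | None = None) -> Any:
        raise NotImplementedError


def suspicious_rule_reasons(rule: dict, tenant_domains: set[str]) -> list[str]:
    """Heuristics (assumed, not Petra's) for inbox rules that look like persistence:
    forwarding or redirecting outside the tenant, or silently deleting/hiding mail."""
    reasons: list[str] = []
    actions = rule.get("actions") or {}
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address", "")
            domain = address.rsplit("@", 1)[-1].lower()
            if domain and domain not in tenant_domains:
                reasons.append(f"{key}: external address {address}")
    if actions.get("delete"):
        reasons.append("deletes matching messages")
    if actions.get("markAsRead") and actions.get("moveToFolder"):
        reasons.append("marks as read and moves to a folder (hides replies)")
    return reasons


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG (Petra generates and displays one in its UI)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(client: GraphClient, user_id: str, tenant_domains: set[str]) -> dict:
    """Steps 1-3 in the page's order: contain, remove persistence, then reset and re-enable."""
    # Step 1: invalidate every session/refresh token, then block sign-in so none are re-issued.
    client.request("POST", f"/users/{user_id}/revokeSignInSessions")
    client.request("PATCH", f"/users/{user_id}", {"accountEnabled": False})

    # Step 2: enumerate inbox rules and delete the ones that look like persistence.
    rules = client.request("GET", f"/users/{user_id}/mailFolders/inbox/messageRules")["value"]
    removed = []
    for rule in rules:
        reasons = suspicious_rule_reasons(rule, tenant_domains)
        if reasons:
            client.request("DELETE", f"/users/{user_id}/mailFolders/inbox/messageRules/{rule['id']}")
            removed.append({"name": rule.get("displayName"), "reasons": reasons})

    # Step 3: new credential first, then re-enable; never the other way round.
    new_password = generate_password()
    profile = {"password": new_password, "forceChangePasswordNextSignIn": True}
    client.request("PATCH", f"/users/{user_id}", {"passwordProfile": profile})
    client.request("PATCH", f"/users/{user_id}", {"accountEnabled": True})
    return {"removed_rules": removed, "new_password": new_password}


class FakeGraph(GraphClient):
    """Offline stand-in that records every call and serves the constructed sample rules."""

    def __init__(self, rules: list[dict]):
        self.rules = {r["id"]: r for r in rules}
        self.calls: list[tuple[str, str]] = []

    def request(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "GET" and path.endswith("/messageRules"):
            return {"value": list(self.rules.values())}
        if method == "DELETE":
            self.rules.pop(path.rsplit("/", 1)[-1])
        return {}


# Constructed sample: one benign rule, one external-forwarding rule, one delete-and-hide rule.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Newsletters", "actions": {"moveToFolder": "AAMk-news"}},
    {"id": "r2", "displayName": ".",
     "actions": {"forwardTo": [{"emailAddress": {"address": "x@attacker.example"}}]}},
    {"id": "r3", "displayName": "..", "conditions": {"subjectContains": ["invoice"]},
     "actions": {"markAsRead": True, "moveToFolder": "AAMk-rss", "delete": True}},
]


def demo() -> dict:
    """Run the sequence against the fake tenant and return results plus the call order."""
    client = FakeGraph(SAMPLE_RULES)
    result = remediate(client, "USER-OBJECT-ID-PLACEHOLDER", {"contoso.example"})
    result["calls"] = client.calls
    return result


if __name__ == "__main__":
    for method, path in demo()["calls"]:
        print(method, path)
```

Two design choices worth noting: sign-in is blocked before rules are enumerated, so the attacker cannot recreate a rule while you are removing them, and the account is re-enabled only after the new password is set, so there is no window in which the old credential works. The example also sets `forceChangePasswordNextSignIn`, so the password you read out to the user over the phone (as the page recommends) is a one-time credential rather than the user's long-term one.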

4. Mark as Remediated

Once all remediation steps are complete:

  1. Click “Mark as Remediated”
  2. This changes the incident status to “Remediated”
  3. The remediation panel will auto-hide for cleaner viewing

Post-Remediation

After remediation, the incident page remains available for:

  • Generating incident reports
  • Exporting data to share with clients
  • Reviewing the incident timeline and details
  • Further investigation if needed

You can always expand the remediation panel again if you need to review or modify any remediation actions taken.

The Demo Tenant (Acme Corp) is a phenomenal place to see all of this in action.