Remediating Compromised Accounts
When Petra detects a compromised account, it immediately appears as an active incident and notifies you via configured notification methods, such as your PSA, Teams chat, calls, or texts.Steps to Remediate an Account
- Navigate to the Dashboard by clicking the Petra logo in the top left corner. You can also go to the Incidents tab in the top navigation bar.
- The incident will appear in red. You can’t miss it.
-
In the incident detail view, you’ll see the Remediation Actions panel.
- If the account is actively compromised (unremediated), this panel is fully expanded and displays a prominent red button prompting immediate action.
-
Click Revoke Sessions and Lock Account. This will apply immediately, and works even with hybrid and on-prem synced M365 accounts.
After performing this action, Petra logs the exact time, which you can see as a confirmation checkmark in the Remediation Actions panel.
- Following the initial lockout, any auto-identified persistence mechanisms will also appear for 1-click disabling in the Remediation Actions Panel.
Automatic Remediation with Petra Response
If you have enabled Petra Response for a tenant, our security team is authorized to automatically handle critical remediation tasks for you, including:- Locking compromised accounts
- Revoking active sessions
- Disabling identified persistence mechanisms
- Retracting phishing emails from users’ inboxes
- Navigate to the Dashboard by clicking the Petra logo in the top left corner.
- Toggle Petra Response on the bottom tenant list to authorize or de-authorize the Petra team to take immediate action when an incident occurs.
Enabling Petra Response allows our team to remediate an incident, remove persistence mechanisms,
and retract phishing emails as soon as the incident occurs. We have an extremely low surfaced
false-alarm rate, so business disruption is minimal. We highly recommend that everyone enables
Petra Response.