Locking out the attacker

Remediating Compromised Accounts

You’ll only need to do this if Petra Response is disabled. Otherwise, a member of the Petra team will take care of it as soon as the incident occurs.

When Petra detects a compromised account, it immediately appears as an active incident and notifies you via configured notification methods, such as your PSA, Teams chat, calls, or texts.

Steps to Remediate an Account

  1. Navigate to the Dashboard by clicking the Petra logo in the top left corner. You can also go to the Incidents tab in the top navigation bar.

  2. The incident will appear in red. You can’t miss it.

  3. In the incident detail view, you’ll see the Remediation Actions panel.

    • If the account is actively compromised (unremediated), this panel is fully expanded and displays a prominent red button prompting immediate action.

  4. Click Revoke Sessions and Lock Account. This applies immediately and works even with hybrid and on-prem synced M365 accounts.

    After you perform this action, Petra logs the exact time, which appears with a confirmation checkmark in the Remediation Actions panel.

  5. Following the initial lockout, any auto-identified persistence mechanisms will also appear for 1-click disabling in the Remediation Actions panel.
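To confirm independently that the lockout in step 4 took effect in Entra ID, you can compare the user's session-validity timestamp with the time shown in the Remediation Actions panel. The following is an added example, not Petra's own code: `Test-LockoutState` is a hypothetical helper, the sample user is constructed, and it assumes that revoking sessions advances `signInSessionsValidFromDateTime` and that locking clears `accountEnabled`, which this page does not state.

```powershell
# Added example (not Petra code). Test-LockoutState is a hypothetical helper.
# Assumption: session revocation advances signInSessionsValidFromDateTime and
# the lock clears accountEnabled; the page does not describe the mechanism.
function Test-LockoutState {
    param(
        [Parameter(Mandatory)] $User,                      # Graph user object
        [Parameter(Mandatory)] [datetime] $RemediatedAtUtc, # time shown in the panel, as UTC
        [int] $SkewMinutes = 5                              # tolerance for clock differences
    )
    $validFrom = ([datetime]$User.SignInSessionsValidFromDateTime).ToUniversalTime()
    $threshold = $RemediatedAtUtc.ToUniversalTime().AddMinutes(-$SkewMinutes)
    [pscustomobject]@{
        UserPrincipalName    = $User.UserPrincipalName
        # Tokens issued before SessionsValidFromUtc are rejected by Entra ID.
        SessionsRevoked      = $validFrom -ge $threshold
        SessionsValidFromUtc = $validFrom
        AccountEnabled       = [bool]$User.AccountEnabled
        # For synced accounts, also confirm the state survives the next directory sync.
        OnPremSynced         = [bool]$User.OnPremisesSyncEnabled
    }
}

# Live lookup with the Microsoft Graph PowerShell SDK (needs User.Read.All):
#   Connect-MgGraph -Scopes 'User.Read.All'
#   $user = Get-MgUser -UserId 'user@example.com' -Property `
#     'userPrincipalName,accountEnabled,signInSessionsValidFromDateTime,onPremisesSyncEnabled'

# Constructed sample object so the check runs offline.
$utc  = [System.DateTimeKind]::Utc
$user = [pscustomobject]@{
    UserPrincipalName               = 'user@example.com'
    AccountEnabled                  = $false
    OnPremisesSyncEnabled           = $true
    SignInSessionsValidFromDateTime = [datetime]::new(2025, 1, 15, 14, 32, 10, $utc)
}
$remediatedAt = [datetime]::new(2025, 1, 15, 14, 32, 0, $utc)  # constructed panel time

$state = Test-LockoutState -User $user -RemediatedAtUtc $remediatedAt
$state | Format-List
if (-not $state.SessionsRevoked -or $state.AccountEnabled) {
    Write-Warning "Lockout not confirmed for $($state.UserPrincipalName); recheck the incident."
}
```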

Automatic Remediation with Petra Response

If you have enabled Petra Response for a tenant, our security team is authorized to automatically handle critical remediation tasks for you, including:

  • Locking compromised accounts
  • Revoking active sessions
  • Disabling identified persistence mechanisms
  • Retracting phishing emails from users’ inboxes

You can enable or disable Petra Response for specific tenants:

  • Navigate to the Dashboard by clicking the Petra logo in the top left corner.
  • Toggle Petra Response in the tenant list at the bottom to authorize or de-authorize the Petra team to take immediate action when an incident occurs.

Enabling Petra Response allows our team to remediate an incident, remove persistence mechanisms, and retract phishing emails as soon as the incident occurs. We have an extremely low surfaced false-alarm rate, so business disruption is minimal. We highly recommend that everyone enable Petra Response.