
Incident Response Runbook: Account Compromise

1. Identification

  • Triggers: Suspicious logins (Impossible travel, unfamiliar IP, unusual timing), Privileged Identity Management (PIM) alert, Defender for Identity alert, user reporting compromised credentials.
  • Immediate Action: Confirm if the behavior was authorized. Verify with the affected user out-of-band (e.g., Slack, phone).

2. Containment

  1. Revoke Active Sessions: Azure Portal > Microsoft Entra ID > Users > Select User > Revoke sessions.
  2. Reset Password: Enforce immediate password reset on next login.
  3. Block Sign-in (If necessary): If the threat is ongoing, block the account from signing in entirely until investigation is complete.
  4. Disable MFA Devices: Remove any unfamiliar authentication methods registered to the account.

3. Eradication & Investigation

  • Query SigninLogs in the Log Analytics workspace (replace the placeholder UPN; the projected columns give the source IP, geo-location, result code and client for each attempt):
    SigninLogs
    | where UserPrincipalName == "<user@domain.com>"
    | where TimeGenerated > ago(7d)
    | project TimeGenerated, IPAddress, Location, ResultType, AppDisplayName, UserAgent
    | order by TimeGenerated asc
  • Identify IP addresses and locations of the malicious logins.
  • Review AuditLogs for any administrative actions performed by the user in Azure AD (e.g., adding credentials to an app, modifying groups).
  • Review Azure Activity Logs to determine if the compromised user altered any Azure resources (e.g., VMs, Storage, Key Vaults).
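The "impossible travel" trigger from section 1 and the IP/location review in section 3 can be checked offline against an exported SigninLogs result set. The following is an added example, not part of the runbook or of any Microsoft tooling; it assumes rows have been flattened to UserPrincipalName, TimeGenerated (ISO 8601), IPAddress, ResultType, Latitude and Longitude, and the sample records and IP addresses below are constructed.

```python
import math
from datetime import datetime

# Anything faster than a long-haul airliner is treated as physically impossible.
MAX_SPEED_KMH = 1000.0
# Geo-IP is noisy inside a metro area, so ignore hops shorter than this.
MIN_DISTANCE_KM = 50.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (upn, earlier_ip, later_ip, speed_kmh) for consecutive successful
    sign-ins by the same user that would require travelling faster than
    max_speed_kmh. ResultType "0" is a successful sign-in; failures are skipped
    so a password-spray from abroad does not by itself produce a finding."""
    ok = [s for s in signins if s["ResultType"] == "0"]
    ok.sort(key=lambda s: (s["UserPrincipalName"], s["TimeGenerated"]))
    findings = []
    for prev, cur in zip(ok, ok[1:]):
        if prev["UserPrincipalName"] != cur["UserPrincipalName"]:
            continue
        km = haversine_km(prev["Latitude"], prev["Longitude"], cur["Latitude"], cur["Longitude"])
        if km < MIN_DISTANCE_KM:
            continue
        t0 = datetime.fromisoformat(prev["TimeGenerated"])
        t1 = datetime.fromisoformat(cur["TimeGenerated"])
        hours = (t1 - t0).total_seconds() / 3600.0
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            findings.append((cur["UserPrincipalName"], prev["IPAddress"], cur["IPAddress"], round(speed)))
    return findings

# Constructed sample: Dublin at 09:00, then a successful sign-in from Sao Paulo 40 minutes
# later, then a failed attempt (ignored). IPs are from the RFC 5737 documentation ranges.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "user@domain.com", "TimeGenerated": "2024-05-01T09:00:00+00:00",
     "IPAddress": "203.0.113.10", "ResultType": "0", "Latitude": 53.35, "Longitude": -6.26},
    {"UserPrincipalName": "user@domain.com", "TimeGenerated": "2024-05-01T09:40:00+00:00",
     "IPAddress": "198.51.100.25", "ResultType": "0", "Latitude": -23.55, "Longitude": -46.63},
    {"UserPrincipalName": "user@domain.com", "TimeGenerated": "2024-05-01T10:05:00+00:00",
     "IPAddress": "198.51.100.25", "ResultType": "50126", "Latitude": -23.55, "Longitude": -46.63},
]

if __name__ == "__main__":
    for upn, ip_a, ip_b, kmh in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{upn}: {ip_a} -> {ip_b} would require ~{kmh} km/h")
```

Each finding gives the IP pair to carry into the IP/location review and the Azure Activity Log check above; a single finding is a lead, not proof, so confirm with the user out-of-band as section 1 directs.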

4. Recovery

  • Unblock the account (if blocked) after securing credentials and verifying MFA methods.
  • Revert any unauthorized changes identified in the logs (e.g., remove malicious app credentials, revert modified RBAC assignments).
  • Monitor account activity closely for 72 hours.

5. Lessons Learned

  • Was MFA bypassed (e.g., MFA fatigue)? Consider enforcing phishing-resistant MFA (FIDO2 / Windows Hello) for this user.
  • Document timeline and update policies if needed.