Compromised User Account Response Skill
Structured workflow for responding to potentially compromised user accounts using the PICERL model.
Inputs
USER_ID- Username or email of the potentially compromised userCASE_ID- SOAR case ID for documentationALERT_GROUP_IDENTIFIERS- Alert group identifiers from SOAR- (Optional)
INITIAL_ALERT_DETAILS- Summary of triggering alert
Required Outputs
After completing each phase, you MUST report these outputs:
Identification Phase
| Output | Description |
|---|---|
AFFECTED_ACCOUNTS | User accounts confirmed or suspected compromised |
SUSPICIOUS_ACTIVITY | Summary of anomalous activity detected |
ACCESS_SCOPE | Systems/data the account had access to |
COMPROMISE_LIKELIHOOD | Assessment level: Low, Medium, High, Confirmed |
Containment Phase
| Output | Description |
|---|---|
DISABLED_ACCOUNTS | Accounts that were disabled |
RESET_PASSWORDS | Accounts with passwords reset |
REVOKED_SESSIONS | Sessions terminated |
Eradication Phase
| Output | Description |
|---|---|
REMOVED_PERSISTENCE | Persistence mechanisms removed (forwarding rules, OAuth apps, etc.) |
CLEANED_ENDPOINTS | Associated endpoints verified clean |
Recovery Phase
| Output | Description |
|---|---|
RESTORED_ACCOUNTS | Accounts re-enabled with new security controls |
USER_NOTIFICATIONS | Users notified of incident and required actions |
PICERL Phases
Phase 2: Identification
Step 2.1: Get Context
secops-soar.get_case_full_details(case_id=CASE_ID)
Use /check-duplicates.
Step 2.2: Gather Initial Context
SIEM entity lookup:
secops-mcp.lookup_entity(entity_value=USER_ID)
(If IDP tools available):
- Account status
- Recent logins
- MFA configuration
- Password last changed
Step 2.3: Analyze User Activity
Search SIEM for last 96 hours:
secops-mcp.search_security_events(
text="All activity for USER_ID",
hours_back=96
)
Look for:
- Anomalous logins: Unusual locations, times, IPs, user agents
- Suspicious commands: On associated endpoints
- Sensitive access: Files, applications, databases
- Lateral movement: Logins to other systems
- Data exfiltration: Large transfers, unusual destinations
- Account changes: MFA, recovery email, forwarding rules
- OAuth grants: New application authorizations
Step 2.4: Check Related Cases
Use /find-relevant-case with [USER_ID].
Step 2.5: Assess Compromise Likelihood
| Level | Indicators |
|---|---|
| Low | Single anomalous event, user confirms legitimate |
| Medium | Multiple anomalies, unverified |
| High | Clear malicious activity patterns |
| Confirmed | Known credential theft, attacker actions visible |
Document: COMPROMISE_LIKELIHOOD
Step 2.6: Document Identification
Use /document-in-case with findings and assessment.
Phase 3: Containment
Step 3.1: Confirm Containment Actions
Based on COMPROMISE_LIKELIHOOD, use /confirm-action:
High/Confirmed:
"Disable account [USER_ID] immediately?"
Medium:
"Reset password and terminate sessions for [USER_ID]?"
Low:
"Force MFA re-enrollment for [USER_ID]?"
Step 3.2: Execute Containment
(Requires Identity Provider tools)
Actions by severity:
- Disable account: Immediate lockout
- Reset password: Force change on next login
- Terminate sessions: Invalidate all active sessions
- Revoke tokens: OAuth and API tokens
Step 3.3: Verify Containment
Monitor for continued activity:
secops-mcp.search_security_events(
text="Activity from USER_ID after containment",
hours_back=1
)
Use /document-in-case with containment status.
Phase 4: Eradication
Step 4.1: Investigate Attacker Actions
Thoroughly review what the attacker did while in the account:
secops-mcp.search_security_events(
text="All actions by USER_ID during compromise window",
hours_back=96
)
Focus on:
- Emails: Sent, received, forwarding rules created
- Data access: Files downloaded, shared externally
- Configuration: Account settings changed
- OAuth apps: New authorizations
- Lateral movement: Other systems accessed
Step 4.2: Check for Persistence
(Requires email/cloud platform tools)
Look for:
- Email forwarding rules to external addresses
- Delegate access grants
- Malicious OAuth applications
- Inbox rules that hide attacker activity
- Recovery email/phone changes
Step 4.3: Remove Persistence
Delete/revoke all identified persistence:
- Remove forwarding rules
- Revoke OAuth apps
- Remove delegate access
- Reset recovery options
Step 4.4: Endpoint Investigation
If account accessed specific endpoints:
Trigger endpoint triage to check for:
- Malware dropped
- Persistence mechanisms
- Credential caching
Use /document-in-case with eradication findings.
Phase 5: Recovery
Step 5.1: Ensure Threat Removed
Verify:
- All persistence removed
- Associated endpoints clean
- No ongoing attacker access
Step 5.2: Secure Account
- Strong password set
- MFA properly configured (hardware key preferred)
- Recovery options secured
- Review account permissions
Step 5.3: Re-enable Account
(If disabled during containment)
Re-enable with:
- Password change required on first login
- MFA verification required
Step 5.4: Communicate with User
Inform the user:
- What happened (appropriate level of detail)
- Actions taken on their account
- Steps they need to take
- Warning signs to watch for
- How to report suspicious activity
Step 5.5: Monitor Account
Enhanced monitoring for 30 days:
- Watch for anomalous activity
- Alert on unusual logins
- Track sensitive data access
Use /document-in-case with recovery status.
Phase 6: Lessons Learned
Use /generate-report with:
- Initial access vector (if determined)
- Attacker actions during compromise
- Data potentially exposed
- Response timeline
- Recommendations
Review:
- How was compromise detected?
- Was MFA bypassed? How?
- What data was at risk?
- What detections should be added/tuned?
Critical Warnings
- DO NOT execute containment without analyst confirmation
- DO NOT re-enable without checking for persistence
- MUST document all findings in SOAR
- ALWAYS check for forwarding rules and OAuth apps
Containment Decision Matrix
| Likelihood | Disable Account | Reset Password | Terminate Sessions |
|---|---|---|---|
| Confirmed | ✅ Immediate | ✅ | ✅ |
| High | ✅ Recommended | ✅ | ✅ |
| Medium | Consider | ✅ | ✅ |
| Low | No | Consider | Consider |
Common Persistence Mechanisms
| Mechanism | Where to Check |
|---|---|
| Email forwarding | Mail rules |
| Delegate access | Mailbox permissions |
| OAuth apps | Connected applications |
| Inbox rules | Mail filters |
| Recovery options | Account settings |
| API tokens | Developer settings |