Darkmon - Compromised Account Response
Incident-type playbook for 'Darkmon Compromised Credential' (and similar). Identifies the user via the configured directory, suspends, forces a password reset, revokes active sessions, and notifies SOC + the user.
Darkmon · 9 tasks · 1 input · 0 outputs
Inputs
AutoDisable— When true, the playbook proceeds straight to the disable + password-reset + revoke-sessions sequence without an analyst approval task. Defaults to false. Accounts in the Darkmon - Auto-Disable Allowlist are never auto-disabled regardless of this input.