Darkmon - Compromised Account Response

Incident-type playbook for 'Darkmon Compromised Credential' (and similar). Identifies the user via the configured directory, suspends, forces a password reset, revokes active sessions, and notifies SOC + the user.

Darkmon · 9 tasks · 1 input · 0 outputs

Inputs

  • AutoDisable — When true, the playbook proceeds straight to the disable + password-reset + revoke-sessions sequence without an analyst approval task. Defaults to false. Accounts in the Darkmon - Auto-Disable Allowlist are never auto-disabled regardless of this input.

Flowchart

yes yes Start Start Disable account - Darkmon - Generic User Action Disable account Darkmon - Generic User Action Force password reset - Darkmon - Generic User Action Force password reset Darkmon - Generic User Action Revoke active sessions - Darkmon - Generic User Action Revoke active sessions Darkmon - Generic User Action Notify SOC + user - Darkmon - Generic Notify Notify SOC + user Darkmon - Generic Notify Done Done Generate new password Generate new password Auto-disable enabled? Auto-disable enabled? Analyst approval to disable account? Analyst approval to disab...