You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?
- A. Disable the user's account
  Why wrong: The user clicked a link but no compromise is confirmed; disabling is too aggressive without evidence.
- B. Revoke the user's active sessions
  Why wrong: Revoking sessions is for token theft, which is not indicated here.
- C. Reset the user's password
  Why wrong: Password reset is for confirmed credential compromise; here only a link was clicked.
- D. Block the malicious domain on the firewall
  Correct: Blocking the domain prevents further access to the malicious site, containing the threat.