Skip to main content Link Menu Expand (external link) Document Search Copy Copied
TechWorkshop L300 XDR SOC Operations

Task 04: Identity session revoke and SaaS download block

Security Architecture Team

  1. Approve temporary account containment, whether disabling the account or revoking their sign-in session.

  2. Approve session controls, like blocking downloads, for impacted users.

Security Engineering and Administration

  1. At this point, you could revoke Lab User One’s sign in session and disable their account temporarily.

    Do not perform. In the SOC Analyst’s tasks, you’ll sign in with Lab User One to observe what the end user would see, following the SoftDelete purge.

  2. You could then block downloads in a sanctioned app. There’s a session policy already created in a prior exercise to do this.

SOC Analyst

From here, as the SOC Analyst, you could:

  1. Attempt to access a SharePoint Online document to confirm the block.

  2. Navigate to Incidents, then add comments for:

    • User sessions revoked
    • Session policy applied (Blocked Downloads)

  3. Add closing notes:

    • First action time
    • Total time to contain
    • Any user impact observed