# Compromise Remediation

Upon page load, CIPP will run an analysis on the user to identify common Indicators of Compromise (IoC). Once that analysis is returned, review the information presented and determine if the user has been compromised. The analysis performs the checks listed in the table below. A green check will indicate that information was found for the check and needs review.

{% hint style="warning" %}
Note: This page is intended to surface information that should be reviewed when a compromise is suspected. The existence of information in one of the indicators should not be interpreted as an absolute sign of compromise but rather as a useful tool to help quickly surface the basic information that should be reviewed during your investigation.
{% endhint %}

## Indicators of Compromise Checks

| Check                      | Description                                                                                                               | Where to Dig Deeper?                                                                                                            |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Mailbox Rules              | This will present any mailbox rules found for the client.                                                                 | [Mailbox Rules](/user-documentation/email/administration/mailbox-rules.md)                                                      |
| Recently added users       | This will display any newly created users in the tenant.                                                                  | [Users](/user-documentation/identity/administration/users.md)                                                                   |
| New Applications           | This will display any newly registered enterprise applications.                                                           | [Applications](/user-documentation/endpoint/applications.md)                                                                    |
| Mailbox permission changes | This will identify any suspicious mailbox permission changes.                                                             | [Mailboxes](/user-documentation/email/administration/mailboxes.md) and review the indicated mailboxes for the permissions data. |
| MFA Devices                | This will identify any MFA devices for review, including the type of device and the datetime when it was registered.      |                                                                                                                                 |
| Password Changes           | This will display any recent password changes for the tenant.                                                             |                                                                                                                                 |

## Actions

| Action             | Description                                                                                                                                                                     |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Refresh Data       | This will refresh the analysis for the user and update the Indicators of Compromise checks.                                                                                     |
| Remediate User     | This action will block user sign-in, reset the user's password, disconnect all current sessions, remove all MFA methods for the user, and disable all inbox rules for the user. |
| Generate PDF Report | Generates a PDF of the report data, including helpful data points on user education.                                                                                            |
| Download JSON      | This will download a JSON file for the checks completed in the analysis.                                                                                                        |

***

## Feature Requests / Ideas

We value your feedback and ideas. Please raise any [feature requests](https://github.com/KelvinTegelaar/CIPP/issues/new?template=feature.yml) on GitHub.

