Security Template: configurable per customer

Suspicious Sign-In Investigation

Pull a user's recent sign-in activity into one summary card and offer an approval-gated containment action, fully audited.

Integrates with

Entra ID, Okta

The problem

When a sign-in looks off, triage means digging through logs across the identity provider, correlating locations and devices, then deciding whether to act. Under time pressure, that work is inconsistent from one analyst to the next.

What AscendCore does

An admin runs the investigation on a user from Slack or Teams. AscendCore pulls recent sign-ins (locations, devices, risk signals) into one card and offers an approval-gated containment action. The investigation and any action are recorded in the audit chain.

Status

Template. The signals surfaced and containment options are configurable per customer. Connect it to your Entra ID or Okta tenant to enable.

Runbook source preview

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do. Chat is just the interface that triggers it.

name: suspicious-signin-investigation
trigger:
  channels: [slack, teams]
  command: investigate-signins
steps:
  - resolve_target_user
  - pull_recent_signins        # locations, devices, risk
  - render_summary_card
  - admin_approval             # optional containment
  - contain_if_approved
approval:
  required: true
  approvers: [it-admins, sec-team]
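
A pre-merge check a reviewer could run on the manifest above, as an added example that is not AscendCore's own code: it confirms containment is only reachable behind the approval step and computes a digest for pinning the reviewed version. The function names, the dict form of the manifest, and the SHA-256 digest are assumptions made for illustration, not a description of how AscendCore's audit chain works.

```python
import hashlib
import json

# Constructed input: the manifest from the page, written as the dict a YAML
# parser would return for it.
MANIFEST = {
    "name": "suspicious-signin-investigation",
    "trigger": {"channels": ["slack", "teams"], "command": "investigate-signins"},
    "steps": ["resolve_target_user", "pull_recent_signins", "render_summary_card",
              "admin_approval", "contain_if_approved"],
    "approval": {"required": True, "approvers": ["it-admins", "sec-team"]},
}

# Assumption: which step changes account state and which step gates it.
CONTAINMENT_STEPS = {"contain_if_approved"}
APPROVAL_STEP = "admin_approval"


def lint_manifest(manifest):
    """Return a list of findings; an empty list means the approval gate holds."""
    findings = []
    steps = manifest.get("steps") or []
    approval = manifest.get("approval") or {}
    gate = steps.index(APPROVAL_STEP) if APPROVAL_STEP in steps else None
    for pos, step in enumerate(steps):
        # Containment must come after the approval step in execution order.
        if step in CONTAINMENT_STEPS and (gate is None or gate > pos):
            findings.append(f"step '{step}' runs without a preceding {APPROVAL_STEP}")
    if any(s in CONTAINMENT_STEPS for s in steps):
        if approval.get("required") is not True:
            findings.append("approval.required must be true when containment is present")
        if not approval.get("approvers"):
            findings.append("approval.approvers must name at least one group")
    return findings


def manifest_digest(manifest):
    """SHA-256 over canonical JSON, so the reviewed version can be pinned."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(lint_manifest(MANIFEST) or "ok", manifest_digest(MANIFEST))
```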

Want this runbook?

Configure suspicious sign-in investigation for your environment

Templates are configurable per customer environment. Talk to us about the specific systems and approval flow you need.