Evidence Spans Multiple Clouds and On-Premises
The incident crosses two or more cloud providers (AWS, Azure, GCP) and/or on-premises infrastructure. Each environment has its own evidence formats, timestamp conventions, retention policies, and access paths. Investigation time is lost to normalizing evidence and aligning timelines rather than to analysis.
Signals
- Attacker identity or activity observed across two or more cloud providers
- Evidence trails in AWS CloudTrail, Azure Activity Log, and GCP Cloud Audit Logs at the same time
- Federated identity (Okta, Entra ID, Ping) links cloud sessions that look unrelated within any single provider
Pivot Actions
1. Normalize timestamps to UTC across all providers immediately; time-zone drift kills cross-cloud correlation. Providers also differ in precision (Azure writes seven fractional-second digits, GCP up to nine), and on-premises logs often carry local time with no offset, so record the zone you assumed for those rather than guessing silently.
2. Use the federated identity provider as the anchor: Okta System Log and Entra ID sign-in logs tie together sessions that look disconnected per cloud.
3. Standardize IoC vocabulary across sources: IPs, user agents, session IDs, device fingerprints, access-key IDs and their prefixes (AWS), session and correlation IDs (Entra ID sign-in logs), principal email (GCP). Lower-case identities before matching; the same user appears as a UPN in Azure, as the RoleSessionName of an assumed role in CloudTrail, and as principalEmail in GCP.
4. Build a single unified timeline in the SIEM or a forensic timeline tool (Timesketch, log2timeline/Plaso); avoid per-analyst spreadsheets, which diverge.
5. Engage each cloud provider's forensic/support team in parallel rather than sequentially; their initial-response SLAs run concurrently, so serial engagement simply adds them up.
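The pivot actions above, carried through on constructed sample records, as an added example (not code from the original page and not any vendor's tooling): an Okta System Log entry, three CloudTrail records, an Azure Activity Log record, a GCP Cloud Audit Logs entry and an on-premises VPN syslog line are normalized to UTC and to one schema, then the identity seen by the IdP is used as the anchor and its source IPs as the secondary pivot. Field names follow the real CloudTrail, Azure Monitor activity-log export, GCP AuditLog and Okta System Log schemas; the sample values, the VPN line format, and the assumption that the AWS SAML integration sets RoleSessionName to the user's email are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    """One row of the unified timeline; ts is always a tz-aware UTC datetime."""
    ts: datetime
    provider: str
    actor: str      # lower-cased email/UPN/user name so one person matches across clouds
    src_ip: str
    action: str
    session: str    # IdP external session id when the source carries one, else ""
    raw: dict = field(compare=False, repr=False)


_FRAC = re.compile(r"(\.\d{1,6})\d*")


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601/RFC 3339 string to a tz-aware UTC datetime.
    Accepts 'Z' or explicit offsets and truncates sub-microsecond fractions (Azure
    writes 7 digits, GCP up to 9) that datetime.fromisoformat does not accept on
    older Python versions. A naive timestamp is an error: never guess the zone."""
    s = ts.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    s = _FRAC.sub(r"\1", s)
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp, zone unknown: {ts!r}")
    return dt.astimezone(timezone.utc)


def from_okta(rec: dict) -> Event:
    """Okta System Log entry: the cross-cloud anchor."""
    return Event(to_utc(rec["published"]), "okta", rec["actor"]["alternateId"].lower(),
                 rec.get("client", {}).get("ipAddress", ""), rec["eventType"],
                 rec.get("authenticationContext", {}).get("externalSessionId", ""), rec)


def from_cloudtrail(rec: dict) -> Event:
    """CloudTrail record. Assumption for this example: RoleSessionName is the user's
    email, so the last ARN segment of an assumed-role session names the federated user."""
    ident = rec["userIdentity"]
    arn = ident.get("arn", "")
    actor = arn.rsplit("/", 1)[-1] if ":assumed-role/" in arn else ident.get("userName", arn)
    return Event(to_utc(rec["eventTime"]), "aws", actor.lower(), rec.get("sourceIPAddress", ""),
                 f'{rec["eventSource"]}:{rec["eventName"]}', "", rec)


def from_azure_activity(rec: dict) -> Event:
    """Azure Activity Log record in the Azure Monitor export schema."""
    claims = rec.get("identity", {}).get("claims", {})
    upn = claims.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", rec.get("caller", ""))
    return Event(to_utc(rec["time"]), "azure", upn.lower(), rec.get("callerIpAddress", ""),
                 rec["operationName"], "", rec)


def from_gcp_audit(rec: dict) -> Event:
    """GCP Cloud Audit Logs entry with an AuditLog protoPayload."""
    p = rec["protoPayload"]
    return Event(to_utc(rec["timestamp"]), "gcp", p["authenticationInfo"]["principalEmail"].lower(),
                 p.get("requestMetadata", {}).get("callerIp", ""),
                 f'{p["serviceName"]}:{p["methodName"]}', "", rec)


_VPN = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+ user=(?P<user>\S+) src=(?P<ip>\S+) action=(?P<act>\S+)$")


def from_onprem_vpn(line: str) -> Event:
    """Constructed on-prem VPN syslog format; its timestamp carries a local offset."""
    m = _VPN.match(line)
    if not m:
        raise ValueError(f"unparsed VPN line: {line!r}")
    return Event(to_utc(m["ts"]), "onprem", m["user"].lower(), m["ip"], f'{m["host"]}:{m["act"]}', "", {"line": line})


# Constructed sample records: one federated user across IdP, on-prem and three clouds,
# one unrelated AWS user, and a newly created IAM user driven from the same attacker IP.
OKTA = [{"published": "2024-05-01T12:30:00.000Z", "eventType": "user.session.start",
         "actor": {"type": "User", "alternateId": "Alice@Example.com"}, "client": {"ipAddress": "203.0.113.5"},
         "authenticationContext": {"externalSessionId": "102abcDEF"}}]
CLOUDTRAIL = [
    {"eventTime": "2024-05-01T12:34:56Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1234",
     "arn": "arn:aws:sts::123456789012:assumed-role/OktaAdmin/alice@example.com"}},
    {"eventTime": "2024-05-01T12:36:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "userName": "bob",
     "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T12:50:10Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
     "arn": "arn:aws:iam::123456789012:user/backup-svc", "accessKeyId": "AKIAEXAMPLE5678"}},
]
AZURE = [{"time": "2024-05-01T12:40:12.1234567Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
          "callerIpAddress": "203.0.113.5", "correlationId": "11111111-2222-3333-4444-555555555555",
          "identity": {"claims": {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "alice@example.com"}}}]
GCP = [{"timestamp": "2024-05-01T12:45:00.123456789Z", "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.5"}}}]
VPN = ["2024-05-01T08:25:00-04:00 vpn01 sslvpn: user=alice@example.com src=203.0.113.5 action=tunnel-up"]


def build_timeline() -> list[Event]:
    """Normalize every source to Event and order the union by UTC time."""
    events = ([from_okta(r) for r in OKTA] + [from_cloudtrail(r) for r in CLOUDTRAIL]
              + [from_azure_activity(r) for r in AZURE] + [from_gcp_audit(r) for r in GCP]
              + [from_onprem_vpn(l) for l in VPN])
    return sorted(events, key=lambda e: (e.ts, e.provider))


def pivot_on_identity(timeline: list[Event], anchor_actor: str) -> list[Event]:
    """Start from the IdP-level identity, then widen by the source IPs it used so activity
    under a different principal from the same IP (the new IAM user) lands on the same timeline."""
    anchor = anchor_actor.lower()
    direct = [e for e in timeline if e.actor == anchor]
    ips = {e.src_ip for e in direct if e.src_ip}
    linked = [e for e in timeline if e.actor != anchor and e.src_ip in ips]
    return sorted(direct + linked, key=lambda e: e.ts)


if __name__ == "__main__":
    for e in pivot_on_identity(build_timeline(), "alice@example.com"):
        print(e.ts.isoformat(), f"{e.provider:6}", e.src_ip, e.actor, e.action, e.session)
```

Run as written, the output is one UTC-ordered timeline that starts with the VPN tunnel (logged as 08:25 local, 12:25Z) and ends with the backup-svc ListBuckets call, which no per-identity search would have pulled in; bob's DescribeInstances from a different IP stays out. The refusal to accept naive timestamps is deliberate: silently defaulting an on-prem log to UTC is exactly how events end up hours out of place on the unified timeline.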
Alternate Evidence Sources
- Identity-provider logs (Okta System Log, Entra ID sign-in logs, PingOne audit) as the cross-cloud anchor
- Each cloud provider's native audit trail (CloudTrail, Azure Activity Log, GCP Cloud Audit Logs)
- SIEM with multi-cloud connectors (Microsoft Sentinel, Splunk, Chronicle) for cross-provider correlation
- CASB, SSPM and CNAPP platforms (Netskope, Adaptive Shield, Wiz) that normalize multi-cloud data