SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
Signals
- Slack Audit Logs, Google Workspace audit data sources, Okta System Log access, or GitHub enterprise audit scope are missing or unavailable for the tenant in scope
- The responder account can view basic admin dashboards but cannot export the required logs or historical activity
- Tenant documentation or vendor support confirms the current plan does not include the needed audit surface or retention depth
Pivot Actions
1. Preserve proof of the gap itself by capturing plan details, admin-role assignments, and the exact audit surfaces that were or were not available during the incident
2. Pull compensating evidence from the upstream identity provider, SIEM, endpoint telemetry, email records, or cloud-provider logs that still bound the actor activity
3. Engage the SaaS owner and vendor support immediately to request temporary elevated access, expedited export help, or historical recovery if contractually available
4. Record the missing SaaS visibility as a formal investigation limitation and create a post-incident remediation owner for licensing and enablement changes
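An added worked example (not part of this playbook) of pivot actions 2 and 4: given a constructed set of compensating events and a record of which native audit surfaces were unavailable, it bounds the actor's activity window and produces a per-platform limitation report that names the compensating sources still covering each gap. Event fields, source names and the unavailability reasons are all illustrative assumptions.

```python
from datetime import datetime

# Constructed sample evidence (not real data): SIEM copies streamed before the
# incident, IdP logs and endpoint telemetry. Each event names the SaaS platform
# it gives visibility into, so gaps can be matched against compensating sources.
EVENTS = [
    {"ts": "2024-05-01T08:02:00Z", "source": "okta_system_log", "platform": "slack",
     "actor": "jdoe", "action": "sso.login"},
    {"ts": "2024-05-01T08:05:30Z", "source": "siem_gws_copy", "platform": "google_workspace",
     "actor": "jdoe", "action": "drive.download"},
    {"ts": "2024-05-01T09:41:10Z", "source": "endpoint_edr", "platform": "github",
     "actor": "jdoe", "action": "git clone"},
    {"ts": "2024-05-01T10:15:00Z", "source": "okta_system_log", "platform": "okta",
     "actor": "jdoe", "action": "session.end"},
]

# Native audit surfaces the investigation needs, keyed by platform, with the
# availability observed for the tenant (reasons are illustrative, per action 1).
SURFACES = {
    "slack": {"available": False, "reason": "plan tier does not include Audit Logs"},
    "google_workspace": {"available": False, "reason": "retention depth not licensed"},
    "github": {"available": False, "reason": "responder lacks enterprise audit role"},
    "okta": {"available": True, "reason": None},
}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def bound_actor_activity(events, actor):
    """Earliest and latest evidence of the actor across all compensating sources."""
    times = sorted(_parse(e["ts"]) for e in events if e["actor"] == actor)
    return (times[0], times[-1]) if times else None

def coverage_report(events, surfaces):
    """For each unavailable native audit surface, list the compensating sources
    that still show activity on that platform, and flag platforms with none."""
    report = {}
    for platform, state in surfaces.items():
        if state["available"]:
            continue
        compensating = sorted({e["source"] for e in events if e["platform"] == platform})
        report[platform] = {
            "limitation": state["reason"],           # formal limitation (action 4)
            "compensating_sources": compensating,    # what still bounds activity
            "no_coverage": not compensating,         # true blind spot
        }
    return report
```

A platform whose entry shows `no_coverage` is a genuine blind spot and should be recorded as such rather than silently absorbed into the timeline.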
Alternate Evidence Sources
- SIEM copies of Google Workspace, Slack, Okta, or GitHub events that were streamed before the incident
- Identity-provider, email, proxy, and endpoint evidence that still shows downstream use of the compromised SaaS account
- Admin screenshots, export job metadata, and vendor support responses documenting the scope of the gap