Cloud & Identity Compromise

Unauthorized access to cloud infrastructure or identity provider through stolen tokens, OAuth abuse, or misconfigured access policies.

Triage

3 procedures
P1

Bound the Investigation Timeframe

~30 min
P1

Identify Patient Zero (First Compromised System)

~60 min
P2

Validate the Initial Access Vector

~45 min

Containment

2 procedures
P1

Credential and Account Lockdown

~45 min
P1

Revoke Cloud Sessions and Tokens

~30 min
Sponsored

Preservation

4 procedures
P1

Volatile Memory Capture

~60 min
P1

Log Preservation and Snapshot

~45 min
P2

Document Chain of Custody for All Collected Evidence

~30 min
P2

Cloud Tenant Configuration Snapshot

~60 min

Collection

5 procedures
P2

EDR Telemetry Collection

~120 min
P2

M365 Unified Audit Log Collection

~90 min
P2

Azure AD Sign-In and Audit Log Collection

~60 min
P2

Identify Alternative Evidence When Primary Logs Are Missing

~60 min
P3

Coordinate Log Collection from Third-Party Vendors

~120 min

Analysis

3 procedures
P1

Lateral Movement Analysis and Mapping

~120 min
P2

Detect OAuth and Consent Phishing Abuse

~60 min
P2

Investigate Mailbox Rule Modifications

~45 min

Eradication

4 procedures
P1

Mass Credential Reset and Session Invalidation

~90 min
P1

Comprehensive Persistence Mechanism Sweep

~120 min
P1

Eradication Verification Checklist

~90 min
P2

Post-Incident Configuration Hardening

~180 min

Recovery

1 procedure
P2

Phased Service Restoration with Enhanced Monitoring

~120 min

Post-Incident Review

4 procedures
P2

Create New Detection Rules Based on Incident Findings

~90 min
P2

Generate Comprehensive Incident Report

~180 min
P2

Review Cloud Hardening Gaps After Identity Compromise

~75 min
P3

Conduct Lessons Learned Review Session

~120 min