Azure AD (Entra ID) Sign-in Logs

Validate the Initial Access Vector

triage

Credential and Account Lockdown

contain

M365 Unified Audit Log Collection

collect

Azure AD Sign-In and Audit Log Collection

collect

Revoke Cloud Sessions and Tokens

contain

Mass Credential Reset and Session Invalidation

eradicate

Covert Evidence Capture for Insider Threat

preserve

Phishing Artifact Collection: Headers, URLs, Attachments

collect

Phishing Campaign Scope and Credential Exposure

analyze

Analyze Cloud IAM Privilege Escalation

analyze

M365/Azure Logs Past Retention Period

Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.

Unknown Scope of Credential Compromise

One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.

Attacker Using VPN/Tor -- Cannot Determine True Origin

The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.

Suspected Insider Still Has Access -- Investigation Must Be Covert

The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.

Exploitation of Unknown or Unpatched Vulnerability

The initial access vector appears to be a zero-day or otherwise unpatched vulnerability with no public advisory, CVE, or patch available. Signature-based detection misses the exploit; response must pivot to behavioral hunting, exploit-chain hypothesis, and vendor/CERT coordination to accelerate disclosure and mitigation.

Legal Requesting Preservation Conflicts with Containment

Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.

Regulatory Notification Deadline Approaching

A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.

Incident Responder Credentials Compromised

The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.

Shared Cloud Environment Complicates Isolation

The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.

Evidence Spans Multiple Jurisdictions with Conflicting Laws

Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.

SaaS Audit Logging Not Enabled or Not Licensed

The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.

SaaS Audit Retention Expired Before Collection

The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.

Serverless Workload Cannot Host EDR Agent

The compromised workload is serverless (AWS Lambda, GCP Cloud Functions, Azure Functions, Cloudflare Workers) and cannot host a traditional EDR agent. Execution environments are ephemeral and container-isolated; evidence must come from cloud-provider execution logs, function code/config, trigger/event sources, and attached IAM role activity.

Evidence Spans Multiple Clouds and On-Premises

The incident crosses two or more cloud providers (AWS, Azure, GCP) and/or on-premises infrastructure. Each environment has different evidence formats, retention policies, and access patterns. Investigation time is lost to evidence-normalization and timeline-alignment rather than analysis.

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical