Post-Incident ReviewP2~75 min

Review Cloud Hardening Gaps After Identity Compromise

Review identity-plane and cloud-control-plane weaknesses that allowed attacker persistence or tenant abuse, including conditional access, service principals, OAuth grants, and AKS control-plane visibility.

Actions

1
Document every tenant control that failed or was bypassed: MFA coverage gaps, weak conditional access scoping, stale break-glass accounts, excessive app consent, and unmanaged workload identities.
2
Review all service principals, managed identities, and OAuth grants touched during the incident. Remove unnecessary permissions and add monitoring for privileged credential changes.
3
Assess Azure infrastructure logging coverage, including AKS diagnostic settings, Kubernetes audit retention, resource-level activity logs, and ACR access telemetry.
4
Define a hardening backlog for conditional access, application governance, workload identity restrictions, and cloud admin break-glass procedures.

Queries

AuditLogs | where TimeGenerated > ago(30d) | where OperationName has_any ("Add service principal credentials", "Consent to application", "Add member to role") | project TimeGenerated, OperationName, InitiatedBy, TargetResources

AzureActivity | where TimeGenerated > ago(30d) | where ResourceProvider has "Microsoft.ContainerService" or ResourceProvider has "Microsoft.ContainerRegistry" | summarize count() by OperationNameValue, Caller, ResourceGroup

Notes

Cloud hardening reviews should include workload identity and cluster control-plane telemetry, not just user account abuse.

If AKS or container services are in scope, missing audit settings are evidence gaps that need explicit remediation owners.

Where to Go Next

Turn cloud findings into new detections

Improve cloud detections

Capture the cloud hardening decisions

Update the incident report

Related Resources

Artifacts

Azure AD (Entra ID) Audit LogsAzure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)Conditional Access Policy LogsAzure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab Service Principal & App Registration ActivityAzure Portal > Entra ID > App registrations and Enterprise applications > Audit logs (or Microsoft Graph API)Azure Kubernetes Service (AKS) Activity LogsAzure Portal > Monitor > Activity Log filtered to Microsoft.ContainerService/managedClusters AKS Kubernetes Audit LogsAzure Monitor diagnostic settings for AKS (categories: kube-audit, kube-audit-admin)AWS CloudTrail Management EventsAWS CloudTrail > Event history (last 90 days) or trail delivery in S3 / CloudWatch Logs AWS IAM Credential Report & Access Key MetadataAWS IAM > Credential report plus IAM API responses for users and access keys Amazon EKS Control Plane LogsCloudWatch Logs group /aws/eks/<cluster>/cluster for api, controllerManager, and scheduler log types Amazon EKS Kubernetes Audit LogsCloudWatch Logs group /aws/eks/<cluster>/cluster log type: audit Amazon ECR CloudTrail and Registry EventsCloudTrail events for ecr.amazonaws.com plus repository and image metadata from ECR APIs Google Workspace Admin Audit EventsGoogle Admin Console > Reporting > Audit and investigation > Admin log events Google Workspace OAuth Token and App Access Audit EventsGoogle Admin Console > Reporting > Audit and investigation > OAuth log events Google Cloud Audit LogsGoogle Cloud Logging > Logs Explorer > cloudaudit.googleapis.com/*Google Kubernetes Engine Audit LogsCloud Logging > GKE cluster audit streams and Kubernetes API audit entries Okta System LogOkta Admin Console > Reports > System Log or Okta System Log API Slack Audit LogsSlack Admin > Audit Logs or Slack Audit Logs API GitHub Enterprise Audit Log EventsGitHub Enterprise or organization audit log UI and REST API

Common Blockers

Cloud or Container Logging Coverage Missing SaaS Audit Logging Not Enabled or Not Licensed SaaS Audit Retention Expired Before Collection