This is the first post in a multi-part series documenting a cloud incident response engagement.
The Alert
It started with an anomalous sign-in alert from Entra ID. A service principal was authenticating from an IP range that didn’t match any known infrastructure.
First Steps
# Confirm the service principal's identity, then pull the Azure activity-log entries it
# initiated since the alert window (control-plane operations; Entra sign-in events are
# a separate log and are not returned by this command)
az ad sp show --id <app-id>
az monitor activity-log list --caller <app-id> --start-time 2026-01-08
Scoping the Blast Radius
# Check what resources the compromised identity could access
Get-AzRoleAssignment -ServicePrincipalName <app-id> |
Select-Object RoleDefinitionName, Scope
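As an added example (not the post's own tooling), the Python script below works over the two kinds of output gathered in the steps above: role assignments in the shape of `az role assignment list --assignee <app-id> --all -o json`, and activity-log entries in the shape of `az monitor activity-log list --caller <app-id> -o json`. Both sample inputs, the known egress range and the high-privilege role list are constructed assumptions; the field names follow the Azure schemas as I know them, so check them against real output. It summarizes the blast radius (distinct subscriptions, Key Vaults in scope, high-privilege roles) and flags activity from IPs outside the known ranges, which is the pattern that tripped the alert.

```python
import ipaddress
import json
import re

# Constructed: egress ranges of known infrastructure; any other source IP is "unknown origin".
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed list of roles that can read secrets or change access; treated as high privilege.
HIGH_PRIV_ROLES = {
    "Owner", "Contributor", "User Access Administrator",
    "Key Vault Administrator", "Key Vault Secrets Officer", "Key Vault Secrets User",
}

# Constructed sample in the shape of `az role assignment list --assignee <app-id> --all -o json`.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Reader", "scope": "/subscriptions/aaaa-1111"},
  {"roleDefinitionName": "Contributor", "scope": "/subscriptions/bbbb-2222/resourceGroups/rg-app"},
  {"roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/cccc-3333/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-prod-db"}
]""")

# Constructed sample in the shape of `az monitor activity-log list --caller <app-id> -o json`
# (only the fields used here are included; names assumed from the activity-log schema).
SAMPLE_EVENTS = json.loads("""[
  {"eventTimestamp": "2026-01-08T02:14:07Z",
   "operationName": {"value": "Microsoft.KeyVault/vaults/secrets/read"},
   "claims": {"ipaddr": "203.0.113.25"}, "status": {"value": "Succeeded"}},
  {"eventTimestamp": "2026-01-08T03:41:52Z",
   "operationName": {"value": "Microsoft.KeyVault/vaults/secrets/read"},
   "claims": {"ipaddr": "198.51.100.77"}, "status": {"value": "Succeeded"}},
  {"eventTimestamp": "2026-01-08T03:45:10Z",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "claims": {"ipaddr": "198.51.100.77"}, "status": {"value": "Succeeded"}}
]""")

# ARM scope grammar: subscription, optional resource group, optional provider/type/name.
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"(?:/providers/(?P<provider>[^/]+)/(?P<rtype>[^/]+)/(?P<name>[^/]+))?"
)


def parse_scope(scope):
    """Split an ARM scope string into subscription, resource group and resource parts."""
    m = SCOPE_RE.match(scope)
    if not m:
        return {"sub": None, "rg": None, "provider": None, "rtype": None, "name": None}
    return m.groupdict()


def blast_radius(assignments):
    """Summarize which subscriptions, Key Vaults and high-privilege roles an identity can reach."""
    subs, vaults, high = set(), [], []
    for a in assignments:
        parts = parse_scope(a["scope"])
        if parts["sub"]:
            subs.add(parts["sub"])
        if parts["provider"] == "Microsoft.KeyVault" and parts["rtype"] == "vaults":
            vaults.append(parts["name"])
        if a["roleDefinitionName"] in HIGH_PRIV_ROLES:
            high.append((a["roleDefinitionName"], a["scope"]))
    return {"subscriptions": sorted(subs), "key_vaults": sorted(vaults), "high_privilege": high}


def unknown_origin_events(events, known_ranges=KNOWN_RANGES):
    """Return (timestamp, operation, ip) for events whose caller IP is outside known ranges."""
    flagged = []
    for e in events:
        ip_text = e.get("claims", {}).get("ipaddr")
        if not ip_text:
            continue  # events without a caller IP cannot be attributed by origin
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in known_ranges):
            flagged.append((e["eventTimestamp"], e["operationName"]["value"], ip_text))
    return flagged


if __name__ == "__main__":
    radius = blast_radius(SAMPLE_ASSIGNMENTS)
    print("Subscriptions reachable:", radius["subscriptions"])
    print("Key Vaults in scope:", radius["key_vaults"])
    for role, scope in radius["high_privilege"]:
        print(f"High-privilege: {role} at {scope}")
    for ts, op, ip in unknown_origin_events(SAMPLE_EVENTS):
        print(f"Unknown-origin activity: {ts} {op} from {ip}")
```

To run it against a real engagement, replace the two embedded samples with the files saved from the az commands (for example via `json.load(open("assignments.json"))`) and populate `KNOWN_RANGES` from your own inventory; a role assignment write from an unknown IP, as in the third sample event, is the kind of entry to chase first because it widens the blast radius after the initial access.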
What We Found
The initial triage revealed access to three subscriptions and a Key Vault containing production database credentials. The full timeline and containment steps will be covered in Part 2.