CoursesAzure securityGovernance & incident response

Incident response & forensics

Revoke sessions, isolate, snapshot, hunt persistence.

Expert35 min · lesson 15 of 15

Cloud incident response is a race between the attacker and your ability to contain, understand, and evict them — run on infrastructure that is all API calls and short-lived tokens. The winning move is a rehearsed runbook that contains the threat without destroying the evidence you need.

Contain the identity, preserve the resource

For a compromised Entra identity, disable the account and revoke its refresh and sign-in sessions — because access tokens already issued stay valid until they expire, disabling alone is not enough. For a compromised VM, apply a deny-all NSG to isolate it and snapshot its disk before any destructive action, rather than deleting and losing the evidence. Contain first, preserve second; a deleted VM and an un-revoked session both leave you blind.

revoke sessions, isolate, snapshot
# 1. Compromised user: disable and revoke ALL sessions (tokens already issued).
az ad user update --id [email protected] --account-enabled false
az rest --method POST \
--url "https://graph.microsoft.com/v1.0/users/[email protected]/revokeSignInSessions"
# 2. Compromised VM: isolate with a deny-all NSG, then snapshot BEFORE deleting.
az network nsg rule create -g rg --nsg-name vm-nsg -n quarantine \
--priority 100 --direction Inbound --access Deny --protocol '*' --source-address-prefixes '*'
az snapshot create -g rg -n ir-8891 --source $(az vm show -g rg -n web01 --query storageProfile.osDisk.managedDisk.id -o tsv)

Investigate, hunt persistence, recover

With the threat contained, reconstruct what happened from the Activity Log (control-plane actions), Entra sign-in and audit logs, and resource diagnostics — an immutable, centralized store means the evidence survives even if a subscription was owned. Then hunt for persistence, because a competent attacker plants a second way in: new app registrations, added service-principal credentials, fresh role assignments, altered Conditional Access, or new federated trust. Rotate what was exposed, remove the footholds, rebuild clean, and only then reconnect — and rehearse the whole sequence as a drill.

Azure incident response phases
stop the bleeding
contain
disable + revoke sessions, deny-all NSG
preserve
disk snapshot before deleting
understand
investigate
Activity Log + Entra sign-in/audit logs
hunt persistence
app regs, SP creds, role/CA changes
restore
eradicate + rotate
remove footholds, rotate secrets
recover
rebuild clean, then reconnect
Contain first, preserve second, understand third. Skipping persistence-hunting is how attackers walk back in an hour later.
Disabling the account is not revoking the token
Disabling an Entra user does not invalidate access tokens already issued — they remain valid until expiry (often up to an hour). Always call revokeSignInSessions to kill refresh tokens and force re-authentication, and snapshot evidence before deleting any resource.