Blog
Practical incident response and DFIR guides from the CICADA IR team.
13 min read
The first hour of a credential compromise: a repeatable IR playbook
What you do in the first hour of a credential compromise decides how the rest of the investigation goes. A minute-by-minute IR playbook — triage without destroying evidence, collect the telemetry that expires first, build the timeline, and contain with an approval gate and full audit trail.
Credential Compromise · Playbooks · Incident Response · Entra ID · DFIR
13 min read
Investigating Microsoft 365 BEC: OAuth grants, mailbox rules, and the BEC kill chain
Business Email Compromise has moved past simple password theft. Modern BEC chains pivot through OAuth consent grants, mailbox forwarding rules, and inbox poisoning. A step-by-step IR workflow for tracing a BEC incident end-to-end in a Microsoft 365 tenant.
Microsoft 365 · BEC · Entra ID · Incident Response · DFIR
12 min read
How to investigate a compromised Entra ID account: a step-by-step IR workflow
A practical incident response workflow for investigating a suspected compromised Microsoft Entra ID user — from initial triage to containment, evidence collection, and report generation.
Entra ID · Microsoft 365 · Incident Response · DFIR