Conducting Cloud Incident Response

When to Use

- Cloud security posture management (CSPM) alerts on unauthorized resource changes
- CloudTrail, Azure Activity Logs, or GCP Audit Logs show suspicious API calls
- Cloud access keys or service principal credentials are suspected compromised
- Unauthorized compute instances, storage buckets, or IAM changes are detected
- A cloud-hosted application is breached and attacker activity spans cloud services

Do not use for on-premises-only incidents with no cloud component; use standard enterprise IR procedures.

Prerequisites

- Cloud-native logging enabl…