

The Big Data Blog


When One Alert Tells You Everything — and Nothing (Detecting v17 Lumma Stealer)
The Attacker Almost Won
On a quiet Tuesday morning in June 2026, an employee at a mid-size organization pressed Win+R, pasted a command they found on a website, and hit Enter. By the time SentinelOne surfaced its first alert, Lumma Stealer had already spent over five minutes inside the machine — reading browser memory, querying the Windows credential database, capturing keystrokes, and probing the network for other machines to move to. The user had no idea. They spent the nex
Jun 14 · 8 min read
They Tried to Erase Everything. Here's How It Almost Worked.
An attacker silenced the EDR agent, waited weeks, dropped a hidden payload, then fired off a command designed to wipe every byte on the server. One thing stood between them and total data destruction.
Jun 14 · 0 min read


In-Cloud IR: How to Forensically Acquire and Analyze a Compromised Azure VM Without Pulling the Plug
Traditional digital forensics has a straightforward playbook for compromised machines: pull the drive, image it, analyze the image. In cloud environments that approach does not work. You cannot physically pull a disk from a data center you do not have physical access to. Downloading a full virtual disk over the internet for a 512GB drive takes hours and costs a significant amount in egress fees. And shutting down the VM disrupts the business and may destroy volatile evidence.
Jun 2 · 9 min read


VM-Level Forensics in Azure: Collecting Windows, Linux, and Application Logs Without Logging Into the Machine
Network logs tell you what traffic hit a machine. Activity logs tell you when it was created and modified. But neither tells you what happened inside the operating system — which processes ran, which accounts authenticated locally, which files were accessed. For that level of detail, you need OS-level logs, and in Azure collecting those requires an agent running on the VM itself. The upside is significant: Azure's diagnostic agent lets you pull Windows event logs and Linux sy
Jun 1 · 7 min read


Azure Logging Part 2 — Storage Accounts, NSG Flow Logs, and the Data Exfiltration Trail
If the previous article covered the logs you are likely to find turned on when you arrive at a scene, this one covers the logs you need but probably will not find. NSG flow logs, storage account access logs, and the forensic trails for tracking data exfiltration — all off by default. That means you either find them already configured or you turn them on immediately and accept that prior activity may be gone forever. The good news: when these logs were configured, they hold so
May 29 · 7 min read