Sunday, June 14, 2026

When the Evidence Lives in the Cloud: Investigating Microsoft 365 and Beyond


A few years ago, an enterprise investigation began with someone’s laptop. Today it usually begins in a mailbox, a Teams chat, or an audit log. By the time anyone touches a physical device, most of the story has already played out in the cloud. That single shift changes what your forensic toolkit has to be capable of — and it’s the reason we keep pointing enterprise clients toward Magnet Axiom Cyber.

There’s a common misunderstanding worth clearing up first. When people say “cloud forensics,” they often picture running forensic software on cloud servers. That’s not the hard part. The hard part is investigating what actually happens inside the cloud — Microsoft 365, Google Workspace, Slack, Box, OneDrive, SharePoint, Teams, the audit logs, and the identity activity wrapped around all of it.


The questions a modern investigation has to answer

When a business email compromise, an insider-threat case, a data leak, or a messy employee departure lands on your desk, the key evidence is usually sitting in a cloud service before it’s anywhere near an endpoint. To get to the truth, you need to be able to answer things like: Who accessed what, when, and from where? Were files downloaded, synced, shared, or deleted before someone resigned? Did a login really come from the expected user and device — or from an unfamiliar IP on the other side of the world? Did a suspicious third-party app quietly gain access to email or storage? And crucially: does the cloud activity line up with what’s on the person’s actual device?

That last question is the one that wins or loses cases. Cloud evidence rarely tells the whole story on its own.

Microsoft 365 is usually the main event — and the clock is ticking

For most enterprises, Microsoft 365 is where the investigation lives: mailboxes, attachments, calendars, Teams, OneDrive, SharePoint, and the unified audit log. Axiom Cyber collects all of it through a proper administrator-authorised workflow, where someone with the right permissions selects exactly which users and which data are in scope. That matters, because what enterprise teams need isn’t a data dump — it’s targeted collection they can stand behind and explain afterwards.

Here’s a detail many teams get caught out by: audit-log retention is shorter than people assume. By default, Microsoft keeps audit logs for Exchange, SharePoint, OneDrive, and Entra for about a year — but a lot of other audit activity is held for only 180 days, and some related cloud logs for as little as 90. Once a log ages out, it’s gone for good. So the ability to acquire and preserve those logs quickly, before the window closes, isn’t a nice-to-have. It’s the whole ballgame.

Logs tell you something happened. Endpoints tell you what they did next.

A Microsoft 365 audit event might show that a file was downloaded. But the investigation isn’t finished there. Was the file opened locally? Copied to a USB stick? Compressed, renamed, or uploaded somewhere else? Was any of this normal behaviour for that user? A cloud-only view has blind spots; an endpoint-only view has different ones. The strongest investigations stitch both together.

This is where Axiom Cyber earns its place. It collects from the cloud and performs targeted remote and off-network collection from Windows, Mac, and Linux machines — and if a device drops offline mid-collection, it resumes automatically. Then it brings cloud, endpoint, mobile, and third-party evidence into one case, with tools like Timeline and Connections that turn a pile of raw logs into a clear sequence of events anyone can follow.
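The stitching described above, as an added example that is not part of the original post and not Axiom Cyber's own code: a Microsoft 365 `FileDownloaded` audit record is normalised to UTC alongside a small endpoint file-activity log, merged into one timeline, and each download is followed through the endpoint events that touch the same file (including an archive it was packed into), so the examiner can see whether it reached removable media. The audit field names (`CreationTime`, `Operation`, `Workload`, `UserId`, `ClientIP`, `ObjectId`) follow the Microsoft 365 audit schema; the endpoint log shape, the UTC+8 workstation time zone, the host name and every value are constructed for the example.

```python
import ntpath
from datetime import datetime, timedelta, timezone

# Constructed cloud-side sample: Microsoft 365 audit records for SharePoint downloads.
CLOUD_EVENTS = [
    {"CreationTime": "2026-06-01T02:30:00", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/rnd/Shared Documents/roadmap-2027.xlsx"},
    {"CreationTime": "2026-06-01T03:05:00", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/rnd/Shared Documents/quarterly-newsletter.docx"},
]

# Constructed endpoint-side sample (assumed export shape). Timestamps are local time on the
# workstation, assumed to be UTC+8; audit records are UTC, so both must be normalised first.
LOCAL_TZ = timezone(timedelta(hours=8))
ENDPOINT_EVENTS = [
    {"time": "2026-06-01 10:31:10", "host": "WS-ALICE", "action": "FileCreated",
     "path": r"C:\Users\alice\Downloads\roadmap-2027.xlsx"},
    {"time": "2026-06-01 10:33:42", "host": "WS-ALICE", "action": "ArchiveCreated",
     "path": r"C:\Users\alice\Desktop\backup.7z", "contains": ["roadmap-2027.xlsx"]},
    {"time": "2026-06-01 10:35:05", "host": "WS-ALICE", "action": "FileCopied",
     "path": r"E:\backup.7z", "volume": "Removable"},
    {"time": "2026-06-01 11:06:00", "host": "WS-ALICE", "action": "FileCreated",
     "path": r"C:\Users\alice\Downloads\quarterly-newsletter.docx"},
]


def to_utc_cloud(s):
    # Audit CreationTime is UTC without an explicit offset.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def to_utc_endpoint(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)


def build_timeline(cloud, endpoint):
    """Merge both sources into one UTC-ordered list of uniform rows."""
    rows = []
    for e in cloud:
        rows.append({"ts": to_utc_cloud(e["CreationTime"]), "source": "m365", "actor": e["UserId"],
                     "action": e["Operation"], "name": e["ObjectId"].rsplit("/", 1)[-1],
                     "detail": e["ObjectId"], "contains": [], "volume": ""})
    for e in endpoint:
        rows.append({"ts": to_utc_endpoint(e["time"]), "source": "endpoint:" + e["host"], "actor": e["host"],
                     "action": e["action"], "name": ntpath.basename(e["path"]), "detail": e["path"],
                     "contains": e.get("contains", []), "volume": e.get("volume", "")})
    return sorted(rows, key=lambda r: r["ts"])


def follow_download(timeline, download, window=timedelta(hours=2)):
    """Endpoint events within `window` after the download that touch the downloaded file,
    or an archive it was packed into (the archive's name joins the set being tracked)."""
    names = {download["name"]}
    chain = []
    for row in timeline:
        if not row["source"].startswith("endpoint"):
            continue
        if row["ts"] < download["ts"] or row["ts"] - download["ts"] > window:
            continue
        if row["name"] in names or names & set(row["contains"]):
            chain.append(row)
            if row["action"] == "ArchiveCreated":
                names.add(row["name"])
    return chain


def correlate(cloud, endpoint):
    """Per downloaded file: what happened to it on the endpoint, and did it leave the machine."""
    timeline = build_timeline(cloud, endpoint)
    report = {}
    for row in timeline:
        if row["source"] == "m365" and row["action"] == "FileDownloaded":
            chain = follow_download(timeline, row)
            report[row["name"]] = {
                "downloaded_at": row["ts"],
                "endpoint_events": [(r["ts"], r["action"], r["detail"]) for r in chain],
                "reached_removable_media": any(r["volume"] == "Removable" for r in chain),
            }
    return report


if __name__ == "__main__":
    for name, info in correlate(CLOUD_EVENTS, ENDPOINT_EVENTS).items():
        print(name, "downloaded", info["downloaded_at"].isoformat(),
              "removable media:", info["reached_removable_media"])
        for ts, action, detail in info["endpoint_events"]:
            print("   ", ts.isoformat(), action, detail)
```

The time-zone normalisation is the step most often skipped and most often wrong; a two-hour follow-on window and the "archive inherits the tracked name" rule are heuristics to tune against the case, not fixed truths.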

Modern cloud attacks are really identity attacks

It’s worth saying plainly: attackers often don’t “hack a server” anymore. They use stolen credentials, hijacked session cookies, malicious app consents, MFA fatigue, or a compromised SaaS vendor to walk in through the front door. That means a proper cloud investigation has to examine login activity, failed and successful sign-ins, MFA events, OAuth grants, mailbox forwarding rules, privilege changes, and access from unusual locations — then place all of it alongside the device evidence. Axiom Cyber moves you from “there was a suspicious login” to “here’s exactly what happened before, during, and after it.”
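A triage pass over the indicator categories listed above, as an added example that is not from the original post or from Magnet Forensics: it parses unified audit log records (the JSON that `Search-UnifiedAuditLog` returns in its AuditData column), flags inbox rules that forward or delete mail, application consent grants, successful sign-ins from outside the organisation's expected countries, and a burst of failed sign-ins followed by a success. The field names (`Operation`, `UserId`, `ClientIP`, `CreationTime`, `Workload`, `ResultStatus`, `Parameters`) follow the audit schema; the records, the geo-IP lookup table, the expected-country list and the burst thresholds are constructed assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in the AuditData JSON shape; all values are invented.
RAW_RECORDS = [
    '{"CreationTime":"2026-06-01T02:10:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}',
    '{"CreationTime":"2026-06-01T02:11:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}',
    '{"CreationTime":"2026-06-01T02:12:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}',
    '{"CreationTime":"2026-06-01T02:14:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}',
    '{"CreationTime":"2026-06-01T02:20:00","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"ext@example.net"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2026-06-01T02:25:00","Operation":"Consent to application.","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}',
    '{"CreationTime":"2026-06-01T09:00:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"bob@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}',
]

# Constructed stand-in for a geo-IP lookup; a real case would consult a proper database.
IP_COUNTRY = {"203.0.113.10": "MY", "198.51.100.7": "ZZ"}
EXPECTED_COUNTRIES = {"MY"}            # assumption: where this organisation's users normally sign in
FAILURE_BURST = 3                      # heuristic thresholds, tune per environment
BURST_WINDOW = timedelta(minutes=10)
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def parse_records(raw_lines):
    recs = [json.loads(line) for line in raw_lines]
    for r in recs:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(recs, key=lambda r: r["_ts"])


def flag_record(rec):
    """Indicators visible in a single record."""
    findings = []
    op = rec.get("Operation", "")
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for key in FORWARDING_KEYS:
            if key in params:
                findings.append(f"inbox rule forwards mail via {key} to {params[key]}")
        if params.get("DeleteMessage") == "True":
            findings.append("inbox rule deletes messages, which hides forwarded mail from the owner")
    elif op == "Consent to application.":
        findings.append("OAuth consent granted to an application; review its permissions")
    elif op == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
        country = IP_COUNTRY.get(rec.get("ClientIP"), "unknown")
        if country not in EXPECTED_COUNTRIES:
            findings.append(f"successful sign-in from unexpected location {country} ({rec.get('ClientIP')})")
    return findings


def flag_failure_bursts(records):
    """A run of failed sign-ins followed within the window by a success, per user."""
    findings = []
    failures = {}
    for r in records:
        if r.get("Operation") != "UserLoggedIn":
            continue
        user = r["UserId"]
        recent = [t for t in failures.get(user, []) if r["_ts"] - t <= BURST_WINDOW]
        if r.get("ResultStatus") == "Failed":
            recent.append(r["_ts"])
        elif r.get("ResultStatus") == "Success" and len(recent) >= FAILURE_BURST:
            findings.append((r["_ts"], user, f"success after {len(recent)} failed sign-ins within {BURST_WINDOW}"))
            recent = []
        failures[user] = recent
    return findings


def triage(raw_lines):
    """All findings as (timestamp, user, description), oldest first."""
    records = parse_records(raw_lines)
    findings = [(r["_ts"], r["UserId"], f) for r in records for f in flag_record(r)]
    findings += flag_failure_bursts(records)
    return sorted(findings)


if __name__ == "__main__":
    for ts, user, what in triage(RAW_RECORDS):
        print(ts.isoformat(), user, what)
```

Each finding carries its timestamp so it can be laid next to the endpoint evidence; on its own, any one of these indicators is a lead rather than a conclusion.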

Collect the right data — not all of it

Over-collection is a quiet tax on cloud investigations. Grabbing everything inflates privacy risk, review costs, and legal complexity, and buries the relevant material under noise. Increasingly, regulators and courts — and Malaysia’s PDPA — expect you to collect only what’s in scope. Axiom Cyber’s Microsoft 365 workflow is built for that, with filtering by time range and keyword and targeted folder selection, so you take what matters, preserve it properly, and can explain precisely why it was in scope.

One case, many stakeholders

Cloud investigations rarely stay with one team. A single employee-departure matter can become an IP-theft case, a legal-hold issue, an HR matter, and a security investigation all at once. HR needs findings in plain language; legal needs defensible preservation and export; the security team needs speed; the examiner needs everything to hold up. Because Axiom Cyber combines collection, preservation, analysis, and reporting in one workflow, the same evidence can serve all of those audiences without being scattered across separate tools.


Why this matters for your organisation

Enterprise evidence no longer sits neatly on one laptop. It’s spread across Microsoft 365, cloud storage, collaboration apps, SaaS platforms, and endpoints — and the tool you rely on has to collect the right cloud evidence, preserve it defensibly before logs expire, analyse it fast, and connect it to the rest of the case. That’s exactly what Magnet Axiom Cyber is built to do, and it’s why it’s our go-to recommendation for enterprise cloud and internal investigations.

As Magnet Forensics’ partner in Malaysia, SIAGA does more than hand over a licence. We help you scope Axiom Cyber to your environment, deploy it, train your investigators, and support you when a real incident hits — whether it’s business email compromise, insider risk, a compromised account, or an eDiscovery and legal-hold matter.

If your investigations still start with seizing a device, let’s show you what a cloud-first, endpoint-aware workflow looks like in practice. Contact SIAGA to arrange a walkthrough or a real-world demonstration of Magnet Axiom Cyber.
