IMAP (and POP3) clients will download individual emails using a Bind operation. This is an advantage, as you can track individual emails by following the "Message ID" field through various log entries.

The PowerShell command "Get-OrganizationConfig | Format-List AuditDisabled" will help you confirm that audit logs are not disabled (meaning they are enabled). The double negative can be confusing: false means that auditing is turned on.

By providing the application ID (ClientID) and the client secret, you can make a call to the Graph API and obtain an authorization token.

Serverless and containers are hot topics. Containers are a great way to sandbox an application, while serverless is an efficient way to run a small amount of code. From a DFIR perspective, they both represent challenges. Containers are likely to purge all log data on exit, while serverless typically runs for a short amount of time, leaving very little in terms of logs.

Each cloud vendor has a shared responsibility model explaining what they will take care of versus what the customer is expected to handle. Regardless of cloud type, the customer is ultimately responsible for the information and data they put in the cloud.

Clouds use a per-consumption model, which means everything you do has a cost. Disks and snapshots are examples of persistent costs, which accrue constantly until the resource or object is deleted. There are also temporary costs, which accrue only when the resource is running, such as with a virtual machine.

The SoftDelete action moves messages to the Recoverable Items folder. HardDelete purges items from that folder. MoveToDeletedItems moves them to the Deleted Items folder. MailItemsAccessed shows when items are accessed, not when they are deleted.