Step 1 is to review your existing telemetry. You determine the possible scope of the attack based on the evidence you find. You remediate based on that. You may also want to consider scope that you don't have evidence for (because you lack the telemetry) but that you believe an attacker could have accessed - that's fine too.
This comes down to a risk assessment. No company has a breach and just shuts everything down, that is insane. When we perform IR we build a detailed timeline, we collect the scope of potential access, and we form a remediation plan. We don't just go "well hey, anything can happen right? shut it all down".
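An added example (not the commenter's code) of the scoping the post describes, in Python with constructed log lines and a constructed asset inventory: build the compromised account's timeline, take the hosts with evidence of access, and separately list reachable hosts that lack telemetry so they enter the risk assessment as potential scope instead of being ignored. The account name, host names and inventory fields are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry (not from any real incident):
# "timestamp,user,source_host,dest_host,result", deliberately out of order.
SAMPLE_LOGS = """\
2024-05-01T08:02:11,jdoe,ws-17,fileserver-1,success
2024-05-01T08:05:40,jdoe,ws-17,db-2,success
2024-05-01T08:06:02,svc-backup,bk-1,fileserver-1,success
2024-05-01T08:09:55,jdoe,db-2,jump-1,failure
2024-05-01T07:58:30,jdoe,vpn-gw,ws-17,success
"""

# Constructed asset inventory: whether the compromised account's group can
# reach each host, and whether the host forwards logs to the SIEM.
ASSETS = {
    "ws-17": {"reachable": True, "telemetry": True},
    "fileserver-1": {"reachable": True, "telemetry": True},
    "db-2": {"reachable": True, "telemetry": True},
    "jump-1": {"reachable": True, "telemetry": True},
    "legacy-app-3": {"reachable": True, "telemetry": False},  # no log forwarding
    "hr-db": {"reachable": False, "telemetry": False},  # not reachable by this account
}

@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    dst: str
    result: str

def parse_events(raw: str) -> list:
    events = []
    for line in raw.strip().splitlines():
        ts, user, src, dst, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, src, dst, result))
    return events

def build_timeline(events: list, compromised_user: str) -> list:
    """Step 1: the compromised account's actions in time order."""
    return sorted((e for e in events if e.user == compromised_user), key=lambda e: e.ts)

def scope_from_evidence(timeline: list) -> set:
    """Hosts the account demonstrably touched (successful logons only)."""
    hosts = set()
    for e in timeline:
        if e.result == "success":
            hosts.update({e.src, e.dst})
    return hosts

def scope_from_telemetry_gaps(assets: dict) -> set:
    """Reachable hosts with no telemetry: no evidence either way, so they are
    carried into the risk assessment as potential scope."""
    return {h for h, a in assets.items() if a["reachable"] and not a["telemetry"]}
```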