# Hunt For Newly Identified Lateral Movement Paths To Sensitive Accounts

## Description

This KQL query lists the lateral movement paths to sensitive accounts that Microsoft Defender for Identity has identified, wherever that data is available. The output is comparable to a BloodHound path listing. A newly identified path means that the sensitive account can be taken over by an attacker who follows that path, so each new path is worth triaging.
## Query

### Microsoft Defender For Endpoint

```kusto
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
// AdditionalFields carries the path details as JSON; parse it once and read from the parsed object
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = tostring(AdditionalInfo['ACTOR.ACCOUNT'])
| extend FromAccount = tostring(AdditionalInfo['FROM.ACCOUNT'])
| project
    Timestamp,
    LateralMovementPathToSensitiveAccount,
    FromAccount,
    DeviceName,
    AccountName,
    AccountDomain
```
### Microsoft Sentinel

```kusto
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
// AdditionalFields carries the path details as JSON; parse it once and read from the parsed object
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = tostring(AdditionalInfo['ACTOR.ACCOUNT'])
| extend FromAccount = tostring(AdditionalInfo['FROM.ACCOUNT'])
| project
    TimeGenerated,
    LateralMovementPathToSensitiveAccount,
    FromAccount,
    DeviceName,
    AccountName,
    AccountDomain
```
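The queries above return every identified path in the selected time range, so a path that has been known for weeks shows up next to one reported today. The following variant is an added example, not one of the repository's own queries; it keeps the same `IdentityDirectoryEvents` schema and field names and only reports paths that were not seen in the preceding 30 days, which is closer to the "newly identified" intent of the hunt. The `lookback` and `recent` windows are assumed values and should be tuned to the environment; for Sentinel, replace `Timestamp` with `TimeGenerated`.

```kusto
// Added example (not the repository's query): surface lateral movement paths to
// sensitive accounts that first appeared in the last day and were not reported
// during the 30 days before that. Window sizes are assumptions; adjust as needed.
let lookback = 30d;
let recent = 1d;
// Paths already known from the baseline period (pairs of target and source account)
let KnownPaths =
    IdentityDirectoryEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where ActionType == "Potential lateral movement path identified"
    | extend AdditionalInfo = parse_json(AdditionalFields)
    | extend LateralMovementPathToSensitiveAccount = tostring(AdditionalInfo['ACTOR.ACCOUNT']),
             FromAccount = tostring(AdditionalInfo['FROM.ACCOUNT'])
    | distinct LateralMovementPathToSensitiveAccount, FromAccount;
// Paths reported in the recent window, minus the ones already in the baseline
IdentityDirectoryEvents
| where Timestamp > ago(recent)
| where ActionType == "Potential lateral movement path identified"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = tostring(AdditionalInfo['ACTOR.ACCOUNT']),
         FromAccount = tostring(AdditionalInfo['FROM.ACCOUNT'])
| join kind=leftanti KnownPaths on LateralMovementPathToSensitiveAccount, FromAccount
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Devices = make_set(DeviceName),
    ReportingAccounts = make_set(AccountName)
    by LateralMovementPathToSensitiveAccount, FromAccount
| order by FirstSeen desc
```

The `leftanti` join drops every (target account, source account) pair that was already present in the baseline, so a path reappearing on a different device is still treated as known; if you want device-level novelty instead, add `DeviceName` to both the `distinct` and the join keys.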