List Lateral Movements Paths to Compromised Device
Exposure Management Lateral Movement Paths
Query
// List potential lateralmovement paths to compromised device
let DeviceName = "testdevice.test.com";
ExposureGraphEdges
| where TargetNodeLabel == "device"
| where TargetNodeName == DeviceName
| summarize Total = dcount(SourceNodeName), Details = make_set(SourceNodeName) by EdgeLabel, TargetNodeName
| extend Message = strcat(Total, " details ", EdgeLabel, " ", TargetNodeName)
| project Message, Action = EdgeLabel, Details, Total, Target = TargetNodeNameAbout this query
List Lateral Movements Paths to Compromised Device
Sentinel
Explanation
This KQL query is designed to identify and summarize potential lateral movement paths to a specific compromised device within a network. Here's a breakdown of what the query does in simple terms:
-
Device Specification: The query starts by specifying a device of interest, in this case, "testdevice.test.com". This is the device that is suspected to be compromised.
-
Filter for Target Device: It filters the data to focus only on paths where the target node is a device and matches the specified device name.
-
Summarize Paths: For each type of connection (or "edge") leading to the compromised device, it counts the number of unique source nodes (other devices or entities) that have a path to the target device. It also collects the names of these source nodes.
-
Create a Message: It constructs a message that summarizes the findings, indicating how many unique paths (or connections) exist for each type of action or relationship (EdgeLabel) leading to the target device.
-
Output: The final output includes:
- A message summarizing the number of paths and the type of connection.
- The type of action or relationship (EdgeLabel) leading to the device.
- The list of source nodes that have paths to the target device.
- The total number of unique paths.
- The name of the target device.
In essence, this query helps security analysts understand how many and which entities in the network have potential paths to a compromised device, which can be crucial for assessing the risk and planning a response.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators