Query Details

List Lateral Movements Paths to Compromised Device

Exposure Management Lateral Movement Paths

Query

// List potential lateralmovement paths to compromised device
let DeviceName = "testdevice.test.com";
ExposureGraphEdges
| where TargetNodeLabel == "device"
| where TargetNodeName == DeviceName
| summarize Total = dcount(SourceNodeName), Details = make_set(SourceNodeName) by EdgeLabel, TargetNodeName
| extend Message = strcat(Total, " details ", EdgeLabel, " ", TargetNodeName)
| project Message, Action = EdgeLabel, Details, Total, Target = TargetNodeName

About this query

List Lateral Movements Paths to Compromised Device

Sentinel

Explanation

This KQL query is designed to identify and summarize potential lateral movement paths to a specific compromised device within a network. Here's a breakdown of what the query does in simple terms:

  1. Device Specification: The query starts by specifying a device of interest, in this case, "testdevice.test.com". This is the device that is suspected to be compromised.

  2. Filter for Target Device: It filters the data to focus only on paths where the target node is a device and matches the specified device name.

  3. Summarize Paths: For each type of connection (or "edge") leading to the compromised device, it counts the number of unique source nodes (other devices or entities) that have a path to the target device. It also collects the names of these source nodes.

  4. Create a Message: It constructs a message that summarizes the findings, indicating how many unique paths (or connections) exist for each type of action or relationship (EdgeLabel) leading to the target device.

  5. Output: The final output includes:

    • A message summarizing the number of paths and the type of connection.
    • The type of action or relationship (EdgeLabel) leading to the device.
    • The list of source nodes that have paths to the target device.
    • The total number of unique paths.
    • The name of the target device.

In essence, this query helps security analysts understand how many and which entities in the network have potential paths to a compromised device, which can be crucial for assessing the risk and planning a response.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

ExposureGraphEdges

Keywords

ExposureGraphEdgesDeviceTargetNodeLabelTargetNodeNameSourceNodeNameEdgeLabel

Operators

letwheresummarizedcountmake_setbyextendstrcatproject

Actions

GitHub