Hunt for newly identified lateral movement paths to sensitive accounts
New Lateral Movement Path To Sensitive Account Identified
Query
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = AdditionalFields.['ACTOR.ACCOUNT']
| extend FromAccount = AdditionalFields.['FROM.ACCOUNT']
| project
Timestamp,
LateralMovementPathToSensitiveAccount,
FromAccount,
DeviceName,
AccountName,
AccountDomainAbout this query
Hunt for newly identified lateral movement paths to sensitive accounts
Query Information
Description
Defender For Identity identifies lateral movement paths to all sensitive accounts (if possible). This is similar to a Bloodhound output. A newly identified path can mean that a sensitive account can be taken over if the path is followed.
References
Defender XDR
Sentinel
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = AdditionalFields.['ACTOR.ACCOUNT']
| extend FromAccount = AdditionalFields.['FROM.ACCOUNT']
| project
TimeGenerated,
LateralMovementPathToSensitiveAccount,
FromAccount,
DeviceName,
AccountName,
AccountDomain
Explanation
This query is designed to detect and highlight potential security risks related to lateral movement within a network, specifically targeting sensitive accounts. Here's a simplified breakdown:
-
Purpose: The query aims to identify new paths that could potentially allow unauthorized access to sensitive accounts within an organization's network. This is crucial for preventing account takeovers.
-
Data Source: It uses data from identity directory events, which track actions and changes related to user accounts and their interactions within the network.
-
Key Action: The query filters events where a "Potential lateral movement path" has been identified. This indicates a possible route through which an attacker could move laterally across the network to reach a sensitive account.
-
Details Extracted:
- Timestamp/TimeGenerated: The time when the potential path was identified.
- LateralMovementPathToSensitiveAccount: The sensitive account that could be compromised if the path is exploited.
- FromAccount: The account from which the lateral movement could originate.
- DeviceName: The device involved in the event.
- AccountName and AccountDomain: Information about the account involved in the event.
-
Tools: The query is structured for use in two different security platforms: Defender XDR and Sentinel. Both platforms use similar logic but have slight differences in field names (e.g.,
Timestampvs.TimeGenerated).
Overall, this query helps security teams proactively identify and mitigate risks by understanding potential lateral movement paths to sensitive accounts, thereby enhancing the organization's security posture.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators