Query Details

Exposure Management Lateral Movement Paths

Query

# List Lateral Movement Paths to Compromised Device

### Sentinel
```KQL
// List potential lateral movement paths to the compromised device
let DeviceName = "testdevice.test.com";
ExposureGraphEdges
| where TargetNodeLabel == "device"
| where TargetNodeName == DeviceName
| summarize Total = dcount(SourceNodeName), Details = make_set(SourceNodeName) by EdgeLabel, TargetNodeName
| extend Message = strcat(Total, " details ", EdgeLabel, " ", TargetNodeName)
| project Message, Action = EdgeLabel, Details, Total, Target = TargetNodeName
```
Explanation

This query lists potential lateral movement paths leading to a compromised device named "testdevice.test.com" in Sentinel. It selects every edge in ExposureGraphEdges whose target is that device, and for each edge label (the type of relationship) it counts the unique source nodes, collects their names into a set, and then returns the total count, the set of names, the edge label and the target node name, together with a summary message.
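The page's query only looks at edges pointing into the device. During an incident a responder usually also wants the other direction, since a compromised device is itself a launch point. The added query below is not the original author's; it reuses the same table and extends the idea to both inbound and outbound edges. It assumes the `SourceNodeLabel` column exists alongside the columns the page already uses, and the device name is a constructed sample value.

```kql
// Added example (not the catalogue's query): inbound and outbound exposure-graph edges
// for one device, so a responder sees both what can reach it and what it can reach next.
let DeviceName = "testdevice.test.com";   // constructed sample value
// Edges whose target is the device: nodes that could move laterally onto it
let Inbound = ExposureGraphEdges
    | where TargetNodeLabel == "device" and TargetNodeName == DeviceName
    | extend Direction = "inbound", Peer = SourceNodeName, PeerLabel = SourceNodeLabel;
// Edges whose source is the device: nodes it could move laterally to
// (SourceNodeLabel is assumed to be present in the table schema)
let Outbound = ExposureGraphEdges
    | where SourceNodeLabel == "device" and SourceNodeName == DeviceName
    | extend Direction = "outbound", Peer = TargetNodeName, PeerLabel = TargetNodeLabel;
union Inbound, Outbound
// One row per direction, relationship type and peer node type; cap the set at 50 names
| summarize Total = dcount(Peer), Details = make_set(Peer, 50) by Direction, EdgeLabel, PeerLabel
| extend Message = strcat(Total, " ", PeerLabel, " node(s) ", Direction, " via '", EdgeLabel, "' for ", DeviceName)
| project Message, Direction, Action = EdgeLabel, PeerLabel, Total, Details
| order by Direction asc, Total desc
```

Rows with `Direction == "inbound"` reproduce what the original query reports; the outbound rows show where an attacker already on the device could go, which is the set to prioritise for containment.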

Details

Bert-Jan Pals

Released: June 27, 2024

Tables

ExposureGraphEdges

Keywords

Device, LateralMovement, Compromised, Paths, Sentinel, ExposureGraphEdges, TargetNodeLabel, TargetNodeName, SourceNodeName, EdgeLabel, Message, Action, Details, Total

Operators

where, summarize, make_set, extend, strcat, project