Detects and analyzes lateral movement within Azure AD and Entra ID environments using Microsoft Graph API and KQL hunting queries.
This skill empowers security analysts and developers to identify complex attack patterns in Azure cloud environments, such as service principal abuse, OAuth consent grants, and token theft. By leveraging Microsoft Sentinel and Kusto Query Language (KQL), it correlates disparate logs from sign-in events and audit trails to uncover hidden lateral movement paths that traditional on-premises tools might miss. It is particularly valuable for building robust threat detection pipelines and incident response workflows within Entra ID.
Key Features
1. Microsoft Graph API audit log correlation
2. Mapping of detections to MITRE ATT&CK techniques
3. Advanced KQL hunting queries for Microsoft Sentinel
4. Detection of cross-tenant pivoting and token theft
5. OAuth application consent grant auditing
6. 4,120 GitHub stars
Use Cases
1. Building automated response playbooks for identity-based threats
2. Investigating potential token replay attacks and session hijacking
3. Identifying unauthorized service principal credential additions