11-27-2018 10:20 AM
11-27-2018 10:20 AM
Yes, more new features!
In an effort to continue to improve and enhance your experience using Azure ATP, major improvements were made to Azure ATP Lateral Movement Path (LMP).
Effective from V2.5.6 (11/25/2018) Azure ATP:
Learn more about investigations using lateral movement paths.
As always, your feedback is welcome!
Every computer or user profile discovered by Azure ATP to be in an LMP has a Lateral movement paths tab. Computers and profiles with no tab have never been discovered within a potential LMP.Each time the tab is clicked, Azure ATP displays the most recently discovered LMP. Each potential LMP is displayed for 48 hours following discovery. LMP history is available. View older LMPs that were discovered in the past by clicking on View a different date.
V2.56 of Azure ATP adds two additional LMP capabilities. Discover when potential LMPs were identified and where, meaning which related entities are potentially involved.
From the Activities tab, we’ve added an indication when a new potential LMP was identified:
LMP can now directly assists with your investigation process. Azure ATP security alert evidence lists provide the related entities that are involved in each potential lateral movement path. The evidence lists directly help your security response team increase or reduce the importance of the security alert and/or investigation of the related entities. For example, when a Pass the Ticket alert is issued, the source computer, compromised user and destination computer the stolen ticket was used from, are all part of the potential lateral movement path leading to a sensitive user. The existence of the detected LMP makes investigating the alert and watching the suspected user even more important to prevent your adversary from additional lateral moves. Trackable evidence is provided in LMPs to make it easier and faster for you to prevent attackers from moving forward in your network.