Every computer or user profile that Azure ATP has discovered in an LMP has a Lateral movement paths tab. Computers and profiles with no tab have never been discovered in a potential LMP. Each time the tab is clicked, Azure ATP displays the most recently discovered LMP. Each potential LMP is displayed for 48 hours following discovery. LMP history is also available: view older LMPs that were discovered in the past by clicking View a different date.
Version 2.56 of Azure ATP adds two additional LMP capabilities: discovering when potential LMPs were identified, and where, meaning which related entities are potentially involved.
From the Activities tab, we’ve added an indication of when a new potential LMP was identified:
Sensitive users – when a new path was identified to a sensitive user
Non-sensitive users and computers – when this entity was identified in a potential LMP leading to a sensitive user.
LMPs can now directly assist with your investigation process. Azure ATP security alert evidence lists provide the related entities that are involved in each potential lateral movement path. The evidence lists directly help your security response team raise or lower the priority of the security alert and/or of the investigation of the related entities. For example, when a Pass the Ticket alert is issued, the source computer, the compromised user, and the destination computer the stolen ticket was used to access are all part of the potential lateral movement path leading to a sensitive user. The existence of the detected LMP makes investigating the alert and watching the suspected user even more important, to prevent your adversary from making additional lateral moves. Trackable evidence is provided in LMPs to make it easier and faster for you to prevent attackers from moving forward in your network.