Agent Foskett Academy • Lesson 81 • Advanced Defender XDR Investigation

Investigating Lateral Movement in Microsoft Defender XDR.

One compromised account.

Three devices.

Fifteen minutes.

The attacker wasn't staying in one place.

Agent Foskett followed the trail.

Agent Foskett Academy lesson investigating lateral movement in Microsoft Defender XDR
Lesson overview

Learn how to investigate lateral movement by correlating Microsoft Defender XDR device logon, identity logon, network and process telemetry into one clear investigation timeline.

Start with DeviceLogonEvents
Compare identity and device evidence
Review RDP, SMB and remote execution signals
Build the lateral movement timeline

Why lateral movement matters

Lateral movement is the point where an investigation stops being about one machine and starts becoming an environment-wide incident.
One account can touch many devicesA compromised account may authenticate to file servers, admin workstations, jump boxes and user endpoints in a short period of time.
Successful logons can still be suspiciousAttackers often use valid credentials, which means the strongest clue is not always failure. Sometimes it is unusual success.
Device and identity evidence must agreeDeviceLogonEvents and IdentityLogonEvents help defenders compare what the endpoint saw with what the identity layer recorded.

The lateral movement investigation workflow

Agent Foskett follows the authentication trail first, then pivots into network and process evidence.
1. Which account moved?Identify accounts that authenticated to multiple devices in a short period of time.
2. Which devices were touched?Summarise target devices to understand whether the activity crossed workstations, servers or privileged systems.
3. What logon type was used?Review LogonType, ActionType and remote logon indicators to separate normal sign-in from suspicious movement.
4. Was RDP, SMB or WinRM involved?Use DeviceNetworkEvents to look for common remote administration and lateral movement protocols.
5. Did remote execution follow?Use DeviceProcessEvents to identify PowerShell, cmd, PsExec-like activity or unusual parent-child process chains.
6. Can the path be proven?Build a timeline showing source device, account, destination device, process evidence and network activity.

Step 1 — Find accounts accessing multiple devices

Start with DeviceLogonEvents to identify accounts that successfully authenticated to several devices in a short window.
step-1-multiple-device-logons.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonSuccess"
| summarize DevicesAccessed = dcount(DeviceName),
            DeviceList = make_set(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountName, AccountDomain, AccountUpn
| where DevicesAccessed >= 3
| order by DevicesAccessed desc

Step 2 — Review logon details for the suspicious account

Once an account stands out, inspect the devices, source IP addresses and logon types involved.
step-2-review-suspicious-account-logons.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let SuspiciousAccount = "user@contoso.com";
DeviceLogonEvents
| where Timestamp > ago(24h)
| where AccountUpn =~ SuspiciousAccount
| project Timestamp,
          DeviceName,
          AccountUpn,
          ActionType,
          LogonType,
          RemoteIP,
          RemoteDeviceName,
          InitiatingProcessFileName
| order by Timestamp asc

Step 3 — Compare identity logon evidence

Use IdentityLogonEvents to compare sign-in behaviour, applications and source addresses recorded by the identity layer.
step-3-identity-logon-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let SuspiciousAccount = "user@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(24h)
| where AccountUpn =~ SuspiciousAccount
| project Timestamp,
          AccountUpn,
          ActionType,
          LogonType,
          Application,
          DeviceName,
          IPAddress,
          FailureReason
| order by Timestamp asc

Step 4 — Look for remote administration protocols

Review DeviceNetworkEvents for protocol patterns commonly associated with lateral movement, such as RDP, SMB and WinRM.
step-4-remote-admin-protocols.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (3389, 445, 5985, 5986)
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountUpn,
          InitiatingProcessFileName,
          RemoteIP,
          RemotePort,
          RemoteUrl,
          ActionType
| order by Timestamp asc

Step 5 — Hunt for remote execution activity

Look for process creation patterns that may indicate remote execution or attacker-driven administration.
step-5-remote-execution-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "psexec.exe", "schtasks.exe")
   or ProcessCommandLine has_any ("Invoke-Command", "Enter-PSSession", "\\", "ADMIN$", "-EncodedCommand")
| project Timestamp,
          DeviceName,
          AccountUpn,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp asc

Step 6 — Build the lateral movement timeline

Union the strongest evidence into one chronological view so the movement path can be explained clearly.
step-6-lateral-movement-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
let InvestigationAccount = "user@contoso.com";
let Logons = DeviceLogonEvents
| where Timestamp > ago(24h)
| where AccountUpn =~ InvestigationAccount
| project Timestamp, EventType = "Device logon", DeviceName, AccountUpn, Evidence = strcat(ActionType, " / ", LogonType), Detail = tostring(RemoteIP);
let Network = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessAccountUpn =~ InvestigationAccount
| where RemotePort in (3389, 445, 5985, 5986)
| project Timestamp, EventType = "Network connection", DeviceName, AccountUpn = InitiatingProcessAccountUpn, Evidence = tostring(RemotePort), Detail = tostring(RemoteIP);
let Processes = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountUpn =~ InvestigationAccount
| project Timestamp, EventType = "Process execution", DeviceName, AccountUpn, Evidence = FileName, Detail = ProcessCommandLine;
union Logons, Network, Processes
| order by Timestamp asc

How to read the lateral movement timeline

A strong timeline should explain where the attacker started, what account was used and which systems were accessed next.
Source before destinationIdentify the device where suspicious activity started before following the account to other machines.
Authentication before executionA remote logon followed by PowerShell, cmd or admin share activity is stronger than either signal alone.
Protocol before payloadRDP, SMB or WinRM activity can show how the attacker reached the next device.
One timeline, not isolated queriesThe goal is to combine logon, identity, network and process telemetry into one defensible story.

Real-world investigation

This is the type of scenario defenders may face when a workstation compromise becomes a broader incident.
The first clueA user workstation records a successful logon from an account that normally only signs in during business hours.
The second deviceThe same account authenticates to a file server minutes later using a remote logon pattern.
The admin pathDeviceNetworkEvents shows connections over SMB and WinRM to systems the user does not normally administer.
The execution evidenceDeviceProcessEvents shows PowerShell running shortly after the remote connection.
The patternNo single event proves the full incident, but the sequence shows movement from one device to another.
The conclusionThe investigation confirms suspected lateral movement and requires containment, account reset, device isolation and privileged access review.

Investigation checklist

Use this checklist when reviewing suspected lateral movement in Microsoft Defender XDR.
Account identifiedConfirm the account involved and whether it is a normal user, service account or privileged account.
Devices mappedList every source and destination device touched during the investigation window.
Logon type reviewedCheck whether the logon pattern suggests interactive, remote interactive, network or service activity.
Protocols inspectedReview RDP, SMB, WinRM and other remote administration traffic.
Processes checkedLook for PowerShell, cmd, WMI, PsExec-style execution, scheduled tasks and encoded commands.
Timeline completedDocument the sequence from initial device activity to each destination system.

Related Agent Foskett Academy lessons

DeviceLogonEvents InvestigationsUnderstand device logon telemetry and how endpoint authentication evidence appears in Defender XDR.
IdentityLogonEvents InvestigationsReview identity sign-in behaviour and compare identity evidence with endpoint activity.
DeviceNetworkEvents InvestigationsInvestigate outbound and internal network connections from Defender endpoint telemetry.
DeviceProcessEvents InvestigationsAnalyse process execution, command lines and parent-child process relationships.
Building a Complete Phishing InvestigationSee how email activity can lead into endpoint execution and follow-on investigation.
Correlating EmailEvents with DeviceProcessEventsPractise correlating user-facing events with endpoint execution evidence.
Microsoft Defender KQL Threat Hunting GuideUse the broader GEMXIT Defender KQL guide for hunting across email, identity and endpoint data.

Coming next

Lesson 82 continues the investigation by focusing on PowerShell attacks and suspicious command-line evidence.
Lesson 82 — Investigating PowerShell AttacksNext, Agent Foskett investigates PowerShell execution, encoded commands, suspicious parent processes and attacker automation.
Why this mattersLateral movement often leads to remote PowerShell, scripted discovery and payload execution. Lesson 82 follows that evidence deeper.

Final thought

Lateral movement is not always loud. Sometimes it looks like a valid user successfully signing in to the wrong places at the wrong time.
Agent Foskett mindsetDo not stop at the first compromised device. Follow the account, follow the protocol, follow the process and prove the movement path.
The timeline told the storyWhen the events are placed in order, lateral movement becomes easier to explain, contain and remediate.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating Lateral Movement in Microsoft Defender XDR

Agent Foskett Academy Lesson 81 teaches defenders how to investigate lateral movement in Microsoft Defender XDR.

Defender XDR lateral movement investigation workflow

This lesson explains how DeviceLogonEvents, IdentityLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, AccountUpn, LogonType, RemoteIP, RemotePort, RDP, SMB, WinRM and PowerShell activity help defenders reconstruct lateral movement across devices.