Listen to this Post

Introduction:
Cybersecurity defenders are drowning in data but starving for context. Traditional security information and event management (SIEM) systems present data in flat tables, making it nearly impossible to visualize complex relationships like lateral movement paths or privilege escalation chains. Microsoft Sentinel’s new public preview of custom graphs, announced on April 1st, addresses this gap by allowing organizations to model their unique infrastructure and run advanced graph analytics to uncover hidden attack paths, blast radiuses, and choke points that traditional queries miss.
Learning Objectives:
- Understand how to model organizational relationships using custom graphs in Microsoft Sentinel.
- Learn to identify blast radius, privilege chains, and anomalies through graph analytics.
- Implement graph-based hunting techniques to preemptively block attacker lateral movement.
You Should Know:
1. Building Your First Custom Graph in Sentinel
Custom graphs in Sentinel allow you to define nodes (entities like users, devices, IPs) and edges (relationships like “logs into,” “owns,” “contains”). This feature moves beyond simple log aggregation to relationship mapping.
Step‑by‑step guide:
- Navigate to Microsoft Sentinel > Threat Management > Custom Graphs (Public Preview).
2. Click Create New Graph.
- Define your Node Entities: Select tables (e.g.,
IdentityInfo,DeviceInfo,AlertEvidence). For instance, map users from `IdentityLogonEvents` and devices fromDeviceNetworkEvents. - Define Relationships (Edges): Use KQL to define connections. Example: If a user logs into a device (
IdentityLogonEvents), create an edgeUserA --logs into--> DeviceB. - Run Graph Analytics: Sentinel will generate a visual graph. Click on nodes to expand blast radius or identify choke points—nodes with high connectivity that, if compromised, would expose the environment.
-
Advanced Graph Analytics with Kusto Query Language (KQL)
To extract maximum value, you must leverage KQL’s graph operators. The `make-graph` operator allows you to construct graphs directly from your logs.
Linux/Windows Command Context:
While Sentinel operates in the cloud, the data originates from endpoints. To ensure your graph data is accurate, verify source logs:
- On Windows (PowerShell): Ensure security log collection for logon events.
Verify security log status wevtutil gl security Enable verbose logon tracking if needed auditpol /set /subcategory:"Logon" /success:enable /failure:enable
- On Linux: Verify auditd is capturing logons.
sudo auditctl -l | grep logins sudo ausearch -m USER_LOGIN -ts recent
KQL Example for Privilege Chains:
IdentityLogonEvents | where TimeGenerated > ago(7d) | join kind=inner (AlertEvidence) on AccountUpn | make-graph AccountUpn --> DeviceName with (LogonType) | graph-path from AccountUpn to DeviceName with max-depth=5 | project source, target, path, risk_score
This query builds a graph of who logged into what and cross-references it with alerts, then traces the path a compromised account could take to reach a critical device.
3. Identifying Blast Radius and Chokepoints
Once the graph is built, you can run specific analytics to identify weak spots.
Step‑by‑step guide for blast radius:
- Run a graph query focusing on a specific compromised entity (e.g.,
[email protected]). - Use the `graph-explore` function to expand all connected nodes.
- Filter for “High Value Assets”: Overlay your asset criticality data (e.g., tables containing “Domain Controllers” or “Finance DBs”).
- Calculate Degree Centrality: Identify nodes with the highest number of connections. A user with 500+ device logons is a massive blast radius risk. A choke point might be a jump server that connects to all production servers.
Mitigation Commands (Windows/Linux):
If a choke point (e.g., a jump box) is identified, harden it immediately.
– Windows (Firewall rules to limit inbound connections):
New-NetFirewallRule -DisplayName "Block Unauthorized JumpBox Access" -Direction Inbound -LocalPort 3389 -Protocol TCP -Action Block -RemoteAddress "10.0.0.0/24"
– Linux (IPTables to restrict access to critical node):
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j DROP
- Integrating Custom Graphs with Microsoft Defender for Endpoint (MDE)
Sentinel custom graphs are most powerful when combined with MDE data. You can model the relationship between alerts and devices to visualize full attack sequences.
Configuration:
Ensure MDE connector is enabled in Sentinel.
KQL Graph for Attack Path Visualization:
AlertEvidence | where TimeGenerated > ago(2d) | where AlertName contains "Lateral movement" | make-graph DeviceName --> DeviceName with (AlertName) // This shows movement between hosts | graph-explore
This creates a visual representation of how an attacker is moving from one machine to another, effectively showing the live attack path.
5. API Security and Cloud Hardening with Graphs
Custom graphs aren’t limited to endpoints. You can model relationships between Azure resources, service principals, and user identities to detect cloud misconfigurations.
Step‑by‑step guide for cloud hardening:
- Ingest Azure Activity Logs and Microsoft Entra ID (Azure AD) sign-in logs.
- Build a graph where Service Principal –> Azure Resource (with role assignments).
3. Query for Privilege Escalation Paths:
AzureActivity | where OperationName contains "Create Role Assignment" | make-graph User --> Resource with (RoleDefinition) | graph-walk where source has "admin"
4. Hardening: Use Azure CLI to remove unused high-privilege roles.
az role assignment list --assignee "[email protected]" --output table az role assignment delete --assignee "[email protected]" --role "Contributor" --scope "/subscriptions/xxxx"
6. Tutorial: Automating Graph-Based Anomaly Detection
To operationalize this, create analytics rules that trigger on graph anomalies.
Tutorial:
1. Create a Custom Analytics Rule in Sentinel.
- Use the `graph-diff` operator to compare the current graph state (last 1 hour) to a baseline (last 7 days).
3. Rule Logic:
let baseline = (LogData | make-graph ... | summarize by Relationship); let current = (LogData | make-graph ... | summarize by Relationship); current | where Relationship !in (baseline) // New connections not seen before
4. Set the rule to trigger an incident when a new, high-value relationship appears (e.g., a low-privilege user suddenly logging into a domain controller).
What Undercode Say:
- Visualization is Critical: Flat tables obscure attacker movement. Graph analytics in Sentinel transform raw telemetry into intuitive attack maps, significantly reducing mean time to detect (MTTD).
- Proactive vs. Reactive: By modeling “blast radius” before an incident, defenders can prioritize patching or isolating choke points, shifting from reactive incident response to proactive threat exposure management.
- Integration is Key: The true value of custom graphs is realized when you combine identity, endpoint, and cloud data. Siloed data sources yield incomplete graphs; unified analytics yield true situational awareness.
Prediction:
The introduction of custom graphs marks a fundamental shift in SIEM technology. Over the next 12-18 months, we predict that graph analytics will become the standard for threat hunting, rendering traditional correlation rules obsolete. Organizations that adopt these custom modeling capabilities will achieve a 50-60% faster identification of attack paths, enabling them to isolate threats before ransomware can propagate. As AI integrates with these graph structures, we will soon see automated “kill path” generation, where Sentinel not only shows the path but also recommends and executes automated remediation steps to sever those connections in real-time.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Markolauren Sentinelplatform – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


