Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

mukul975/Anthropic-Cybersecurity-Skills|Updated May 25, 2026

Works with

Claude CodeCursorClineWindsurfCodex

Installation Guide

Select your AI agent

How to use detecting-azure-lateral-movement on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your machine
›Node.js 16+ with npm — verify with node --version
›Active project directory where you want to add detecting-azure-lateral-movement

Run the install command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/detecting-azure-lateral-movement

Fetches detecting-azure-lateral-movement from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

Select Cursor when prompted

The CLI shows a list of agents. Use arrow keys and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ────────────────

│ · Cline · Codex · Goose · Windsurf

│ ●Cursor(selected)

│ · Cursor · Aider · Continue

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/detecting-azure-lateral-movement

Restart Cursor to activate detecting-azure-lateral-movement. Access via /detecting-azure-lateral-movement in your agent's command palette.

⚠

Security Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.

›View source on GitHub ›Skills CLI docs ›About Cursor ›What are agent skills?

Documentation

List & Monetize Your Skill

Submit your Claude Code skill and start earning

Get started →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

✓

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

✓

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

✓

Improve work quality by 30-40% with less effort

Overview

Lateral movement in Azure AD/Entra ID differs from on-premises environments. Attackers pivot through OAuth application consent grants, service principal abuse, cross-tenant access policies, and stolen refresh tokens rather than SMB/RDP connections. Detection requires correlating Microsoft Graph API audit logs, Azure AD sign-in logs, and Entra ID protection risk events using KQL queries in Microsoft Sentinel. This skill covers building detection analytics for common Azure lateral movement techniques including application impersonation, mailbox delegation abuse, and conditional access policy bypasses.

When to Use

When investigating security incidents that require detecting azure lateral movement

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Azure subscription with Microsoft Sentinel workspace configured

Azure AD P2 or Entra ID P2 license for risk-based sign-in detection

Microsoft Graph API permissions: AuditLog.Read.All, Directory.Read.All, SecurityEvents.Read.All

Log Analytics workspace ingesting AuditLogs, SigninLogs, and AADServicePrincipalSignInLogs

Familiarity with KQL (Kusto Query Language)

Steps

Step 1: Configure Log Ingestion

Enable diagnostic settings to stream Azure AD logs to Log Analytics:

Sign-in logs (interactive and non-interactive)

Audit logs (directory changes, app consent)

Service principal sign-in logs

Provisioning logs

Risky users and risk detections

Step 2: Build Detection Queries

Create KQL analytics rules in Sentinel for:

Unusual service principal credential additions

OAuth application consent grants to unknown apps

Cross-tenant sign-ins from new tenants

Token replay from different IP/user-agent combinations

Mailbox delegation changes (FullAccess, SendAs)

Step 3: Correlate Events

Chain multiple low-confidence indicators into high-confidence lateral movement detections by correlating sign-in anomalies with directory changes within time windows.

Step 4: Automate Response

Create Sentinel playbooks (Logic Apps) to automatically revoke suspicious OAuth grants, disable compromised service principals, and enforce step-up authentication.

name	detecting-azure-lateral-movement
description	Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.
domain	cybersecurity
subdomain	cloud-security
tags	- azure - entra-id - lateral-movement - sentinel - kql - graph-api - cloud-security - threat-hunting
version	'1.0'
author	mahipal
license	Apache-2.0
nist_csf	- PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01

detecting-azure-lateral-movement

Installation Guide

How to use detecting-azure-lateral-movement on Cursor

Prerequisites

Run the install command

Select Cursor when prompted

Verify installation

Security Notice

Documentation

List & Monetize Your Skill

Use Cases

Task Automation & Efficiency

Knowledge Enhancement

Quality Improvement

Install Skill

Detecting Azure Lateral Movement

Overview

When to Use

Prerequisites

Steps

Step 1: Configure Log Ingestion

Step 2: Build Detection Queries

Step 3: Correlate Events

Step 4: Automate Response

Expected Output

Implementation Guide

Best Practices

When to Use This

Learning Path

Related Skills

performing-cryptographic-audit-of-application

implementing-soar-playbook-with-palo-alto-xsoar

exploiting-deeplink-vulnerabilities

analyzing-network-traffic-with-wireshark

generating-threat-intelligence-reports

scanning-docker-images-with-trivy

Reviews

Discussion