Tutorial: Investigate a user

Note

The Azure ATP features explained on this page are also accessible using the new portal.

Azure ATP alert evidence and lateral movement paths provide clear indications when users have performed suspicious activities, or when there are indications that their account has been compromised. In this tutorial, you'll use the investigation suggestions to help determine the risk to your organization, decide how to remediate, and determine the best way to prevent similar future attacks.

  • Gather information about the user.
  • Investigate activities that the user performed.
  • Investigate resources the user accessed.
  • Investigate lateral movement paths.

Check and investigate the user profile for the following details and activities:

  1. Who is the user?

    1. Is the user a sensitive user (an admin, an account on a watchlist, and so on)?
    2. What is their role within the organization?
    3. Are they significant in the organizational tree?
  2. Suspicious activities to investigate:

    1. Does the user have other open alerts in Azure ATP, or in other security tools such as Windows Defender ATP, Azure Security Center, and/or Microsoft CAS?
    2. Did the user have failed logons?
    3. Which resources did the user access?
    4. Did the user access high value resources?
    5. Was the user supposed to access the resources they accessed?
    6. Which computers did the user log in to?
    7. Was the user supposed to log in to those computers?
    8. Is there a lateral movement path (LMP) between the user and a sensitive user?
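The checklist above can be applied mechanically to logon and resource-access telemetry before an analyst looks at the alert. The following script is an added example, not part of this tutorial or of Azure ATP; it runs the questions (failed logons, high-value resources, activity outside the user's expected set, and a simple lateral movement path check) over constructed sample events and constructed reference data (`HIGH_VALUE`, `EXPECTED`, `ADMIN_ON`, `LOGGED_ON`), all of which are assumptions standing in for real inventory and sign-in data.

```python
# Constructed sample events for one user (not real telemetry):
# kind is "logon" (to a computer) or "access" (to a resource), ok is success/failure.
EVENTS = [
    {"user": "jsmith", "kind": "logon", "target": "WS-042", "ok": True},
    {"user": "jsmith", "kind": "logon", "target": "WS-042", "ok": False},
    {"user": "jsmith", "kind": "logon", "target": "WS-042", "ok": False},
    {"user": "jsmith", "kind": "logon", "target": "WS-042", "ok": False},
    {"user": "jsmith", "kind": "logon", "target": "SRV-FIN01", "ok": True},
    {"user": "jsmith", "kind": "access", "target": "payroll-share", "ok": True},
    {"user": "jsmith", "kind": "access", "target": "team-share", "ok": True},
]

# Constructed reference data (assumptions): which users and assets are sensitive,
# and what each user is expected to touch in normal work.
SENSITIVE_USERS = {"da-admin"}
HIGH_VALUE = {"SRV-FIN01", "payroll-share"}
EXPECTED = {"jsmith": {"WS-042", "team-share"}}
# Simplified lateral movement path model: where the user holds local admin,
# and which sensitive users have sessions on those hosts.
ADMIN_ON = {"jsmith": {"WS-042"}}
LOGGED_ON = {"WS-042": {"da-admin"}}


def triage(user, events, failed_threshold=3):
    """Return a list of findings answering the tutorial's triage questions."""
    findings = []
    mine = [e for e in events if e["user"] == user]

    # Did the user have failed logons?
    failed = sum(1 for e in mine if e["kind"] == "logon" and not e["ok"])
    if failed >= failed_threshold:
        findings.append(f"{failed} failed logons")

    # Which computers and resources did the user successfully reach?
    hosts = {e["target"] for e in mine if e["kind"] == "logon" and e["ok"]}
    resources = {e["target"] for e in mine if e["kind"] == "access" and e["ok"]}
    touched = hosts | resources

    # Did the user access high-value resources? Were they supposed to?
    for asset in sorted(touched & HIGH_VALUE):
        findings.append(f"high-value asset touched: {asset}")
    for asset in sorted(touched - EXPECTED.get(user, set())):
        findings.append(f"outside expected set: {asset}")

    # Is there a lateral movement path from this user to a sensitive user?
    for host in sorted(ADMIN_ON.get(user, set())):
        for s in sorted(LOGGED_ON.get(host, set()) & SENSITIVE_USERS):
            findings.append(f"LMP: admin on {host} where sensitive user {s} logged on")
    return findings
```

Each finding maps back to one question in the list above, so an empty result means none of the checklist conditions fired for the constructed data.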

See Also