Seeing the Attack Path Before the Breach — Graph Analytics in Microsoft Sentinel
KQL tells you what happened. Graph tells you what's possible. Here's how blast radius visualization, hunting graphs, and relationship traversal change the way SOCs scope incidents and find lateral movement.
KQL answers these questions well: Did this user sign in from this IP? Was this file accessed? Did this process run on this device?
There's a different class of security question that KQL handles poorly: Can this user reach this key vault — through any combination of group memberships, role assignments, and application permissions, including indirect paths through intermediary accounts they don't even know they have access through?
That question is a graph question. It requires relationship traversal across multiple hops, not row-level filtering.
Graph analytics in Microsoft Sentinel — enabled by the data lake and the unified SecOps platform — adds that capability to the toolset. This article covers what's available today, how it changes incident investigation, and where the capability is heading with preview features.
Why tabular queries miss relationship-based attacks
Consider this T7 scenario: a third-party vendor identity authenticates to your tenant. It's been accessing the same set of SharePoint sites it always accesses. No anomaly. No alert. Conditional access doesn't flag it because the access pattern looks normal.
What your tabular telemetry doesn't show: that vendor identity was added six months ago to a resource group. The resource group has a role assignment that includes a custom role. That custom role, through a permission chain that nobody mapped deliberately, includes read access to a production key vault containing application secrets.
The vendor account is three hops from your key vault through legitimate relationship paths that accumulated over months. A KQL query on sign-in logs returns one normal authentication event. A graph traversal from that identity returns the full access chain — every resource reachable from that starting point, direct and indirect.
That's the gap graph analytics closes.
Blast radius and hunting graph (GA with Sentinel data lake)
Once your Sentinel workspace has the data lake enabled, two graph capabilities become available in the Defender XDR portal without additional configuration or preview enrollment. Both are generally available.
Blast radius graph — When you're working an incident in the Defender XDR portal, the incident graph now shows two things simultaneously: the current confirmed breach scope (what entities are known to be involved) and the possible future lateral movement paths from any compromised entity in the graph. One visualization, two time horizons: what happened and what could happen next.
In practice this changes incident prioritization. An analyst looking at a compromised user identity can see immediately — from the blast radius visualization — whether that identity has reachable paths to domain controllers, key vaults, or customer data repositories. The answer shapes the urgency and scope of the containment action. You're not making containment decisions based on what you know the attacker has done. You're making them based on what they can do.
Hunting graph — In the advanced hunting interface, the hunting graph provides interactive graph traversal alongside your KQL results. When a query surfaces a suspicious user or device, you can pivot directly to a visual exploration of that entity's relationships: who else can the user reach, what group memberships create unexpected access, which devices share a network segment with the compromised endpoint.
This is the manual analyst version of the graph MCP tool workflows. The hunting graph is the interactive exploration interface; the MCP tools are the agent-accessible API. Both draw from the same relationship data enabled by the data lake tier.
Using graph analytics for T7, T10, and T11
The blueprint identifies three specific threat-graph intersections where graph traversal changes the detection outcome.
T7 — Third-party and access broker exploitation
Static Entra identity reviews — quarterly access reviews, PIM role reports — miss multi-hop privilege paths. A vendor identity that reaches a production key vault through three intermediate group memberships generates zero alert in any security tool until the vault is accessed.
Graph traversal makes the path visible before the access event. Specifically: run exposure_perimeter (preview) against any sensitive resource to return every identity that can reach it, including indirect paths. You'll find relationships that access review processes never surface because they span multiple configuration layers.
For active T7 incidents: run blast_radius against the vendor identity to scope what it can reach. This replaces 30-90 minutes of manual privilege enumeration — reading role assignments, following group memberships, tracing service principal access chains — with a query that returns the full scope in seconds.
T10 — Insider threat and privileged user abuse
Insider threat at the pattern level — gradual privilege expansion over weeks and months — is systematically underdetected by tabular UEBA baselines. The reason: no single event in the buildup is anomalous. A role assignment added in January isn't interesting. A group membership change in March isn't interesting. By June, the cumulative scope of access created by ten months of small additions creates significant blast radius. But the tabular alert history shows ten routine administrative events, not a trend.
A materialized identity graph (preview) — updated on a daily or hourly schedule — detects this pattern structurally. As permissions accumulate and the blast radius grows, the graph score changes. Centrality analysis identifies accounts that have become unexpected intermediaries in the access topology: accounts that now sit between a large number of identities and critical resources because of accumulated group memberships.
Departing employee forensics benefits directly from this. The question "what did this person have access to" takes minutes with graph traversal and hours without it.
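As an added example (not Sentinel's own code and not the graph MCP tools themselves), the traversal logic behind the blast_radius and exposure_perimeter queries described under T7, plus the drift check the T10 passage calls for, run over a constructed identity graph. Every identity, group, role and resource name below is made up.

```python
from collections import deque

# Constructed sample identity graph (not real tenant data): directed edges of
# (source, relationship, target), mirroring the article's T7 scenario of a vendor
# identity that reaches a production key vault only through chained memberships.
EDGES = [
    ("vendor-svc@partner.example", "MemberOf", "grp-contractors"),
    ("grp-contractors", "MemberOf", "grp-automation-readers"),
    ("grp-automation-readers", "HasRole:CustomAutomationReader", "rg-prod-automation"),
    ("rg-prod-automation", "Contains", "kv-prod-app-secrets"),
    ("alice@corp.example", "MemberOf", "grp-platform-admins"),
    ("grp-platform-admins", "HasRole:Owner", "rg-prod-automation"),
    ("spn-deploy-agent", "MemberOf", "grp-automation-readers"),
    ("bob@corp.example", "MemberOf", "grp-helpdesk"),
    ("grp-helpdesk", "HasRole:Reader", "rg-dev-sandbox"),
]

def _index(edges):
    """Forward and reverse adjacency maps: node -> [(relationship, neighbour)]."""
    fwd, rev = {}, {}
    for src, rel, dst in edges:
        fwd.setdefault(src, []).append((rel, dst))
        rev.setdefault(dst, []).append((rel, src))
    return fwd, rev

def _bfs(adj, start):
    """Breadth-first traversal returning {node: shortest path from start}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [rel, nxt]
                queue.append(nxt)
    del paths[start]
    return paths

def blast_radius(edges, identity):
    """Everything the identity can reach, direct or indirect, with the path used."""
    return _bfs(_index(edges)[0], identity)

def exposure_perimeter(edges, resource):
    """Every principal (node with no inbound edge) that can reach the resource."""
    _, rev = _index(edges)
    return sorted(n for n in _bfs(rev, resource) if n not in rev)

def radius_drift(before, after, identity):
    """Targets newly reachable after a change: the signal tabular baselines miss,
    because the single edge that was added looks like routine administration."""
    return sorted(set(blast_radius(after, identity)) - set(blast_radius(before, identity)))
```

A sign-in query for vendor-svc@partner.example returns one normal row; blast_radius returns the full chain to kv-prod-app-secrets, and adding one routine group nesting edge makes the vault reachable for bob@corp.example, which radius_drift reports.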
T11 — AI agent infrastructure attacks
Over-permissioned agent service principals create blast radius risk that identity reviews don't surface. An agent service principal with a managed identity, assigned to a resource group for legitimate automation purposes, may have transitive access to a key vault or a storage account through the resource group's role assignments.
That's T11 blast radius: the attacker who exploits an XPIA (cross-prompt injection) vulnerability against the agent doesn't need to steal credentials. The agent's own authorized identity becomes the attack vector. Scope how far the agent identity can reach with blast_radius before you deploy agent identities to production. Treat the blast radius output as the authorization boundary: if the agent doesn't need access to something in the radius graph, remove the permission.
Custom graphs (preview)
Two types of custom graphs are available via preview enrollment, both from December 2025.
Ephemeral custom graphs — constructed from data lake telemetry for a single investigation, used for analysis, discarded. No persistent storage. The use cases: lateral movement chain reconstruction (graph user logons against source IPs and target systems across a 30-day incident window), TTP investigation (map observed events against expected attacker progression from MITRE ATT&CK), supply chain attack scope (graph CI/CD pipeline execution against developer credentials).
The practical impact is lateral movement chain reconstruction. When you have an incident that involves multiple compromised accounts or devices, standard incident investigation requires manually building a timeline of which account accessed which system. A custom investigation graph constructs that relationship map automatically from the telemetry — surfacing credential reuse chains and access pivots that are invisible in tabular queries.
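An added example, not code from the article or from Sentinel: reconstructing a lateral movement chain from constructed logon telemetry the way an ephemeral investigation graph would, where each hop must start from the host the previous hop reached and occur later in time. Hostnames, accounts and timestamps are all constructed.

```python
from collections import defaultdict

# Constructed logon telemetry (not real sign-in logs): (time, account, source host,
# target host). Zero-padded ISO-style times compare chronologically as strings.
LOGONS = [
    ("2025-12-01T09:02", "jsmith", "ws-042", "srv-file01"),
    ("2025-12-01T09:15", "jsmith", "ws-042", "srv-print01"),
    ("2025-12-01T09:40", "svc-backup", "srv-file01", "srv-db01"),
    ("2025-12-01T10:05", "svc-backup", "srv-db01", "srv-dc01"),
    ("2025-12-01T10:30", "mlee", "ws-117", "srv-file01"),
]

def build_logon_graph(events):
    """Directed graph keyed by source host: host -> [(time, account, target host)]."""
    graph = defaultdict(list)
    for time, account, src, dst in sorted(events):
        graph[src].append((time, account, dst))
    return graph

def movement_chains(events, start_host):
    """Maximal time-respecting paths out of start_host. Each hop must originate from
    the host the previous hop reached and occur after that previous logon, which is
    what turns a pile of unrelated sign-in rows into a pivot chain."""
    graph = build_logon_graph(events)
    chains = []

    def walk(host, after, path):
        visited = {start_host} | {hop[3] for hop in path}
        nxt = [e for e in graph.get(host, []) if e[0] > after and e[2] not in visited]
        if not nxt:
            if path:
                chains.append(path)
            return
        for time, account, dst in nxt:
            walk(dst, time, path + [(time, account, host, dst)])

    walk(start_host, "", [])
    return chains

def chain_hosts(chain):
    """Hosts in traversal order, e.g. workstation -> file server -> DB -> DC."""
    return [chain[0][2]] + [hop[3] for hop in chain]

def chain_accounts(chain):
    """Distinct credentials used along the chain; a switch mid-chain is a credential
    pivot worth scoping with the blast radius of the second account."""
    return sorted({hop[1] for hop in chain})
```

A tabular query filtered on jsmith returns two rows and never mentions srv-dc01; the chain walk from ws-042 shows the credential switch on srv-file01 and the path to the domain controller, while the later mlee logon is correctly excluded because nothing departs srv-file01 after it.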
Materialized custom graphs — persistent graph datasets stored in the graph database, updated on a configurable schedule. The primary use case is an enterprise identity knowledge graph: continuously mapping relationships across Entra ID, on-premises Active Directory, and SaaS platforms. As credentials, groups, and permissions evolve, the graph updates. Continuous blast radius scoring for all identities runs against the current state.
The key capability this enables that nothing else does: detecting the gradual buildup of privilege overlap that insider threat actors exploit over months. The tabular UEBA query sees ten routine events. The materialized graph sees the access topology that resulted from those ten events combined — and scores the change.
For MSSP and multi-tenant deployments, materialized graphs provide continuous exposure monitoring across the tenant portfolio rather than per-incident investigation replay.
Preview enrollment
The graph MCP tools and custom graph capabilities require preview enrollment. Check current status and enroll at learn.microsoft.com/azure/sentinel/datalake/sentinel-graph-overview.
Preview features can change behavior between now and general availability. Verify current feature state before building production agent workflows that depend on graph MCP tool behavior. The blast radius graph and hunting graph in the Defender XDR portal are both generally available — no preview enrollment needed, just the data lake tier enabled.
Executive Summary for Security Leadership
KQL-based detection catches known-bad patterns in event streams. Graph analytics reveals structural risk — access paths that exist as attack vectors even before any attacker action, including multi-hop privilege chains that no single administrative event creates visibly.
The blast radius visualization in incidents changes containment prioritization from evidence-based (what did the attacker do?) to path-based (what can they do next?). Containment decisions made on path visibility are faster and more complete than those made after the lateral movement has already occurred.
Third-party and vendor identity risk is the highest-value immediate application. Graph traversal surfaces vendor access chains that quarterly access reviews miss because the paths span multiple configuration layers. Exposure perimeter analysis against your most sensitive resources will surface relationships your current process isn't finding.
Materialized custom graphs (preview) address the insider threat detection gap that tabular UEBA cannot close. Gradual privilege accumulation over months produces no individual anomalous event — it produces a changed graph topology. Continuous blast radius scoring makes the drift visible before it becomes a breach.
This quarter: enable the data lake tier (prerequisite for all graph capabilities), then use the blast radius visualization in one active incident to scope containment. That's the practical first step. Preview enrollment for MCP tools and custom graphs can follow once the foundation is in place.
What's next
The series is now eight articles deep. You have the threat model, the tool map, the log architecture, the agent automation layer, the SIEM architecture foundation, the migration playbook, the hunting program, and the graph analytics layer.
The last article in this series is about measurement: how to know if any of this is actually working, and what the numbers should look like at 30, 60, and 90 days after implementation.
Article 8: Measuring What Matters — SOC Metrics for the Agentic Era
This article is part of the Threat-Informed Defense Series: The Agentic SOC. See the pillar article for the complete framework.