Credential Theft Hunt and Anomaly Validation
by People Tech Group Inc
Automatically correlates endpoint, identity, and network logs to validate credential theft alerts.
The Credential Theft Hunt & Anomaly Validation Agent acts as a virtual Tier 1 SOC analyst, automatically investigating credential theft alerts to determine if they are real incidents or false positives.
This agent targets the "alert fatigue" problem. Instead of surfacing a single, noisy event (such as a process opening a handle to LSASS memory) as its own alert, it hunts for related evidence across your Microsoft Sentinel workspace and only escalates when that evidence corroborates a real attack.
Key Features
- Automated Correlation: Connects the dots between suspicious endpoint telemetry (from Defender XDR), identity anomalies (from Entra ID), and lateral movement (new RDP/SMB connections).
- High-Fidelity Incidents: Cuts noise by creating a high-confidence incident in Sentinel only when multiple, related pieces of evidence from different sources are found.
- Reduces Analyst Workload: Automatically performs the initial hunt, provides a full Markdown summary, and reduces Mean Time to Detect (MTTD).
How It Works
When an alert is triggered or on a scheduled hunt, the agent runs a series of KQL queries to find correlated events, including:
- Suspicious processes (mimikatz.exe, procdump.exe)
- Anomalous sign-ins (Impossible Travel, new device)
- New outbound RDP or SMB connections
If a strong correlation is found, the agent calculates a confidence score and creates an enriched incident for your team to review.
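The correlation described above, written out as an added KQL hunting query; this is an illustrative example, not the agent's own query. It assumes the Defender XDR connector populates the DeviceProcessEvents and DeviceNetworkEvents tables and the Entra ID connector populates SigninLogs, that the endpoint account name matches the UPN prefix used in sign-in logs, and that "new" RDP/SMB connections means destinations not seen from that host in the prior 30 days. The 40/30/30 weights and the 70-point threshold are arbitrary illustrative choices.

```kql
// Added example, not the agent's own query. Assumed tables: DeviceProcessEvents,
// DeviceNetworkEvents (Defender XDR) and SigninLogs (Entra ID).
let lookback = 24h;
let baseline = 30d;
let dump_tools = dynamic(["mimikatz.exe", "procdump.exe"]);
// 1. Endpoint evidence: credential-dumping tooling by name, or command lines
//    that reference LSASS / sekurlsa regardless of the binary name.
let endpoint = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (dump_tools)
        or ProcessCommandLine has_any ("sekurlsa", "lsass")
    | extend AccountName = tolower(AccountName)
    | summarize FirstSeen = min(Timestamp), DumpTools = make_set(FileName, 5)
        by DeviceName, AccountName;
// 2. Identity evidence: risky sign-ins for the same account. Assumes the
//    endpoint AccountName equals the UPN prefix (user@domain -> user).
let identity = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")
        or RiskEventTypes has_any ("impossibleTravel", "unfamiliarFeatures")
    | extend AccountName = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | summarize RiskySignins = count(), RiskTypes = make_set(RiskEventTypes, 5)
        by AccountName;
// 3. Lateral-movement evidence: successful outbound RDP/SMB to a destination
//    this host did not talk to during the baseline window (leftanti join).
let lateral = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemotePort in (3389, 445)
    | join kind=leftanti (
        DeviceNetworkEvents
        | where Timestamp between (ago(baseline) .. ago(lookback))
        | where RemotePort in (3389, 445)
        | distinct DeviceName, RemoteIP, RemotePort
      ) on DeviceName, RemoteIP, RemotePort
    | summarize NewLateralConns = dcount(RemoteIP), Targets = make_set(RemoteIP, 10)
        by DeviceName;
// 4. Correlate on the endpoint hit and score. A single source never reaches
//    the threshold; two independent sources are required to raise an incident.
endpoint
| join kind=leftouter identity on AccountName
| join kind=leftouter lateral on DeviceName
| extend RiskySignins = coalesce(RiskySignins, 0),
         NewLateralConns = coalesce(NewLateralConns, 0)
| extend Confidence = 40
    + iff(RiskySignins > 0, 30, 0)
    + iff(NewLateralConns > 0, 30, 0)
| where Confidence >= 70
| project FirstSeen, DeviceName, AccountName, DumpTools,
          RiskySignins, RiskTypes, NewLateralConns, Targets, Confidence
| order by Confidence desc
```

Two caveats a practitioner should keep in mind when adapting this. Matching on FileName alone is trivially evaded by renaming the binary, which is why the endpoint stage also keys on command-line content; in practice you would add the LSASS handle-access telemetry mentioned above rather than relying on tool names. The "new device" sign-in signal from the feature list is not included here because it needs a per-user baseline of DeviceDetail values, which this single query does not build.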