Identify and remediate attack paths

Defender for Cloud uses a proprietary algorithm to locate potential attack paths specific to your multicloud environment. Instead of looking for preset attack paths, Defender for Cloud uses its algorithm to detect potential attack paths based on your multicloud security graph. Attack path analysis helps you focus on the most critical security issues that could lead to a breach.

You can use attack path analysis to address security issues that pose immediate threats and have the greatest potential for exploitation in your environment. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. It also highlights the security recommendations you need to resolve to mitigate these issues.

By default attack paths are organized by risk level. The risk level is determined by a context-aware risk-prioritization engine that considers the risk factors of each resource. Learn more about how Defender for Cloud prioritizes security recommendations.

Prerequisites

To view attack paths that are related to containers:

  • You must enable agentless container posture extension in Defender CSPM or

  • You can enable Defender for Containers, and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to query containers data plane workloads in security explorer.

  • Required roles and permissions: Security Reader, Security Admin, Reader, Contributor, or Owner.

Identify attack paths

The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths.

Screenshot of a sample attack path homepage.

You can use Attack path analysis to locate the biggest risks to your environment and to remediate them.

To identify attack paths:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Attack path analysis.

    Screenshot that shows the attack path analysis page on the main screen.

  3. Select an attack path.

  4. Select a node.

    Screenshot of the attack path screen that shows you where the nodes are located for selection.

  5. Select Insight to view the associated insights for that node.

    Screenshot of the insights tab for a specific node.

  6. Select Recommendations.

    Screenshot that shows you where to select recommendations on the screen.

  7. Select a recommendation.

  8. Remediate the recommendation.

Remediate attack paths

Once you're done with your investigation of an attack path and you review all of the associated findings and recommendations, you can start to remediate the attack path.

To remediate an attack path:

  1. Navigate to Microsoft Defender for Cloud > Attack path analysis.

  2. Select an attack path.

  3. Select Remediation.

    Screenshot of the attack path that shows you where to select remediation.

  4. Select a recommendation.

  5. Remediate the recommendation.

Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list.

Remediate all recommendations within an attack path

Attack path analysis grants you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually.

The remediation path contains two types of recommendation:

  • Recommendations - Recommendations that mitigate the attack path.
  • Additional recommendations - Recommendations that reduce the exploitation risks, but don’t mitigate the attack path.

To resolve all recommendations:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Attack path analysis.

  3. Select an attack path.

  4. Select Remediation.

    Screenshot that shows where to select on the screen to see the attack paths full list of recommendations.

  5. Expand Additional recommendations.

  6. Select a recommendation.

  7. Remediate the recommendation.

Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list.

Next Step