Identify and remediate attack paths

Defender for Cloud's contextual security capabilities help security teams reduce the risk of impactful breaches. Defender for Cloud uses environment context to perform a risk assessment of your security issues, identifying the biggest security risks and distinguishing them from less risky issues.

Attack path analysis helps you address the security issues that pose immediate threats and have the greatest potential of being exploited in your environment. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach your environment, and highlights the security recommendations that need to be resolved to mitigate them.

You can check out the full list of Attack path names and descriptions.

Availability

Release state: Preview

Prerequisites:
- Enable agentless scanning, or enable Defender for Servers Plan 1 (which includes Microsoft Defender Vulnerability Management, MDVM) or Defender for Servers Plan 2 (which includes MDVM and Qualys).
- Enable Defender CSPM.
- Enable Defender for Containers and install the relevant agents to view attack paths that are related to containers. This also lets you query container data plane workloads in the cloud security explorer.

Required plans: Defender Cloud Security Posture Management (CSPM) enabled

Required roles and permissions: Security Reader, Security Admin, Reader, Contributor, Owner

Clouds: Commercial clouds (Azure, AWS); Commercial clouds (GCP); National (Azure Government, Azure China 21Vianet)

Features of the attack path overview page

The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths.

Screenshot of a sample attack path homepage.

On this page you can sort your attack paths by name, environment, path count, and risk category.

For each attack path you can see all of the risk categories and any affected resources.

The potential risk categories include credential exposure, compute abuse, data exposure, and subscription and account takeover.

Learn more about the cloud security graph, attack path analysis, and the cloud security explorer.

Investigate and remediate attack paths

You can use Attack path analysis to locate the biggest risks to your environment and to remediate them.

To investigate and remediate an attack path:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Recommendations > Attack paths.

    Screenshot that shows where the icon is on the recommendations page to get to attack paths.

  3. Select an attack path.

    Screenshot that shows a sample of attack paths.

    Note

    An attack path may have more than one path that is at risk. The path count will tell you how many paths need to be remediated. If the attack path has more than one path, you will need to select each path within that attack path to remediate all risks.

  4. Select a node.

    Screenshot of the attack path screen that shows you where the nodes are located for selection.

  5. Select Insight to view the associated insights for that node.

    Screenshot of the insights tab for a specific node.

  6. Select Recommendations.

    Screenshot that shows you where to select recommendations on the screen.

  7. Select a recommendation.

  8. Follow the remediation steps to remediate the recommendation.

  9. Select other nodes as needed and view their insights and recommendations.

Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list.
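The path count, per-node insights and recommendations in the steps above are easier to reason about on a concrete graph. The following Python script is an added example, not Microsoft's code or data, and not how Defender for Cloud computes attack paths internally: it builds a small constructed cloud security graph (resource names, insights, recommendations and edges are all made up for illustration), enumerates every path from an internet-exposed entry point to a resource holding sensitive data, and shows that hardening the node on only one path leaves the other path open, which is the point of the note about selecting each path. Treating a remediated node as removed from the graph is a simplifying assumption.

```python
from itertools import chain

# Constructed cloud security graph (illustrative only, not Defender for Cloud data).
# Each node carries the insights an attacker could use, the recommendations that
# would remove them, and the risk categories the page lists.
NODES = {
    "vm-web-01": {
        "insights": ["exposed to the internet", "has high-severity vulnerabilities"],
        "recommendations": ["Remediate vulnerabilities", "Restrict inbound access via NSG"],
        "risk": {"compute abuse"},
    },
    "identity-web": {
        "insights": ["managed identity with Storage Blob Data Reader on stg-customer"],
        "recommendations": ["Apply least-privilege role assignment"],
        "risk": {"credentials exposure"},
    },
    "key-vault-01": {
        "insights": ["stores a connection string for stg-customer readable by vm-web-01"],
        "recommendations": ["Restrict Key Vault access with RBAC and a private endpoint"],
        "risk": {"credentials exposure"},
    },
    "stg-customer": {
        "insights": ["contains sensitive data"],
        "recommendations": ["Disable public network access"],
        "risk": {"data exposure"},
    },
}

# Directed edges: "an attacker positioned on X can reach Y" (constructed).
EDGES = {
    "vm-web-01": ["identity-web", "key-vault-01"],
    "identity-web": ["stg-customer"],
    "key-vault-01": ["stg-customer"],
    "stg-customer": [],
}


def find_attack_paths(edges, entry, target):
    """Enumerate every simple path from an entry node to the target (depth-first)."""
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(list(trail))
            return
        for nxt in edges.get(node, []):
            if nxt not in trail:  # simple paths only, no cycles
                trail.append(nxt)
                walk(nxt, trail)
                trail.pop()

    walk(entry, [entry])
    return paths


def path_count(edges, entry, target):
    """The 'path count' shown on the attack path page for this entry/target pair."""
    return len(find_attack_paths(edges, entry, target))


def risk_categories(path):
    """Union of the risk categories of every node on one path."""
    return set().union(*(NODES[n]["risk"] for n in path))


def recommendations_for(nodes):
    """Recommendations for the given nodes, in order, without duplicates."""
    recs = []
    for n in nodes:
        for rec in NODES[n]["recommendations"]:
            if rec not in recs:
                recs.append(rec)
    return recs


def all_recommendations(paths):
    """What a 'view all recommendations for this attack path' list would contain."""
    return recommendations_for(chain.from_iterable(paths))


def remaining_paths(edges, entry, target, remediated):
    """Paths still open after the given nodes are hardened.

    Simplifying assumption: a fully remediated node drops out of the graph."""
    if entry in remediated:
        return []
    pruned = {n: [m for m in nbrs if m not in remediated]
              for n, nbrs in edges.items() if n not in remediated}
    return find_attack_paths(pruned, entry, target)


if __name__ == "__main__":
    entry, target = "vm-web-01", "stg-customer"
    paths = find_attack_paths(EDGES, entry, target)
    print(f"path count: {len(paths)}")
    for p in paths:
        print(" -> ".join(p), "| risk:", sorted(risk_categories(p)))
        print("   recommendations:", recommendations_for(p))
    print("all recommendations:", all_recommendations(paths))
    print("after hardening key-vault-01 only:",
          remaining_paths(EDGES, entry, target, {"key-vault-01"}))
```

Hardening key-vault-01 alone leaves the identity-web path open, while remediating the entry node closes every path; the attack path page expresses the same thing through its path count, and the "all recommendations" list is the union across paths.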

View all recommendations with attack path

Attack path analysis also lets you see, and resolve, all recommendations for an attack path without checking each node individually.

To resolve all recommendations:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Recommendations > Attack paths.

  3. Select an attack path.

  4. Select Recommendations.

    Screenshot that shows where to select on the screen to see the attack path's full list of recommendations.

  5. Select a recommendation.

  6. Follow the remediation steps to remediate the recommendation.

Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list.

External attack surface management (EASM)

An external attack surface is the entire area of an organization or system that is susceptible to an attack from an external source. An organization's attack surface is made up of all the points of access that an unauthorized person could use to enter its systems. The larger your attack surface is, the harder it is to protect.

While you are investigating and remediating an attack path, you can also view your EASM if it is available and you have enabled Defender EASM on your subscription.

Note

To manage your EASM, you must deploy the Defender EASM Azure resource to your subscription. Defender EASM has its own cost and is separate from Defender for Cloud. To learn more about Defender EASM pricing options, check out the pricing page.

To manage your EASM:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Recommendations > Attack paths.

  3. Select an attack path.

  4. Select a resource.

  5. Select Insights.

  6. Select Open EASM.

    Screenshot that shows where on the screen to select Open Defender EASM.

  7. Follow the Using and managing discovery instructions.

Next Steps

Learn how to Build queries with cloud security explorer.