This chapter covers Microsoft Defender for Cloud's Attack Path Analysis, a powerful feature that visualizes how an attacker could chain multiple security weaknesses to compromise critical cloud resources. For the AZ-500 exam, this topic appears in approximately 5-10% of questions, primarily in the Security Operations domain (objective 4.1). You will need to understand what attack paths are, how they are generated, how to interpret them, and how to use them to prioritize remediation. This chapter gives you the technical depth to answer both conceptual and scenario-based questions confidently.
Imagine a large office building with multiple floors, each floor having several offices, conference rooms, and server closets. A security guard patrols the building every night, checking doors, windows, and access logs. The guard doesn't just note that a door is unlocked; they also check whether any windows are open, whether the alarm system is disabled, or whether a suspicious device is plugged into a network port. The guard's patrol log is a chronological record of all observations, but more importantly, they create an 'attack path map' that shows how an intruder could chain these weaknesses: start from the unlocked parking garage door, take the stairs to the second floor, enter the unlocked server room, and access the mainframe. This map highlights the most critical risks to address first, like reinforcing the server room door. In Azure, Defender for Cloud's Attack Path Analysis works much like this: it inventories your cloud resources, identifies security misconfigurations and vulnerabilities, and then models how an attacker could chain them to reach high-value assets (like a storage account with sensitive data). It doesn't just list issues; it shows the exploitable paths, ranked by risk, so you can prioritize remediation that breaks the chain.
What is Attack Path Analysis in Defender for Cloud?
Attack Path Analysis is a graph-based security feature in Microsoft Defender for Cloud (formerly Azure Security Center) that identifies the most likely routes an attacker could take to compromise your cloud environment. It does not simply list vulnerabilities; it correlates multiple security findings—such as open management ports, high-privileged identities, exposed storage accounts, and missing encryption—into a directed graph that shows the chain of exploitable conditions. The result is a prioritized list of attack paths, each with a risk score, that helps security teams focus on the highest-impact remediations.
Why Attack Path Analysis Exists
Traditional vulnerability management tools present security issues in isolation: a VM has an open SSH port, a storage account is publicly accessible, a SQL database has a weak firewall rule. But attackers rarely exploit a single weakness; they chain multiple weaknesses to achieve their objective. For example, an attacker might:
Exploit an open SSH port on a VM (initial access)
Use the VM's managed identity to access a key vault (privilege escalation)
Retrieve a storage account key from the vault (credential access)
Access a storage container with sensitive data (exfiltration)
Attack Path Analysis automates the discovery of such chains, showing you the full picture. Without it, you might prioritize fixing the open SSH port, but the real danger is the chain that leads to data exfiltration. With attack paths, you see that the critical fix is to restrict the VM's managed identity permissions, which breaks the chain at the privilege escalation step.
How Attack Path Analysis Works Internally
Defender for Cloud continuously collects security data about your Azure resources from Azure Resource Manager metadata, Azure Policy evaluations, agentless scanning, and the findings of the enabled Defender plans. No Log Analytics agent is involved (that agent has been retired). This data includes:
Network configurations (NSG rules, firewall rules, public IPs)
Identity and access management (Azure RBAC role assignments, managed identities, service principals)
Resource configurations (storage account network rules, key vault firewall, SQL server firewall)
Vulnerability assessment results (from Microsoft Defender Vulnerability Management, delivered by agentless scanning or the Defender for Endpoint integration)
Security alerts (from Defender for Cloud's threat detection)
The analysis engine then builds a graph model of your environment. Nodes represent resources (VMs, storage accounts, key vaults, SQL servers, etc.) and edges represent possible attacker actions (e.g., "can connect from VM to storage account via managed identity"). The engine uses a set of predefined attack vectors and a knowledge base of common exploitation techniques to simulate how an attacker could move from an initial entry point (e.g., an internet-facing VM with a vulnerability) to a target (e.g., a storage account with sensitive data).
The simulation is not a live attack—it's a static analysis of configurations and vulnerabilities. It does not trigger any actual changes. The engine runs periodically (typically every 12 hours) and on-demand when you request a refresh. Results are stored in the Defender for Cloud database and displayed in the Azure portal.
Key Components of an Attack Path
Each attack path consists of:
Start node: The initial resource an attacker can access (e.g., a VM with a public IP and an open management port).
End node: The target resource with high business impact (e.g., a storage account with sensitive data, a key vault, a SQL database).
Path edges: Each step in the chain, represented as a directed arrow with a description of the action (e.g., "Use managed identity to access storage account").
Risk score: A numerical value (0-100) that combines the severity of the vulnerabilities and the likelihood of exploitation. Higher scores indicate more critical paths.
Affected resources: All resources along the path.
Active alerts: Any security alerts associated with the path.
Path Types and Examples
Defender for Cloud defines several path types based on common attack patterns. The exam focuses on these:
Internet-exposed VM with vulnerable software to storage account: A VM has a public IP, an open port (e.g., SSH or RDP), and a critical vulnerability. The VM also has a managed identity with read access to a storage account. The attack path shows: Internet -> VM (via vulnerability) -> Storage Account (via managed identity).
VM with high-privileged managed identity to key vault: A VM has a managed identity with 'Key Vault Secrets User' role on a key vault. If the VM is compromised, the attacker can read secrets.
Publicly reachable data store: A storage account or SQL server allows network access from all networks (for SQL, 'Allow Azure services and resources to access this server' widens this to any Azure-hosted IP, including other tenants), and a compromised identity or a leaked key has data-plane access to it. The path shows: compromised VM or identity -> data store over the public endpoint.
Container registry with weak credentials to a container instance: A container registry has admin credentials enabled, and a container instance uses an image from that registry. An attacker could steal credentials and push a malicious image.
Risk Scoring Mechanism
The risk score for an attack path is calculated using:
Severity of vulnerabilities (Critical, High, Medium, Low)
Exploitability (whether a known exploit exists, ease of exploitation)
Impact (what the attacker can achieve at the end node)
Number of steps (shorter paths are generally more dangerous)
Active threats (if there are ongoing attacks detected)
The formula is proprietary, but you should know that paths with a score above 70 are considered critical and should be addressed immediately.
Configuration and Verification
Attack Path Analysis is enabled automatically when the Defender CSPM plan is turned on for a subscription (the paid plans were collectively marketed as 'enhanced security features', and before that as Azure Defender). No agent is needed for the analysis itself; it works on resource metadata and agentless scan results. To get the most value, you should also:
Enable vulnerability assessment for VMs, either through agentless scanning (included in Defender CSPM and Defender for Servers Plan 2) or the Microsoft Defender for Endpoint integration.
Enable the Defender workload plans for Servers, Storage, SQL, Key Vault, Containers, etc., so that alerts and plan-specific findings enrich the graph.
Leave agentless scanning for machines switched on in the plan settings so that OS-level vulnerability and secret findings feed the graph; the retired Log Analytics agent is not required.
You can view attack paths in the Azure portal under Defender for Cloud -> Attack Path Analysis. The interface shows a list of paths sorted by risk score, with a visual graph for each path. You can click on any path to see details and recommended remediation steps.
To trigger an on-demand refresh, click the 'Refresh' button. This initiates a new analysis that may take several minutes to complete.
Interaction with Related Technologies
Attack Path Analysis integrates with:
Recommendations, secure score and the regulatory compliance dashboard: each step of a path maps to a recommendation, so fixing it also improves secure score and any compliance standard (e.g., PCI DSS) that references that control.
Microsoft Sentinel: attack path data can be sent to Sentinel through continuous export for correlation with other security events.
Azure Policy: misconfigurations that contribute to attack paths are often also flagged by Azure Policy (e.g., 'Storage accounts should restrict network access').
Just-In-Time (JIT) VM access: enabling JIT closes management ports by default, which removes the internet-facing start node from many attack paths.
Common Misconfigurations That Create Attack Paths
Overly permissive NSG rules: Allowing inbound RDP/SSH from 'Any' (0.0.0.0/0) is a classic start node.
Overly permissive managed identity roles: Assigning 'Contributor' or 'Owner' to a VM's managed identity creates a powerful pivot point.
Public storage accounts: Setting public network access to 'Enabled from all networks' (and leaving shared-key access or anonymous blob access enabled) makes the storage account an easy target.
Key vault with public network access: Disabling the key vault firewall or allowing all networks exposes secrets.
SQL servers with public endpoint: Enabling 'Allow Azure services and resources to access this server' can open the database to all Azure IPs.
Remediation Strategies
When you identify a critical attack path, you should:
1. Break the chain at the most impactful point: Usually, the best point is where the attacker gains privileged access (e.g., remove the managed identity's role assignment).
2. Harden the start node: Close unnecessary ports, apply Just-In-Time access, patch vulnerabilities.
3. Harden the end node: Enable firewall rules, use private endpoints, enable encryption.
4. Monitor for active threats: Check if any security alerts are firing along the path.
Exam Tips
You will not be asked to calculate risk scores manually, but you should know that higher scores mean higher priority.
Know the difference between an attack path and a security alert: an alert indicates an ongoing or past attack; an attack path is a potential future attack scenario.
Attack paths are not real-time; they are based on periodic analysis (every 12 hours by default).
You can export attack path data to Sentinel for advanced hunting.
The exam may present a scenario with multiple misconfigurations and ask which attack path is most critical—look for the path that ends at a high-value asset (e.g., key vault with secrets) and has a short chain.
Step-by-step: Viewing and Interpreting an Attack Path
Navigate to Defender for Cloud in the Azure portal.
Under 'Cloud Security', select 'Attack path analysis'.
The dashboard shows a list of attack paths, sorted by risk score. Each entry shows: risk score, start node, end node, and number of steps.
Click on a path to open the graph view. The graph displays resources as nodes and attacker actions as edges. Hover over a node to see its details (e.g., open ports, role assignments).
Below the graph, there is a 'Remediation' tab that lists recommended actions for each step. Actions are specific Azure CLI or portal steps (e.g., 'Remove the following role assignment: Storage Blob Data Reader from VM1').
To export the path, use the 'Export' button to download a CSV or JSON report.
To refresh the analysis, click 'Refresh' at the top of the page. The refresh may take a few minutes.
PowerShell and Azure CLI Examples
While you cannot directly create attack paths via CLI, you can retrieve information about resources that contribute to paths. For example, to list all VMs with public IPs and open ports:
Get-AzNetworkInterface | Where-Object { $_.NetworkSecurityGroup -and $_.IpConfigurations.PublicIpAddress } | ForEach-Object {
    $nicName = $_.Name
    # The NSG may live in a different resource group than the NIC, so take both names from its resource ID
    $nsgId = $_.NetworkSecurityGroup.Id
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName ($nsgId.Split('/')[4]) -Name ($nsgId.Split('/')[-1])
    # Inbound allow rules whose source is the whole Internet ('*', 'Internet' or 0.0.0.0/0) mark a start node
    $nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.SourceAddressPrefix -in @('*', 'Internet', '0.0.0.0/0') } |
        Select-Object @{ n = 'Nic'; e = { $nicName } }, Name, DestinationPortRange
}
To check a VM's managed identity for high-privilege role assignments, including those inherited from the resource group or subscription:
az role assignment list --assignee <vm-principal-id> --include-inherited --output table
But for the exam, focus on understanding the concept and the portal interface.
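To triage what that command returns, here is an added Python example (not part of this chapter or of the Azure CLI). The sample JSON is constructed in the shape of the CLI's `-o json` output with fake subscription, resource and principal values, and the severity rules (privileged role plus broad scope is worst) are this example's own assumptions, not a Microsoft rating:

```python
import json

# Roles that grant control-plane write or permission-management rights over everything in scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample in the shape of `az role assignment list --assignee <id> --include-inherited -o json`
# (fake subscription, resource group, resource and principal values; field names are the CLI's).
SAMPLE = json.dumps([
    {"principalName": "vm-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "vm-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
    {"principalName": "vm-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
              "/providers/Microsoft.Storage/storageAccounts/stimages"},
])

def scope_level(scope):
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if parts[:1] == ["providers"]:           # /providers/Microsoft.Management/managementGroups/<mg>
        return "managementGroup"
    if len(parts) <= 2:                      # /subscriptions/<id>
        return "subscription"
    if len(parts) <= 4:                      # /subscriptions/<id>/resourceGroups/<rg>
        return "resourceGroup"
    return "resource"

def rate(assignment):
    """Severity of one assignment: privileged roles are worst; a broad (inherited) scope makes any role worse."""
    role, level = assignment["roleDefinitionName"], scope_level(assignment["scope"])
    broad = level != "resource"
    if role in PRIVILEGED_ROLES:
        return "critical" if broad else "high"
    return "medium" if broad else "low"      # data-plane role inherited across many resources

def triage(raw_json):
    """Return (severity, role, scope level, scope) for each assignment, worst first."""
    rows = [(rate(a), a["roleDefinitionName"], scope_level(a["scope"]), a["scope"])
            for a in json.loads(raw_json)]
    return sorted(rows, key=lambda r: ORDER[r[0]])

if __name__ == "__main__":
    for sev, role, level, scope in triage(SAMPLE):
        print(f"{sev:8} {role:30} {level:15} {scope}")
```

Pipe the real CLI output into `triage()` instead of `SAMPLE`; the assignment to look at first is the Contributor role inherited at subscription scope, which is exactly the pivot point that turns a compromised VM into a path to every resource in the subscription.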
Enable Enhanced Security Features
Attack Path Analysis requires the Defender CSPM plan to be enabled on your subscription. This is done under 'Environment settings' -> 'Defender plans'. The workload plans (Defender for Servers, Storage, SQL, Key Vault, Containers, etc.) are optional but enrich the graph with vulnerability findings and alerts. Once Defender CSPM is enabled, Defender for Cloud begins collecting security data from your resources through Azure Resource Manager metadata, Azure Policy, and agentless scanning. This data includes network configurations, identity permissions, vulnerability assessments, and security alerts. The analysis engine uses this data to build a graph model of your environment. Without Defender CSPM, Attack Path Analysis will not generate any paths.
Data Collection and Graph Building
Defender for Cloud continuously collects metadata from Azure Resource Manager, Azure Policy compliance data, vulnerability assessment results, and security alerts. This data is aggregated into a graph database where each resource (VM, storage account, key vault, etc.) is a node, and each potential interaction (e.g., 'VM can read from storage account via managed identity') is an edge. The graph is updated periodically (every 12 hours by default) and on-demand when you manually refresh. The graph does not contain actual data—only metadata about configurations and permissions. The size of the graph depends on the number of resources and the complexity of permissions. For large environments, the analysis may take longer.
Simulate Attacker Movement
The analysis engine uses a set of predefined attack vectors (e.g., 'Exploit vulnerable VM', 'Use managed identity', 'Access over public network') to simulate how an attacker could move from an entry point to a high-value target. The simulation is a static analysis—it does not actually attempt to exploit anything. It checks for conditions like: Is there an internet-facing VM with a critical vulnerability? Does that VM have a managed identity with a role assignment to a storage account? Is that storage account publicly accessible? If all conditions are met, an attack path is created. The engine evaluates all possible combinations and ranks them by risk score.
Risk Scoring and Prioritization
Each attack path receives a risk score from 0 to 100. The score is calculated based on the severity of vulnerabilities along the path, the ease of exploitation, the potential impact on the target resource, and the number of steps. For example, a path that starts with a VM having a critical RCE vulnerability and ends at a key vault with secrets will have a higher score than a path that starts with a low-severity misconfiguration and ends at a less sensitive resource. Paths with scores above 70 are marked as critical. The scoring is proprietary, but you should understand the factors that influence it. The exam may ask you to compare two paths and determine which is more critical based on these factors.
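The graph model, the path components, the scoring factors and the "break the chain" guidance described in this chapter, as an added illustrative Python example. This is not Defender for Cloud's code: the resource names, the mapping from role assignments to graph edges, and the scoring weights are all assumptions chosen to mirror the factors the chapter lists, and the formula is not Microsoft's proprietary one. It enumerates paths from the internet to sensitive targets over a constructed inventory, scores them, ranks which single edge breaks the most critical paths, and re-runs the analysis after two remediations (the equivalent of refreshing after a change):

```python
# Toy cloud security graph: added illustration, not Defender for Cloud's code. Resource names,
# the role-to-edge mapping and the scoring weights below are assumptions for this example.

SEVERITY = {"critical": 40, "high": 30, "medium": 15, "low": 5}
MGMT_PORTS = {22, 3389}
# Roles giving a compromised identity data-plane access to a target (illustrative subset).
DATA_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor", "Key Vault Secrets User", "Contributor", "Owner"}
# Roles allowing command execution on another VM (Run Command): lateral movement.
LATERAL_ROLES = {"Virtual Machine Contributor", "Contributor", "Owner"}

# Constructed inventory (fake names). "max_vuln" is the worst vulnerability finding on the VM.
VMS = {
    "vm-web":   {"public_ip": True,  "open_ports": {22, 443}, "max_vuln": "critical", "principal": "mi-web",   "alert": False},
    "vm-jump":  {"public_ip": True,  "open_ports": {3389},    "max_vuln": "high",     "principal": "mi-jump",  "alert": False},
    "vm-batch": {"public_ip": False, "open_ports": {22},      "max_vuln": "medium",   "principal": "mi-batch", "alert": False},
}
TARGETS = {
    "st-txlogs": {"public_network": True,  "sensitive": True},
    "kv-prod":   {"public_network": False, "sensitive": True},
    "st-images": {"public_network": True,  "sensitive": False},
}
ROLE_ASSIGNMENTS = [  # (principal, role, scope)
    ("mi-web",   "Storage Blob Data Contributor", "st-txlogs"),
    ("mi-web",   "Reader",                        "kv-prod"),    # control plane only: no data edge
    ("mi-web",   "Virtual Machine Contributor",   "vm-batch"),
    ("mi-jump",  "Virtual Machine Contributor",   "vm-batch"),
    ("mi-batch", "Key Vault Secrets User",        "kv-prod"),
    ("mi-web",   "Storage Blob Data Reader",      "st-images"),
]

def build_graph(vms, targets, assignments):
    """Directed edges (src, dst, action); 'internet' is the only entry point."""
    edges = [("internet", vm, "reach open management port on public IP")
             for vm, cfg in vms.items() if cfg["public_ip"] and cfg["open_ports"] & MGMT_PORTS]
    owner = {cfg["principal"]: vm for vm, cfg in vms.items()}   # managed identity -> VM
    for principal, role, scope in assignments:
        src = owner.get(principal)
        if src and scope in targets and role in DATA_ROLES:
            edges.append((src, scope, f"use managed identity with {role}"))
        elif src and scope in vms and role in LATERAL_ROLES:
            edges.append((src, scope, f"run commands on VM via {role}"))
    return edges

def find_paths(edges, targets, start="internet", max_nodes=5):
    """Depth-first enumeration of simple paths from the entry point to every sensitive target."""
    out = {}
    for src, dst, _ in edges:
        out.setdefault(src, []).append(dst)
    paths = []
    def walk(node, path):
        if targets.get(node, {}).get("sensitive"):
            paths.append(path)
        if len(path) < max_nodes:
            for nxt in out.get(node, []):
                if nxt not in path:
                    walk(nxt, path + [nxt])
    walk(start, [start])
    return paths

def risk_score(path, vms, targets):
    """Illustrative weighting of the chapter's factors; not Microsoft's proprietary formula."""
    entry, target = path[1], path[-1]
    score = SEVERITY.get(vms[entry]["max_vuln"], 0) + 10      # how easily the entry falls
    score += 40 if targets[target]["sensitive"] else 15       # impact at the end node
    score += 10 if targets[target]["public_network"] else 0   # reachable over a public endpoint
    score += 10 if vms[entry]["alert"] else 0                 # active threat on the entry
    score -= 5 * (len(path) - 3)                              # each extra hop lowers the score
    return max(0, min(100, score))

def analyse(vms=VMS, targets=TARGETS, assignments=ROLE_ASSIGNMENTS, critical_above=70):
    """Scored paths, highest first, split into critical (> threshold) and the rest."""
    edges = build_graph(vms, targets, assignments)
    scored = sorted(((risk_score(p, vms, targets), p) for p in find_paths(edges, targets)), reverse=True)
    return [x for x in scored if x[0] > critical_above], [x for x in scored if x[0] <= critical_above]

def rank_cuts(critical_paths):
    """Edges ordered by how many critical paths removing them breaks (ties: most risk removed)."""
    count, risk = {}, {}
    for score, path in critical_paths:
        for edge in zip(path, path[1:]):
            count[edge] = count.get(edge, 0) + 1
            risk[edge] = risk.get(edge, 0) + score
    return sorted(((e, count[e], risk[e]) for e in count), key=lambda t: (-t[1], -t[2], t[0]))

def remove_role(assignments, principal, scope):   # remediation: drop one role assignment
    return [a for a in assignments if not (a[0] == principal and a[2] == scope)]

def close_port(vms, vm, port):                      # remediation: JIT/NSG closes a management port
    copy = {name: dict(cfg) for name, cfg in vms.items()}
    copy[vm]["open_ports"] = copy[vm]["open_ports"] - {port}
    return copy

if __name__ == "__main__":
    crit, rest = analyse()
    for score, path in crit + rest:
        print(f"{score:3d}  {' -> '.join(path)}")
    print("best cuts:", rank_cuts(crit)[:2])
    crit2, _ = analyse(close_port(VMS, "vm-web", 22), TARGETS,
                       remove_role(ROLE_ASSIGNMENTS, "mi-batch", "kv-prod"))
    print("critical paths after remediation:", len(crit2))
```

On this inventory the three paths all score above 70, and the two best cuts tie at two paths each: the internet-facing management port on vm-web (the start node) and the Key Vault Secrets User assignment on vm-batch (the privilege-escalation edge). Removing only the role assignment leaves the direct path to the transaction-log storage account, so both remediations are needed before the re-run returns no paths; that is the "refresh and verify" step the chapter describes.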
Display and Remediation Recommendations
The attack paths are displayed in the Azure portal under Defender for Cloud -> Attack path analysis. Each path shows a visual graph with nodes and edges. Clicking on a path reveals detailed information about each step, including the specific misconfiguration or vulnerability. A 'Remediation' tab provides step-by-step instructions to fix each issue, often with Azure CLI commands or portal steps. For example, if a path involves a VM with an open management port, the remediation might be to 'Create a Just-In-Time access rule for this VM'. The goal is to break the chain at the most effective point. You can also export the path data to CSV or JSON for reporting.
Scenario 1: Financial Services Company with PCI DSS Compliance
A large financial services company uses Azure to host a payment processing application. The application consists of VMs running a web server, a SQL database, and a storage account for transaction logs. The security team is required to maintain PCI DSS compliance. They enable Defender for Cloud and regularly review attack paths. One day, they find a critical attack path: an internet-facing VM (web server) has a critical remote code execution vulnerability and its managed identity has the 'Storage Blob Data Contributor' role on the storage account containing transaction logs. The path score is 85. The team quickly patches the VM (breaking the initial access) and also removes the managed identity's write permission to the storage account (breaking the privilege escalation). They also enable Just-In-Time access to close the management port. After the next analysis run, the path no longer appears. Without Attack Path Analysis, they might have only patched the VM, missing the fact that the managed identity could be used to exfiltrate logs. The team now has a monthly review of attack paths as part of their compliance process.
Scenario 2: Healthcare Provider with HIPAA Requirements
A healthcare provider runs an electronic health records (EHR) system on Azure Kubernetes Service (AKS). They store patient data in an Azure SQL database and encryption keys in an Azure Key Vault. They enable Defender for Cloud and find an attack path: a container in AKS has a vulnerability that allows privilege escalation, and the AKS cluster's managed identity has 'Key Vault Secrets User' role on the key vault. The path score is 92. The security team realizes that if an attacker compromises the container, they can read encryption keys and then decrypt the SQL database. They immediately restrict the AKS managed identity permissions to only the specific secrets needed, and they also enable network restrictions on the key vault to block public access. They also update the container image to patch the vulnerability. This scenario highlights the importance of least privilege for managed identities, even for AKS clusters.
Scenario 3: E-commerce Company with High Traffic
An e-commerce company uses Azure for its online store. They have multiple VMs behind a load balancer, a storage account for product images, and a Cosmos DB for user profiles. They notice a medium-risk attack path: a storage account is configured to allow access from 'All networks', and a VM has a managed identity with the 'Reader' role on that storage account. The path score is 45. While not critical, the team decides to remediate by enabling the storage account firewall and restricting access to the application's virtual network through a service endpoint or private endpoint. They also remove the managed identity's role assignment, since the VM doesn't need to read product images directly (it uses a CDN). This proactive measure prevents a potential data breach. In production, keep in mind that attack path analysis runs periodically (every 12 hours), so changes to permissions may not be reflected immediately. The team uses the on-demand refresh after making changes to verify that the path is eliminated.
Common Pitfalls in Production
Overlooking managed identities: Many organizations give VMs or AKS clusters broad permissions (like 'Contributor') for convenience, creating dangerous attack paths.
Not refreshing after changes: After remediating, you must manually refresh to see if the path is gone. The automatic refresh may take up to 12 hours.
Ignoring low-score paths: While critical paths should be prioritized, low-score paths can become critical if combined with other changes. Regular review is essential.
Misunderstanding the graph: Some teams think the graph shows actual attacks, but it only shows potential paths. No actual exploitation occurs.
What AZ-500 Tests on Attack Path Analysis
The AZ-500 exam objective 4.1 states: 'Configure and manage security monitoring and automation solutions in Azure, including Microsoft Defender for Cloud.' Within this, Attack Path Analysis is a specific sub-topic. The exam tests your ability to:
Identify what Attack Path Analysis is and its purpose.
Interpret attack path graphs and prioritize remediation.
Understand the prerequisites (enhanced security features enabled).
Know the integration with other Defender for Cloud features (e.g., vulnerability assessment, JIT VM access).
Recognize scenarios where attack paths exist and how to break them.
Common Wrong Answers and Why Candidates Choose Them
'Attack Path Analysis shows real-time attacks': This is false. Attack paths are static analyses of configurations and vulnerabilities, not live attacks. Candidates choose this because they confuse 'attack path' with 'security alert'. Remember: alerts are real-time; attack paths are potential future paths.
'You need to install an agent on every VM for Attack Path Analysis': False. The analysis works on metadata from Azure Resource Manager, Azure Policy and agentless scanning; no agent is required, and the Log Analytics agent that older study material mentions has been retired. Candidates overestimate the agent requirement because vulnerability data once depended on an agent; today it comes from agentless scanning or the Defender for Endpoint integration.
'Attack paths are automatically remediated': No, they only provide recommendations. You must manually remediate. Candidates assume automation because Defender for Cloud has auto-remediation for some policies, but not for attack paths.
'Risk score is based only on vulnerability severity': Wrong. It also considers exploitability, impact, number of steps, and active threats. Candidates often simplify the scoring.
Specific Numbers and Terms to Memorize
Default refresh interval: 12 hours.
Risk score scale: 0-100, with >70 considered critical.
Prerequisite: The Defender CSPM plan must be enabled on the subscription.
Integration: Can export to Microsoft Sentinel.
Edge Cases and Exceptions
Attack paths can exist even without any vulnerabilities: For example, if a storage account is publicly accessible and a VM has a managed identity with read access, but the VM has no vulnerabilities, the path still exists because the attacker could compromise the VM through other means (e.g., weak admin password). The exam may test that vulnerabilities are not strictly required.
Attack paths may not appear immediately after enabling enhanced security: The first analysis runs within 12 hours. If you need immediate results, you must manually refresh.
Attack paths are scoped to a subscription: They do not cross subscription boundaries. If a managed identity in Subscription A can access a resource in Subscription B, that path may not be shown unless you have cross-subscription visibility enabled (which is not default).
How to Eliminate Wrong Answers
If an answer says 'real-time' or 'live attack', it is likely wrong.
If an answer claims automatic remediation, it is wrong.
If an answer says attack paths require no prerequisites, it is wrong (enhanced security must be on).
If an answer says attack paths only consider vulnerabilities, it is wrong (they also consider permissions and network configurations).
Use the underlying mechanism: Attack Path Analysis is a static graph-based analysis of configurations and vulnerabilities. It does not execute any code, does not run continuously, and does not fix issues. It provides a prioritized list of potential attack chains.
Attack Path Analysis is a static, graph-based feature that models how an attacker could chain multiple security weaknesses.
It requires the Defender CSPM plan to be enabled on the subscription.
The analysis runs automatically every 12 hours and can be manually refreshed.
Risk scores range from 0 to 100; scores above 70 are considered critical.
Attack paths are not real-time; they do not detect ongoing attacks.
You can export attack path data to Microsoft Sentinel for advanced correlation.
To break an attack path, focus on the most impactful step (e.g., removing a privileged role assignment).
These come up on the exam all the time. Here's how to tell them apart.
Aspect | Attack Path Analysis | Security Alerts
What it is | Static analysis of configurations and vulnerabilities | Real-time detection of ongoing or past attacks
What it shows | Potential future attack chains | Actual malicious activity
Scoring | Risk score based on severity, exploitability, impact | Severity based on the actual threat
Timing | Updated every 12 hours (or on-demand) | Generated in near real-time as attacks occur
Output | Remediation recommendations to break the chain | Steps to investigate and respond to the alert
Mistake
Attack Path Analysis shows ongoing attacks in real time.
Correct
Attack Path Analysis is a static analysis of configurations and vulnerabilities. It does not detect active attacks. It models potential attack paths that could be exploited in the future. Real-time attacks are shown in Security Alerts.
Mistake
You must have the Log Analytics agent installed on all VMs for Attack Path Analysis to work.
Correct
The core attack path analysis uses metadata from Azure Resource Manager, Azure Policy, and network security group rules, and vulnerability findings come from agentless scanning or the Defender for Endpoint integration. No agent is required, and the Log Analytics agent has been retired. You can see many attack paths without installing anything on a VM.
Mistake
Attack paths are automatically remediated by Defender for Cloud.
Correct
Defender for Cloud only provides recommendations and remediation steps. You must manually apply the fixes. There is no auto-remediation for attack paths.
Mistake
The risk score is based solely on the severity of vulnerabilities.
Correct
The risk score combines vulnerability severity, exploitability, potential impact, number of steps, and active threats. A path with multiple low-severity issues can have a high score if the impact is high.
Mistake
Attack Path Analysis only works for VMs and storage accounts.
Correct
It works for many resource types, including VMs, storage accounts, key vaults, SQL databases, container registries, AKS clusters, and more. Any resource that can be part of an attack chain is included.
An attack path is a static, predictive model showing how an attacker could potentially chain misconfigurations and vulnerabilities to compromise a high-value asset. It is based on current configurations and does not indicate ongoing activity. A security alert, on the other hand, is generated when Defender for Cloud detects actual malicious behavior or suspicious activity in real time. Alerts require immediate investigation, while attack paths guide proactive remediation. On the exam, remember that alerts are 'real-time detections' and attack paths are 'potential future paths'.
By default, Attack Path Analysis updates every 12 hours. You can force an immediate update by clicking the 'Refresh' button in the Azure portal under Defender for Cloud -> Attack path analysis. The refresh may take several minutes to complete, depending on the size of your environment. After making changes to your resources (e.g., closing a port or removing a role assignment), use the refresh to verify that the attack path is eliminated.
No, Attack Path Analysis works without agents. It uses metadata from Azure Resource Manager, Azure Policy, network security group rules, and other configurations. To get the most value, turn on agentless scanning for machines (part of Defender CSPM and Defender for Servers Plan 2) or the Microsoft Defender for Endpoint integration so that vulnerability findings feed the graph. Without vulnerability data, attack paths that depend on unpatched software will be missed.
No, Attack Path Analysis is scoped to a single subscription. If a managed identity in Subscription A can access a resource in Subscription B, that path will not be shown in Subscription A's analysis. To get cross-subscription visibility, you would need to use a tool like Microsoft Sentinel that can correlate data from multiple subscriptions. The exam may test this limitation.
A risk score of 85 indicates a critical attack path. Scores above 70 are considered critical and should be addressed as a high priority. The score is calculated based on factors like vulnerability severity, ease of exploitation, potential impact, and number of steps. You should examine the path, identify the most effective remediation point (often the step with the highest impact), and apply the fix. After remediation, refresh the analysis to confirm the path is gone.
In the Azure portal, under Defender for Cloud -> Attack path analysis, select the attack path you want to export. Click the 'Export' button and choose between CSV or JSON format. The export includes details about each step in the path, affected resources, and remediation recommendations. You can also use the Defender for Cloud API to programmatically retrieve attack path data.
Yes, Attack Path Analysis can include AKS clusters and container images. For example, it can identify a container with a vulnerability that allows privilege escalation, and then trace how that container's managed identity can access other resources. However, the depth of analysis depends on the integration with Defender for Containers. Make sure you have the Defender for Containers plan enabled.