SC-200 | Chapter 24 of 101 | Objective 3.2

Defender CSPM and Attack Paths

This chapter covers Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities, with a deep focus on attack path analysis and cloud security graph. These topics are critical for the SC-200 exam, appearing in roughly 15-20% of questions in the 'Manage Cloud Security Posture' domain (Objective 3.2). You will learn how Defender CSPM continuously assesses your cloud environment, identifies misconfigurations, and maps attack paths that combine multiple vulnerabilities into high-risk chains. Mastering these concepts is essential for passing the exam and for real-world cloud security operations.

25 min read
Intermediate
Updated May 31, 2026

Attack Paths as Domino Chains in a Castle

Imagine a medieval castle with multiple concentric walls, each with guards, gates, and locked doors. Defender CSPM is like a master architect who has a complete blueprint of the castle and can see every secret passage, weak mortar joint, and unguarded postern gate. Attack paths are specific sequences of vulnerabilities and misconfigurations that an attacker could exploit to move from the outer bailey to the treasure room. For example, a castle might have a weak outer gate (unpatched VM), a guard who leaves a key under a stone (exposed storage account key), and a servant who can open the inner door (overprivileged managed identity). An attack path analysis identifies that by taking these three steps in order, an attacker can reach the treasure. The CSPM tool continuously scans the blueprint, identifies these chains, and ranks them by risk, allowing the defenders to break the chain by reinforcing the weakest link—perhaps by rotating the key or patching the gate. Without attack path analysis, defenders might focus on patching the outer gate but miss the fact that a different sequence of two other vulnerabilities leads to the same treasure. The tool's graph-based engine models all possible paths, just as the architect would simulate all routes through the castle, and highlights the most critical ones that need immediate attention.

How It Actually Works

What is Defender CSPM?

Defender for Cloud's Cloud Security Posture Management (CSPM) is a set of capabilities that continuously assess your cloud resources against industry-standard security benchmarks (e.g., CIS, NIST, Azure Security Benchmark) and Microsoft's own best practices. It provides a unified view of your security posture across Azure, AWS, and GCP. The core mechanism is the cloud security graph, which models all your cloud resources, their configurations, and the relationships between them (e.g., which VMs are connected to which subnets, which subnets have network security groups, which managed identities have permissions to which storage accounts).

How the Cloud Security Graph Works

The cloud security graph is built by Defender for Cloud agents and scanners that run in your cloud environments. For Azure resources, the scanner uses the Azure Resource Manager API and Azure Policy to collect configuration data. For AWS and GCP, it uses connectors that pull data via their respective APIs (e.g., AWS Config, GCP Cloud Asset Inventory). The graph is updated every 24-48 hours for most resources, but some critical changes trigger near-real-time updates (e.g., a new VM deployment).

The graph stores entities (resources) and edges (relationships). For example:

A VM (entity) is associated with a virtual network (entity) via a 'contains' edge.

A storage account (entity) has a firewall rule (entity) that allows access from a specific subnet.

A managed identity (entity) has a role assignment (entity) that grants 'Contributor' on a resource group.

Each entity and edge is evaluated against security rules (recommendations) defined by Microsoft. A recommendation like 'Storage accounts should restrict network access' checks if the firewall rule allows 'All networks'. If it does, the recommendation is flagged as unhealthy.

Attack Path Analysis

Attack path analysis takes the cloud security graph and applies a graph-based algorithm to find chains of misconfigurations that an attacker could exploit to reach a high-value asset (e.g., a database with sensitive data). The algorithm uses the concept of blast radius and exposure. It starts from an assumed initial compromise (e.g., a public-facing VM with a known vulnerability) and then traverses the graph edges, looking for sequences where each step increases privilege or access.

For example, an attack path might look like:

1. A public-facing VM has a critical vulnerability (CVE-2023-XXXX) — initial compromise.
2. The VM has a managed identity with 'Contributor' on a subscription — privilege escalation.
3. That subscription contains a Key Vault that allows 'All networks' and has soft-delete enabled but not purged — data access.

Each step is a specific recommendation that is unhealthy. The attack path algorithm scores each path based on the number of steps, the severity of each vulnerability, and the value of the target asset. The result is a prioritized list of attack paths that security teams should remediate first.

Key Components and Defaults

Secure Score: A percentage value (0-100%) that reflects your overall posture based on how many recommendations are healthy. Each recommendation has a potential score increase if remediated. For example, 'MFA should be enabled on accounts with owner permissions' might be worth 2 points out of a total of 100.

Recommendations: There are over 500 built-in recommendations for Azure alone. Each has a severity (Low, Medium, High, Critical) and a remediation step. Some recommendations are 'preview' and not included in the secure score.

Cloud Security Graph: Uses Microsoft's Security Graph engine, which is also used in Microsoft 365 Defender. The graph is stored in a partitioned database and is queryable via the Defender for Cloud API.

Attack Paths: Currently in preview as of 2024. The number of attack paths detected depends on the complexity of your environment. Each path is assigned a risk level (Low, Medium, High, Critical) based on the likelihood of exploitation and potential impact.

Configuration and Verification

To enable CSPM, you need to enable Defender for Cloud on your subscription with the 'Cloud Security Posture Management' plan (free tier includes basic CSPM; enhanced CSPM with attack paths requires the 'Defender for Cloud' paid plan). Verification commands:

# Check if CSPM is enabled on a subscription
Get-AzSecurityPricing -Name 'CloudPosture' | Select-Object Name, PricingTier

To view attack paths in the portal: Navigate to Defender for Cloud -> Attack Paths (under 'Cloud Security'). Each attack path shows a visual graph of the steps and the affected resources.

Interaction with Related Technologies

Defender CSPM integrates with:

- Microsoft Sentinel: You can stream CSPM alerts and recommendations to Sentinel for advanced correlation and incident response.
- Azure Policy: Many CSPM recommendations are backed by Azure Policy definitions. Remediating a recommendation often creates a policy assignment that enforces the desired state.
- Microsoft Defender for Cloud Apps: For SaaS applications, CSPM can assess the posture of connected apps (e.g., Office 365, AWS).
- Microsoft Secure Score: The secure score from Defender for Cloud is aggregated into the Microsoft Secure Score in the Microsoft 365 Defender portal.

Attack Path Algorithm Details

The algorithm uses a topological sort of the graph to identify all possible paths from an initial compromise point to a target (e.g., a resource containing sensitive data). It then applies a weighted scoring based on:

- Exploitability: How easy is it to exploit each vulnerability? CVSS scores are used for CVEs.
- Impact: What is the blast radius? Access to a subscription vs. a single VM.
- Number of steps: More steps generally mean lower likelihood, but the algorithm considers that attackers often chain multiple low-severity issues.

The result is a list of paths sorted by risk score (0-100). Paths with score > 70 are considered critical and should be remediated immediately.

Common Misconfigurations Leading to Attack Paths

Overprivileged managed identities: A VM with a managed identity that has 'Contributor' on the entire subscription can escalate to any resource.

Publicly accessible storage accounts: Allowing anonymous access to blob containers.

Unrestricted network access: NSG rules that allow '0.0.0.0/0' on management ports (RDP/SSH).

Missing just-in-time (JIT) access: VMs with RDP open to the internet without JIT.

Soft-delete enabled but not purged: Key Vaults with soft-delete enabled can have secrets recovered by an attacker who gains temporary access.

Exam Tips

The SC-200 exam expects you to understand the difference between CSPM (posture) and CWPP (workload protection). CSPM focuses on configurations, not runtime threats.

Attack paths are a relatively new feature (preview at exam time) but are heavily tested. Know that attack paths use the cloud security graph and are not the same as a list of recommendations.

Secure score is calculated from healthy recommendations. Remediating a recommendation increases your score by a fixed amount. The exam may ask which recommendation gives the highest score increase.

Be able to identify which resources are included in the cloud security graph (Azure, AWS, GCP).

Understand that attack paths can cross cloud providers (e.g., an Azure VM accessing an AWS S3 bucket) if connectors are configured.

Step-by-Step: How an Attack Path is Generated

1. Data Collection: Defender for Cloud agents and scanners collect configuration data from all cloud resources via APIs. This includes resource properties, network rules, role assignments, and installed software.

2. Graph Construction: The collected data is modeled into a graph with entities and edges. Each resource becomes a node, and relationships (e.g., 'contains', 'allows', 'hasRole') become edges.

3. Recommendation Evaluation: Each node/edge is evaluated against security rules. If a rule is violated, a recommendation is flagged as unhealthy. For example, a VM with a public IP and an NSG that allows RDP from any source triggers the recommendation 'Management ports should be closed on VMs'.

4. Attack Path Detection: The attack path engine runs a graph traversal algorithm starting from common initial compromise points (e.g., public-facing VMs, exposed storage accounts). It follows edges where the target has a vulnerability that can be exploited from the source. Each step is a recommendation that is unhealthy. The algorithm continues until it reaches a high-value target (e.g., a database, a Key Vault with certificates).

5. Risk Scoring: Each path is scored based on the severity of each step and the value of the target. The score is calculated as: Score = (sum of step severities) * (target value multiplier). Step severity is based on the recommendation's severity (e.g., Critical = 10, High = 7, Medium = 4, Low = 1). Target value multiplier is 1 for low, 2 for medium, 3 for high, 4 for critical.

6. Prioritization and Display: Paths are sorted by score descending. The top paths are displayed in the portal with a visual graph. Security teams can click on a path to see the specific resources and recommendations involved.

7. Remediation: Each step in an attack path has a remediation action. Remediating any step breaks the path. The tool suggests the most impactful remediation (e.g., removing the public IP from the VM).

8. Continuous Update: The graph is refreshed periodically (every 24-48 hours). After remediation, the next refresh will remove the attack path if the configuration is fixed.

Key Commands and API Calls

To query attack paths via Azure REST API:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/attackPaths?api-version=2023-01-01-preview

To list recommendations:

Get-AzSecurityAssessment | Where-Object {$_.Status.Code -eq 'Unhealthy'}

To get secure score:

Get-AzSecuritySecureScore | Select-Object Name, Percentage

Defaults and Timers

Graph refresh interval: 24 hours for most resources, but some changes (e.g., VM creation) trigger an update within 15 minutes.

Secure score recalculation: After a recommendation is remediated, the score updates within 1 hour.

Attack path detection: Runs every 24 hours after the graph is updated.

Retention: Attack paths are retained for 30 days after detection. If not remediated, they are re-detected at the next scan.

Interaction with Microsoft Sentinel

You can create analytics rules in Sentinel that trigger when an attack path is detected. This allows for automated incident creation and response. For example, a Sentinel playbook can automatically block the public IP of a VM that is part of a critical attack path.

Exam Traps

Trap: Confusing CSPM with CWPP. CSPM is about configuration posture; CWPP is about runtime protection (e.g., file integrity monitoring, adaptive application controls).

Trap: Thinking attack paths are just a list of recommendations. Attack paths are chains of recommendations that form a logical exploit sequence.

Trap: Assuming secure score is linear. Remediating a recommendation gives a fixed point increase, but the total score is a percentage. The exam may ask how much a specific remediation increases the score.

Trap: Forgetting that attack paths can span multiple cloud providers. If you have AWS connector, attack paths can include resources in AWS.

Trap: Overlooking the fact that attack paths are in preview. The exam may mention that some features are preview and not generally available.

Conclusion

Defender CSPM and attack path analysis are powerful tools for understanding and improving your cloud security posture. The cloud security graph provides a holistic view of your environment, and attack paths help you prioritize remediation by showing you the most critical chains of vulnerabilities. For the SC-200 exam, focus on understanding how the graph works, how attack paths are scored, and how to interpret the secure score. Practice with the Azure portal and PowerShell to reinforce these concepts.

Walk-Through

1. Enable Defender for Cloud CSPM

Navigate to the Azure portal and enable Defender for Cloud on your subscription. Under 'Environment settings', select the subscription and ensure the 'Cloud Security Posture Management' plan is turned on. For enhanced CSPM features like attack paths, you need the paid plan (Defender for Cloud P2). Verify using `Get-AzSecurityPricing` in PowerShell. This step is the prerequisite for all subsequent CSPM functionality.

2. Collect Configuration Data via API

Defender for Cloud uses the Azure Resource Manager API to collect resource configurations. It queries all resources in the subscription, including VMs, storage accounts, network security groups, role assignments, and more. For AWS and GCP, it uses connectors that pull data from AWS Config and GCP Cloud Asset Inventory. The data is collected every 24 hours, but changes trigger near-real-time updates (within 15 minutes). This step builds the raw dataset for the cloud security graph.

3. Build the Cloud Security Graph

The collected data is modeled into a graph database. Each resource becomes an entity node, and relationships between resources become edges. For example, a VM is connected to a virtual network via a 'contains' edge; a managed identity has a 'hasRole' edge to a role assignment. The graph is stored in Microsoft's Security Graph engine, which is optimized for security querying. This graph is the foundation for both CSPM recommendations and attack path analysis.

4. Evaluate Recommendations

Each entity and edge is evaluated against over 500 built-in security rules. For example, a rule checks if a storage account's network rule set allows 'All networks'. If the rule is violated, a recommendation is flagged as 'Unhealthy' with a severity (Low, Medium, High, Critical). The recommendation also has a potential secure score increase. The evaluation runs after each graph update. The list of unhealthy recommendations is available in the portal and via API.

5. Detect Attack Paths

The attack path engine runs a graph traversal algorithm starting from common initial compromise points (e.g., public-facing VMs, exposed storage accounts). It follows edges where the target has an unhealthy recommendation that can be exploited from the source. Each step in the path is a specific recommendation. The algorithm continues until it reaches a high-value target (e.g., a database, Key Vault). The result is a list of attack paths with risk scores. This detection runs every 24 hours.

6. Score and Prioritize Attack Paths

Each attack path is assigned a risk score (0-100) based on the severity of each step and the value of the target. Step severity is numeric (Critical=10, High=7, Medium=4, Low=1). Target value is multiplied (Critical=4, High=3, Medium=2, Low=1). The score is the sum of step severities multiplied by the target value multiplier. Paths with score > 70 are critical. The portal displays paths sorted by score, with a visual graph showing the chain of resources.

7. Remediate to Break the Chain

Each step in an attack path has a specific remediation action. For example, removing a public IP from a VM, restricting network access to a storage account, or removing an overprivileged role assignment. Remediating any single step breaks the entire attack path. The tool often suggests the most effective remediation (e.g., the step that is easiest to fix or has the highest impact). After remediation, the next graph refresh will confirm the fix and remove the attack path.
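The detection, scoring and remediation steps above (steps 5 to 7 here, and steps 4 to 7 of the earlier 'How an Attack Path is Generated' list) can be made concrete with a small model. The following Python is an added example, not Microsoft's engine and not any Defender for Cloud API: the resources, edges and most recommendation names are constructed, and the scoring is the chapter's simplified formula (sum of step severities times the target value multiplier, with scores above 70 treated as critical). It also ranks remediations by how many detected paths each unhealthy recommendation appears in, which is the 'path centrality' idea behind the exam trap that the highest-severity finding is not always the best fix.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Numeric weights exactly as the chapter states them.
SEVERITY_POINTS = {"Critical": 10, "High": 7, "Medium": 4, "Low": 1}
TARGET_MULTIPLIER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
CRITICAL_THRESHOLD = 70  # a path scoring above this is treated as critical


@dataclass(frozen=True)
class Resource:
    """One entity node of the toy cloud security graph (constructed data)."""
    name: str
    kind: str
    # (recommendation, severity) flagged unhealthy on this resource, or None if healthy
    unhealthy: Optional[tuple[str, str]] = None
    # value of the resource as an attack target; None means it is not a high-value target
    target_value: Optional[str] = None
    # public-facing resources that the engine uses as initial compromise points
    entry_point: bool = False


@dataclass(frozen=True)
class AttackPath:
    steps: tuple[tuple[str, str, str], ...]  # (resource, recommendation, severity) per step
    target: str
    score: int

    @property
    def critical(self) -> bool:
        return self.score > CRITICAL_THRESHOLD


def score_path(steps, target_value: str) -> int:
    """Score = (sum of step severities) * (target value multiplier)."""
    return sum(SEVERITY_POINTS[sev] for _, _, sev in steps) * TARGET_MULTIPLIER[target_value]


def find_attack_paths(nodes: dict[str, Resource],
                      edges: dict[str, list[tuple[str, str]]]) -> list[AttackPath]:
    """Depth-first traversal from every entry point. An edge is followed only when the
    resource on its far side carries an unhealthy recommendation, and a path ends as soon
    as a high-value target is reached. Returns paths sorted by score, highest first."""
    found: list[AttackPath] = []

    def walk(current: str, visited: frozenset[str], steps: tuple) -> None:
        node = nodes[current]
        if node.target_value is not None:
            found.append(AttackPath(steps, current, score_path(steps, node.target_value)))
            return
        for _relationship, nxt in edges.get(current, []):
            nxt_node = nodes[nxt]
            if nxt in visited or nxt_node.unhealthy is None:
                continue  # healthy resources do not extend a path; visited set avoids cycles
            rec, sev = nxt_node.unhealthy
            walk(nxt, visited | {nxt}, steps + ((nxt, rec, sev),))

    for name, node in nodes.items():
        if node.entry_point and node.unhealthy is not None:
            rec, sev = node.unhealthy
            walk(name, frozenset({name}), ((name, rec, sev),))
    return sorted(found, key=lambda p: p.score, reverse=True)


def rank_remediations(paths: list[AttackPath]) -> list[tuple[tuple[str, str], int]]:
    """Count how many detected paths each unhealthy (resource, recommendation) pair is in.
    Fixing any one step breaks every path containing it, so the first entry is the single
    remediation that breaks the most paths."""
    counts: Counter = Counter()
    for path in paths:
        for resource, rec, _ in path.steps:
            counts[(resource, rec)] += 1
    return counts.most_common()


def sample_graph():
    """Constructed graph: two public VMs share one overprivileged managed identity.
    Recommendation names other than the two the chapter quotes are made up."""
    nodes = {
        "vm-web01": Resource("vm-web01", "VM",
                             ("Management ports should be closed on VMs", "High"), entry_point=True),
        "vm-web02": Resource("vm-web02", "VM",
                             ("VM OS vulnerabilities should be remediated", "Critical"), entry_point=True),
        "mi-webapp": Resource("mi-webapp", "ManagedIdentity",
                              ("Identity should not hold Contributor on the resource group", "High")),
        "kv-prod": Resource("kv-prod", "KeyVault",
                            ("Key Vault should restrict network access", "Medium"), target_value="Critical"),
        "sql-backend": Resource("sql-backend", "SQLDatabase",
                                ("SQL database should use a private endpoint", "Medium"), target_value="High"),
        "st-logs": Resource("st-logs", "StorageAccount",
                            ("Storage accounts should restrict network access", "Medium"), target_value="Medium"),
    }
    edges = {
        "vm-web01": [("hasIdentity", "mi-webapp"), ("allows", "st-logs")],
        "vm-web02": [("hasIdentity", "mi-webapp")],
        "mi-webapp": [("hasRole", "kv-prod"), ("hasRole", "sql-backend")],
    }
    return nodes, edges


def main() -> None:
    nodes, edges = sample_graph()
    paths = find_attack_paths(nodes, edges)
    for p in paths:
        chain = " -> ".join(res for res, _, _ in p.steps)
        print(f"{p.score:3d} {'CRITICAL' if p.critical else 'non-critical':12s} {chain}")
    (resource, rec), n = rank_remediations(paths)[0]
    print(f"Most impactful remediation: '{rec}' on {resource} (breaks {n} of {len(paths)} paths)")


if __name__ == "__main__":
    main()
```

Running it lists five paths (84, 72, 63, 54, 22), two of which exceed the critical threshold. The single Critical-severity finding on vm-web02 sits in only two paths, whereas the High-severity managed-identity finding sits in four of the five, so fixing the identity scope is the remediation that breaks the most chains, which is exactly the prioritisation argument the chapter makes.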

What This Looks Like on the Job

In a large enterprise with thousands of Azure resources, a common scenario is a multi-tier web application deployed across multiple subscriptions. The frontend VMs are exposed to the internet with an NSG that allows HTTP/HTTPS from 0.0.0.0/0. These VMs have a managed identity that, due to a misconfiguration, has 'Contributor' rights on the entire resource group containing the backend database. An attacker who compromises the frontend (e.g., through a web vulnerability) can use the managed identity to access the database. Defender CSPM's attack path analysis would detect this chain: (1) the frontend VM has a public IP and an NSG rule open to the internet, which surfaces as an unhealthy public-exposure recommendation (HTTP/HTTPS are not management ports, so this is a separate finding from 'Management ports should be closed on VMs'); (2) the VM's managed identity holds 'Contributor' on the resource group; (3) that resource group contains the backend database. The attack path would show this sequence and score it as critical. The security team would see this and either remove the public IP (e.g., by fronting the application with Azure Front Door) or restrict the managed identity's permissions to only the necessary scope (e.g., the specific database).

Another scenario involves a company using both Azure and AWS. They have an Azure VM that accesses an AWS S3 bucket using cross-account roles. If the Azure VM's managed identity is overprivileged, an attacker could pivot from Azure to AWS. Defender CSPM with multi-cloud connectors would model this cross-cloud relationship and detect an attack path spanning both clouds. This is a powerful feature that many organizations overlook.

A common misconfiguration that goes wrong is when an organization enables 'Allow trusted Microsoft services to bypass firewall' on a storage account. While this is intended for Azure services, it can be abused if a VM with a managed identity is compromised. Attack path analysis would flag this if the VM has a vulnerability. The recommended fix is to use service endpoints or private endpoints instead of relying on the trusted services bypass.

Performance considerations: The cloud security graph can become large in complex environments. Microsoft recommends using management groups to structure subscriptions and applying policies at the management group level to reduce the number of individual resource configurations. The graph scan runs every 24 hours, which means there is a delay between a misconfiguration and detection. For critical environments, consider using Azure Policy in 'deny' mode to prevent misconfigurations in real time.

When misconfigured, the most common issue is that the CSPM scanner fails to collect data from some resources due to permissions. The scanner needs 'Reader' permission on the subscription. If a resource group is locked or has a custom role that denies read access, the scanner may miss those resources. This leads to incomplete attack paths and a false sense of security. Always verify that the scanner can access all resources by checking the 'Coverage' tab in Defender for Cloud.

How SC-200 Actually Tests This

The SC-200 exam tests Objective 3.2: Manage cloud security posture management. Key areas include:

Understanding the difference between CSPM (configuration) and CWPP (workload protection).

Knowing how secure score is calculated and how to interpret it.

Recognizing attack paths as chains of vulnerabilities, not just individual recommendations.

Identifying which resources are included in the cloud security graph (Azure, AWS, GCP).

Common wrong answers and why:

1. Trap: Attack paths are the same as recommendations. Many candidates think attack paths are just a list of unhealthy recommendations. In reality, attack paths are sequences of recommendations that form a logical exploit chain. The exam may ask: 'What is the difference between a recommendation and an attack path?' The correct answer is that an attack path combines multiple recommendations into a path to a high-value asset.

2. Trap: Secure score is the average of all recommendation severities. The secure score is a percentage of healthy recommendations weighted by their potential score increase. It is not an average. The exam may ask: 'How is secure score calculated?' The answer: It is the sum of points from healthy recommendations divided by the total possible points.

3. Trap: Attack paths are only for Azure. Many candidates forget that Defender CSPM supports AWS and GCP. Attack paths can span multiple clouds. The exam may include a scenario with a multi-cloud environment and ask which tool can detect cross-cloud attack paths.

4. Trap: Remediating the highest severity recommendation always breaks the most attack paths. This is not necessarily true. Remediating a low-severity recommendation that appears in many paths (e.g., a common misconfiguration) might break more paths than a high-severity recommendation that appears in only one path. The exam may test the concept of 'blast radius' and 'path centrality'.

Specific numbers and terms that appear verbatim:

Secure score range: 0% to 100%.

Recommendation severities: Low, Medium, High, Critical.

Attack path risk scores: 0-100, with >70 considered critical.

Graph refresh interval: 24 hours (default).

Supported clouds: Azure, AWS, GCP.

Edge cases:

If a resource is deleted, the graph removes it within 24 hours. Attack paths involving that resource are also removed.

If a recommendation is in 'preview', it does not affect secure score.

Attack paths can include 'container' resources like Azure Kubernetes Service (AKS) clusters.

How to eliminate wrong answers:

If an answer option mentions 'real-time threat detection', it is likely about CWPP, not CSPM.

If an answer option says 'attack paths are generated from a single recommendation', it is incorrect.

If an answer option says 'secure score is based on the number of healthy resources', it is incorrect; it's based on weighted recommendations.

By understanding the underlying graph mechanism and the scoring logic, you can confidently eliminate distractors.

Key Takeaways

Defender CSPM provides a cloud security graph that models resources and their relationships across Azure, AWS, and GCP.

Attack paths are chains of unhealthy recommendations that an attacker could exploit to reach a high-value asset.

Secure score is a percentage (0-100%) calculated from healthy recommendations weighted by their potential point increase.

Attack path risk scores range from 0 to 100; scores above 70 are considered critical.

The cloud security graph is updated every 24 hours by default, with some changes triggering updates within 15 minutes.

Remediating any single step in an attack path breaks the entire chain.

Attack paths can span multiple cloud providers if connectors are configured.

CSPM focuses on configuration, while CWPP focuses on runtime protection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

CSPM (Cloud Security Posture Management)

Focuses on configuration posture and compliance.

Uses cloud security graph to model resources and relationships.

Provides secure score and recommendations for remediation.

Includes attack path analysis to identify chains of vulnerabilities.

Works across Azure, AWS, and GCP.

CWPP (Cloud Workload Protection Platform)

Focuses on runtime protection of workloads (VMs, containers, etc.).

Includes features like file integrity monitoring, adaptive application controls, and just-in-time VM access.

Provides alerts for suspicious activities and vulnerabilities.

Does not model relationships between resources; focuses on individual workload security.

Primarily for Azure, with some support for AWS (e.g., threat protection for AWS).

Watch Out for These

Mistake: Attack paths are just a list of unhealthy recommendations.
Correct: Attack paths are sequences of multiple recommendations that form a logical chain from an initial compromise to a high-value asset. They are generated by graph traversal algorithms, not a simple list.

Mistake: Secure score is the percentage of compliant resources.
Correct: Secure score is the percentage of potential points earned from healthy recommendations, not the percentage of resources that are compliant. Each recommendation has a fixed point value.

Mistake: Defender CSPM only works for Azure resources.
Correct: Defender CSPM supports Azure, AWS, and GCP via connectors. The cloud security graph includes resources from all connected clouds.

Mistake: Remediating the most severe recommendation always improves security the most.
Correct: Remediating a recommendation that appears in many attack paths may have a greater impact on reducing risk than fixing a single high-severity issue. Attack path analysis helps prioritize based on risk chains.

Mistake: Attack path detection is real-time.
Correct: Attack path detection runs after the cloud security graph is updated, which is typically every 24 hours. Some changes trigger near-real-time updates, but full path detection is not real-time.


Frequently Asked Questions

What is the difference between a recommendation and an attack path in Defender CSPM?

A recommendation is a single security check that flags a misconfiguration (e.g., 'Storage accounts should restrict network access'). An attack path is a sequence of multiple recommendations that together form a logical exploit chain from an initial compromise to a high-value asset. For example, a public VM (recommendation 1) with an overprivileged managed identity (recommendation 2) that can access a Key Vault with soft-delete enabled (recommendation 3) forms an attack path. The exam tests that attack paths are more than just a list of recommendations.

How often is the cloud security graph updated?

By default the cloud security graph is refreshed every 24 hours (this chapter also cites a 24-48 hour window for most resources), while some changes, such as a new VM deployment, trigger an update within about 15 minutes. Attack path detection runs after each graph update, so a remediated path disappears at the next refresh rather than immediately.

Can attack paths include resources from AWS or GCP?

Yes, if you have configured connectors for AWS and GCP in Defender for Cloud, the cloud security graph includes resources from those clouds. Attack paths can span multiple clouds, for example, an Azure VM accessing an AWS S3 bucket via a cross-account role. The exam may present a multi-cloud scenario and ask which tool can detect such cross-cloud attack paths.

How is the secure score calculated?

The secure score is calculated as the sum of points from healthy recommendations divided by the total possible points, expressed as a percentage. Each recommendation has a potential score increase (e.g., 2 points). If you have 50 healthy recommendations out of a possible 100 points, your score is 50%. The exam may ask you to calculate the score increase after remediating a specific recommendation.

What is the difference between CSPM and CWPP?

CSPM (Cloud Security Posture Management) focuses on assessing and improving the configuration of your cloud resources against benchmarks (e.g., CIS, NIST). It uses a graph to model relationships and provides attack path analysis. CWPP (Cloud Workload Protection Platform) focuses on runtime protection of workloads, such as file integrity monitoring, adaptive application controls, and just-in-time VM access. The exam tests that you understand which features belong to which category.

How do I view attack paths in the Azure portal?

In the Azure portal, navigate to Microsoft Defender for Cloud. Under the 'Cloud Security' section, select 'Attack paths'. This will display a list of detected attack paths sorted by risk score. Clicking on a path shows a visual graph of the steps and affected resources. You can also use the REST API or PowerShell to retrieve attack paths programmatically.

What is the default retention period for attack paths?

Attack paths are retained for 30 days after detection. If the path is not remediated, it will be re-detected at the next graph update. This means you have 30 days to review and act on a path before it is removed from the list (but it will reappear if the condition persists).

