
Enable Attack Path Email Notifications

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Enable sending alert notifications about attack paths to the security contact email address defined in the Microsoft Defender for Cloud settings. The contact information provided will be used by Microsoft Defender for Cloud to contact the subscription owners and/or administrators when potential attack paths are found within their cloud environment.

Security

Microsoft Defender for Cloud's attack path analysis helps you prioritize security remediation by identifying exploitable attack sequences within your multicloud environment. It provides actionable recommendations to close these security gaps. Enabling attack path email notifications ensures the right people are notified when potential attack paths are identified in your Azure cloud account, in order to be able to mitigate the risks in a timely fashion.
Audit

To determine if sending alert notifications for attack paths is enabled within Microsoft Defender for Cloud, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Email notifications to access the email notification settings available for Microsoft Defender for Cloud in the selected Azure subscription.

06 In the Notification types section, verify the Notify about attack paths with the following risk level (or higher) setting checkbox to determine the notification feature status. If the Notify about attack paths with the following risk level (or higher) setting checkbox is unchecked, Microsoft Defender for Cloud is not configured to send alert notifications for attack paths identified in the selected Azure subscription.

07 Repeat steps no. 4 – 6 for each Azure subscription created within your Microsoft Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run account get-access-token command (Windows/macOS/Linux) with custom output filters to determine if attack path alert notifications are enabled for Microsoft Defender for Cloud in the selected Azure subscription:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2023-12-01-preview' | jq '.|.value[] | select(.type=="Microsoft.Security/securityContacts")'|jq '.properties.notificationsSources[].sourceType'

05 The command output should return the notification sources configured for Microsoft Defender for Cloud. The security service supports two notification sources: "Alert" and "AttackPath":

"Alert"

If "AttackPath" is not included in the notification source list returned by the account get-access-token command output, Microsoft Defender for Cloud is not configured to send alert notifications for attack paths identified in the selected Azure subscription.

06 Repeat steps no. 4 and 5 for each Azure subscription created within your Microsoft Azure account.

Remediation / Resolution

To configure Microsoft Defender for Cloud to send alert notifications for attack paths identified within your Azure cloud account, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to configure.

05 In the left navigation panel, under Settings, choose Email notifications to access the email notification settings available for Microsoft Defender for Cloud in the selected Azure subscription.

06 In the Email recipients section, ensure that at least one email recipient is selected to receive alert notifications from Microsoft Defender for Cloud. Check the All users with the following roles and Additional email addresses (separated by commas) configuration fields to identify the email recipient(s) configured for your Azure subscription.

07 In the Notification types section, check the Notify about attack paths with the following risk level (or higher) setting checkbox to enable Microsoft Defender for Cloud to send attack path alert notifications to the subscription owners and/or administrators. Select an appropriate risk level from the setting dropdown menu.

08 Choose Save from the top menu to apply the configuration changes.

09 Repeat steps no. 4 – 8 for each Azure subscription created within your Microsoft Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Define the configuration parameters for the account get-access-token command in order to enable attack path alert notifications for Microsoft Defender for Cloud in the selected Azure subscription, by adding the following configuration object: {"sourceType": "AttackPath", "minimalRiskLevel": "Medium"} to the "notificationsSources" array, as shown in the configuration file listed below. To change the risk level, modify the "minimalRiskLevel" attribute value (supported values: "Low", "Medium", "High", and "Critical"). Save the configuration document to a JSON file named enable-attack-path-notifications.json:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default",
	"name": "default",
	"type": "Microsoft.Security/securityContacts",
	"location": "West Europe",
	"properties": {
		"isEnabled": true,
		"emails": "user@domain.com",
		"phone": "",
		"notificationsByRole": {
			"state": "On",
			"roles": [
				"Owner"
			]
		},
		"notificationsSources": [
			{
				"sourceType": "Alert",
				"minimalSeverity": "Medium"
			},
			{
				"sourceType": "AttackPath",
				"minimalRiskLevel": "Medium"
			}
		]
	}
}

05 Run account get-access-token command (Windows/macOS/Linux) with the configuration document defined at the previous step (i.e., enable-attack-path-notifications.json file), to enable Microsoft Defender for Cloud to send attack path alert notifications to the subscription owners and/or administrators:

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2023-12-01-preview -d@"enable-attack-path-notifications.json"'

06 The output should return the notification configuration applied to Microsoft Defender for Cloud:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default",
	"name": "default",
	"type": "Microsoft.Security/securityContacts",
	"location": "West Europe",
	"properties": {
		"isEnabled": true,
		"emails": "user@domain.com",
		"phone": "",
		"notificationsByRole": {
			"state": "On",
			"roles": [
				"Owner"
			]
		},
		"notificationsSources": [
			{
				"sourceType": "Alert",
				"minimalSeverity": "Medium"
			},
			{
				"sourceType": "AttackPath",
				"minimalRiskLevel": "Medium"
			}
		]
	}
}

07 Repeat steps no. 3 – 6 for each Azure subscription created within your Microsoft Azure account.
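As an added example that is not part of this page or of the Trend Micro tooling, the Python below reproduces offline both the Audit check (does the securityContacts response from audit step 04 contain an "AttackPath" source at an acceptable risk level?) and the construction of the PUT body for remediation step 05. It builds that body from the existing contact so the e-mail recipients, roles and the "Alert" source are carried over, since a PUT replaces the whole securityContacts resource. The subscription ID, e-mail address and sample response are constructed placeholders.

```python
import json

# Supported minimalRiskLevel values, least to most restrictive threshold.
RISK_ORDER = ["Low", "Medium", "High", "Critical"]

# Constructed sample of the securityContacts GET response (audit step 04)
# for a subscription that notifies on alerts only, i.e. the non-compliant case.
SAMPLE_LIST_RESPONSE = json.loads("""
{"value": [{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/default",
  "name": "default", "type": "Microsoft.Security/securityContacts",
  "properties": {"isEnabled": true, "emails": "secops@example.com", "phone": "",
                 "notificationsByRole": {"state": "On", "roles": ["Owner"]},
                 "notificationsSources": [{"sourceType": "Alert", "minimalSeverity": "Medium"}]}}]}
""")


def attack_path_level(list_response):
    """Return the configured minimalRiskLevel of the AttackPath source,
    or None when no AttackPath source exists (the finding this check raises)."""
    for contact in list_response.get("value", []):
        if contact.get("type") != "Microsoft.Security/securityContacts":
            continue
        for src in contact.get("properties", {}).get("notificationsSources", []):
            if src.get("sourceType") == "AttackPath":
                return src.get("minimalRiskLevel")
    return None


def is_compliant(list_response, max_level="Medium"):
    """Compliant when AttackPath notifications exist and fire at max_level or a lower
    (more inclusive) threshold; 'Low' therefore passes a 'Medium' requirement."""
    lvl = attack_path_level(list_response)
    return lvl in RISK_ORDER and RISK_ORDER.index(lvl) <= RISK_ORDER.index(max_level)


def build_remediation_body(contact, risk_level="Medium"):
    """Build the PUT body for remediation step 05 from the existing contact, keeping
    emails, roles and the Alert source and (re)setting a single AttackPath source."""
    if risk_level not in RISK_ORDER:
        raise ValueError(f"unsupported minimalRiskLevel: {risk_level}")
    body = json.loads(json.dumps(contact))  # deep copy; never mutate the audit result
    props = body.setdefault("properties", {})
    sources = [s for s in props.get("notificationsSources", [])
               if s.get("sourceType") != "AttackPath"]
    sources.append({"sourceType": "AttackPath", "minimalRiskLevel": risk_level})
    props["notificationsSources"] = sources
    return body


if __name__ == "__main__":
    print("compliant before:", is_compliant(SAMPLE_LIST_RESPONSE))
    fixed = build_remediation_body(SAMPLE_LIST_RESPONSE["value"][0])
    print(json.dumps(fixed, indent=2))
```

Feed the real GET output from audit step 04 (before the jq filters) to `is_compliant`, and write the result of `build_remediation_body` to enable-attack-path-notifications.json for step 05.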


Publication date May 7, 2025