Description

The 'Notify about attack paths with the following risk level (or higher)' feature in Microsoft Defender for Cloud allows you to configure notifications for specific risk levels associated with attack paths. Attack paths represent potential ways that an attacker could exploit vulnerabilities in your environment to gain unauthorized access. By enabling this setting and specifying a risk level, you can receive notifications when attack paths with a higher risk level are identified. This helps your security team take immediate action to mitigate risks before an attack can occur.

Rationale

By configuring notifications for attack paths with specified risk levels, you can ensure that your team is promptly alerted about high-risk vulnerabilities and attack vectors that could lead to a data breach or other security incidents. This proactive notification system helps your team respond quickly to emerging threats, reducing the likelihood of exploitation. It's a best practice for meeting security and compliance requirements, such as SOC 2, HIPAA, and NIST, which require prompt detection and response to critical security issues.

Impact:

Enabling this feature helps improve your organization’s threat detection capabilities by notifying the security team when attack paths with certain risk levels are detected. This allows for faster incident response and remediation. However, it may result in a higher volume of notifications, especially if the risk threshold is set to Low, so it's important to fine-tune the settings to match your organization's risk tolerance.

Default Value:

By default, this setting is not necessarily enabled; notifications for attack paths at a specified risk level must be configured, either manually in the portal or through automation.

Pre-requisites:

  • Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud is enabled in your environment.

  • Permissions: Ensure you have Owner or Contributor role permissions to configure security settings in Microsoft Defender for Cloud.

  • Risk Levels: Be aware of the different risk levels (e.g., Low, Medium, High) and how they correspond to the severity of attack paths in your environment.

Remediation:

Manual Steps to Ensure 'Notify About Attack Paths with the Following Risk Level (or Higher)' is Enabled:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, search for Microsoft Defender for Cloud and select it.

  3. Go to Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings under the Management section.

  4. Configure Notifications for Attack Paths:

    • Under Security policy settings, find the option for Attack Path Notifications.

    • Set the toggle to On for the setting that enables notifications for attack paths.

  5. Set Risk Level:

    • Specify the risk level (e.g., Medium, High) for which you want to receive notifications. You can configure it to notify you about attack paths with that risk level or higher.

  6. Save Settings:

    • After configuring the notifications and selecting the risk level, ensure that the changes are saved.

    • Microsoft Defender for Cloud will now notify your team whenever attack paths with the specified risk level or higher are detected.

Verification:

  • You can verify that the setting is enabled by checking the notification settings in the Microsoft Defender for Cloud portal under Environment settings and Security policy.

Automated Implementation Using Azure CLI:

You can also automate this process using Azure CLI by configuring the necessary notification settings for attack paths. Here's an example command for enabling notifications:

az security settings update --name "attack-path-notifications" --notifications-enabled true --risk-level "High"
This will enable notifications for attack paths at a High risk level.
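Added example (not part of this page and not Microsoft's code): a Python audit of a subscription's Defender for Cloud security contact, as returned by the securityContacts REST API, against the attack path risk threshold your organization requires, plus the request body that would remediate it. The `notificationsSources`/`minimalRiskLevel` field names and the Low-to-Critical ordering are assumptions based on the 2023-12-01-preview security contacts API; the sample resource is constructed.

```python
# Assumed ordering of Defender for Cloud attack path risk levels, least to
# most severe (values as used by the assumed securityContacts API schema).
RISK_ORDER = ["Low", "Medium", "High", "Critical"]


def check_attack_path_notifications(contact: dict, required_level: str = "High"):
    """Audit one securityContacts resource (parsed JSON). Returns (passed, reason).

    Passes only when the contact is enabled, has a recipient, and carries an
    AttackPath source whose threshold is no stricter than required_level, so
    every attack path at required_level or higher produces a notification.
    """
    props = contact.get("properties", {})
    if not props.get("isEnabled", True):
        return False, "security contact is disabled"
    by_role = props.get("notificationsByRole") or {}
    if not props.get("emails") and by_role.get("state") != "On":
        return False, "no email or role-based recipients configured"
    sources = props.get("notificationsSources") or []
    attack_path = [s for s in sources if s.get("sourceType") == "AttackPath"]
    if not attack_path:
        return False, "attack path notifications are not enabled"
    level = attack_path[0].get("minimalRiskLevel")
    if level not in RISK_ORDER or required_level not in RISK_ORDER:
        return False, f"unrecognised risk level {level!r}"
    if RISK_ORDER.index(level) > RISK_ORDER.index(required_level):
        return False, f"threshold {level} would miss {required_level} attack paths"
    return True, f"attack paths at {level} or higher are notified"


def attack_path_notification_body(emails: str, minimal_risk_level: str = "High") -> dict:
    """Request body (assumed schema) to PUT on the subscription's default security contact."""
    return {"properties": {
        "isEnabled": True,
        "emails": emails,
        "notificationsByRole": {"state": "On", "roles": ["Owner"]},
        "notificationsSources": [
            {"sourceType": "AttackPath", "minimalRiskLevel": minimal_risk_level}],
    }}


# Constructed sample: a default security contact that mails only on alerts,
# i.e. the state this page's remediation is meant to fix.
SAMPLE_BEFORE = {"name": "default", "properties": {
    "isEnabled": True, "emails": "secops@example.com",
    "notificationsByRole": {"state": "On", "roles": ["Owner"]},
    "notificationsSources": [{"sourceType": "Alert", "minimalSeverity": "High"}]}}

if __name__ == "__main__":
    print(check_attack_path_notifications(SAMPLE_BEFORE))
    print(check_attack_path_notifications(attack_path_notification_body("secops@example.com")))
```

Feed the function the JSON from a GET on the securityContacts resource (for example via `az rest`) and a threshold of Medium or Low is accepted for a High requirement because it produces a superset of the required notifications, while Critical is flagged because High-risk paths would be missed.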

Backout Plan:

To disable attack path notifications or revert the risk level:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud in the Azure portal.

  3. Go to Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings.

  4. Disable Notifications or Change Risk Level:

    • In the Attack Path Notifications section, set the toggle to Off or modify the risk level to a lower threshold if necessary.

  5. Save Settings:

    • Ensure the changes are saved, and notifications will no longer be sent for attack paths at the specified risk level.

References: