End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Enable Attack Path Email Notifications

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the "Notify about attack paths with the following risk level (or higher)" setting is enabled within the Email notifications configuration of Microsoft Defender for Cloud for each Azure subscription. When enabled, Microsoft Defender for Cloud sends email notifications about detected attack paths to the subscription owner or other designated security contacts, based on the configured minimum risk level threshold.

Security

Microsoft Defender for Cloud's attack path analysis identifies exploitable sequences of steps that an attacker could use to reach critical assets in your environment. Enabling attack path email notifications ensures that the appropriate security personnel are alerted promptly when such attack paths are detected, enabling them to investigate and remediate potential threats before they can be exploited. Without this configuration, security teams may miss critical signals and be unable to respond to high-risk attack paths in a timely manner.

Note: Enabling attack path email notifications may cause alert fatigue if the risk level threshold is set too low. Select an appropriate minimum risk level (Low, Medium, High, or Critical) to balance security coverage with notification volume. Microsoft Defender for Cloud limits outgoing email volume per risk level to reduce alert fatigue.


Audit

To determine if sending email notifications for attack paths is enabled within Microsoft Defender for Cloud, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to the Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

  3. In the left navigation panel, under Management, choose Environment settings.

  4. Under Azure, click on the name (link) of the Azure subscription that you want to examine.

  5. In the left navigation panel, under Settings, choose Email notifications to access the email notification settings available for Microsoft Defender for Cloud in the selected Azure subscription.

  6. In the Notification types section, check the state of the "Notify about attack paths with the following risk level (or higher)" setting checkbox to determine the notification feature status. If the checkbox is unchecked, Microsoft Defender for Cloud is not configured to send email notifications for attack paths identified in the selected Azure subscription.

  7. Repeat steps no. 4 – 6 for each Azure subscription available within your Microsoft Azure account.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list --query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
        "abcdabcd-1234-abcd-1234-abcdabcdabcd",
        "abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run the account get-access-token command (Windows/macOS/Linux) with custom output filters to retrieve the Microsoft Defender for Cloud notification configuration for the selected Azure subscription:

    az account get-access-token \
      --query "{subscription:subscription,accessToken:accessToken}" \
      --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2023-12-01-preview"' | jq '.|.[]'
    
  5. The command output should return the notification configuration for Microsoft Defender for Cloud in the selected subscription. Check the "notificationsSources" array for an entry where "sourceType" is "AttackPath" and verify that the "minimalRiskLevel" attribute is set to an appropriate risk level:

    {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default",
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "properties": {
            "isEnabled": true,
            "emails": "user@domain.com",
            "notificationsByRole": {
                "state": "On",
                "roles": ["Owner"]
            },
            "notificationsSources": [
                {
                    "sourceType": "Alert",
                    "minimalSeverity": "Medium"
                },
                {
                    "sourceType": "AttackPath",
                    "minimalRiskLevel": "Medium"
                }
            ]
        }
    }
    

    If the "notificationsSources" array does not contain an entry with "sourceType": "AttackPath", Microsoft Defender for Cloud is not configured to send email notifications for attack paths identified in the selected Azure subscription.

  6. Repeat steps no. 3 – 5 for each Azure subscription available within your Microsoft Azure account.
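The check from steps 5 and 6, applied to a saved API response, as an added example (not code from the original page or from Microsoft). The function name, the `max_threshold` policy parameter and the sample response are assumptions made for this illustration; the function also flags a contact with no recipient, which the Remediation section asks you to verify.

```python
import json

RISK_ORDER = ["Low", "Medium", "High", "Critical"]  # ascending, as listed on this page

def audit_attack_path(response, max_threshold="Medium"):
    """Return findings for one subscription; an empty list means compliant.

    `response` is the parsed securityContacts JSON: one contact object, a list
    of them, or a wrapper with a "value" array. `max_threshold` is a local
    policy choice (hypothetical parameter): the least sensitive level accepted.
    """
    contacts = response if isinstance(response, list) else response.get("value", [response])
    contacts = [c for c in contacts if c.get("properties")]
    if not contacts:
        return ["no security contact configured"]
    findings = []
    for contact in contacts:
        name, props = contact.get("name", "?"), contact["properties"]
        if props.get("isEnabled") is False:
            findings.append(f"{name}: security contact is disabled")
        by_role = props.get("notificationsByRole") or {}
        has_roles = by_role.get("state") == "On" and by_role.get("roles")
        if not (props.get("emails") or "").strip() and not has_roles:
            findings.append(f"{name}: no email recipient configured")
        sources = props.get("notificationsSources") or []
        levels = [s.get("minimalRiskLevel") for s in sources
                  if s.get("sourceType") == "AttackPath"]
        if not levels:
            findings.append(f"{name}: no AttackPath notification source")
        elif levels[0] not in RISK_ORDER:
            findings.append(f"{name}: unknown minimalRiskLevel {levels[0]!r}")
        elif RISK_ORDER.index(levels[0]) > RISK_ORDER.index(max_threshold):
            findings.append(f"{name}: threshold {levels[0]} is above "
                            f"policy maximum {max_threshold}")
    return findings

# Constructed sample: Alert notifications only, no AttackPath entry.
SAMPLE = json.loads("""{"value": [{"name": "default", "properties": {
  "isEnabled": true, "emails": "user@domain.com",
  "notificationsByRole": {"state": "On", "roles": ["Owner"]},
  "notificationsSources": [{"sourceType": "Alert", "minimalSeverity": "Medium"}]}}]}""")

if __name__ == "__main__":
    for finding in audit_attack_path(SAMPLE) or ["compliant"]:
        print(finding)
```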

Remediation / Resolution

To configure Microsoft Defender for Cloud to send email notifications for attack paths identified within your Azure cloud account, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to the Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

  3. In the left navigation panel, under Management, choose Environment settings.

  4. Under Azure, click on the name (link) of the Azure subscription that you want to configure (see Audit section part I to identify the right subscription).

  5. In the left navigation panel, under Settings, choose Email notifications to access the email notification settings available for Microsoft Defender for Cloud in the selected Azure subscription.

  6. In the Email recipients section, ensure that at least one email recipient is selected to receive alert notifications from Microsoft Defender for Cloud. Check the All users with the following roles and Additional email addresses (separated by commas) configuration fields to identify the email recipient(s) configured for your Azure subscription.

  7. In the Notification types section, check the "Notify about attack paths with the following risk level (or higher)" setting checkbox to enable Microsoft Defender for Cloud to send attack path email notifications to the subscription owners and/or administrators. Select an appropriate risk level from the setting dropdown menu.

  8. Choose Save from the top menu to apply the configuration changes.

  9. Repeat steps no. 4 – 8 for each Azure subscription available within your Microsoft Azure account.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list --query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
        "abcdabcd-1234-abcd-1234-abcdabcdabcd",
        "abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to configure as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Define the configuration parameters to enable attack path email notifications for Microsoft Defender for Cloud in the selected Azure subscription, by including the following configuration object: {"sourceType": "AttackPath", "minimalRiskLevel": "Medium"} in the "notificationsSources" array. To change the risk level, modify the "minimalRiskLevel" attribute value (supported values: "Low", "Medium", "High", and "Critical"). Save the configuration document to a JSON file named enable-attack-path-notifications.json:

    {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default",
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "location": "West Europe",
        "properties": {
            "isEnabled": true,
            "emails": "user@domain.com",
            "phone": "",
            "notificationsByRole": {
                "state": "On",
                "roles": [
                    "Owner"
                ]
            },
            "notificationsSources": [
                {
                    "sourceType": "Alert",
                    "minimalSeverity": "Medium"
                },
                {
                    "sourceType": "AttackPath",
                    "minimalRiskLevel": "Medium"
                }
            ]
        }
    }
    
  5. Run the account get-access-token command (Windows/macOS/Linux) using the configuration document defined in the previous step (i.e., the enable-attack-path-notifications.json file), to enable Microsoft Defender for Cloud to send attack path email notifications to the subscription owners and/or administrators:

    az account get-access-token \
      --query "{subscription:subscription,accessToken:accessToken}" \
      --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2023-12-01-preview" -d@"enable-attack-path-notifications.json"'
    
  6. The output should return the updated notification configuration applied to Microsoft Defender for Cloud, with the "AttackPath" source type present in the "notificationsSources" array:

    {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/securityContacts/default",
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "location": "West Europe",
        "properties": {
            "isEnabled": true,
            "emails": "user@domain.com",
            "phone": "",
            "notificationsByRole": {
                "state": "On",
                "roles": [
                    "Owner"
                ]
            },
            "notificationsSources": [
                {
                    "sourceType": "Alert",
                    "minimalSeverity": "Medium"
                },
                {
                    "sourceType": "AttackPath",
                    "minimalRiskLevel": "Medium"
                }
            ]
        }
    }
    
  7. Repeat steps no. 3 – 6 for each Azure subscription available within your Microsoft Azure account.
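The template in step 4 carries placeholder recipients and an Alert severity, so sending it unchanged would apply those values to the subscription. This added example (not part of the original page) builds the request body from the subscription's current settings, as returned by the audit GET call; the function name and the sample document are assumptions.

```python
import copy
import json

RISK_LEVELS = ("Low", "Medium", "High", "Critical")  # values listed on this page

def with_attack_path_source(current, risk_level="Medium"):
    """Return a copy of a securityContacts document with the AttackPath
    notification source set to `risk_level`, leaving every other field
    (recipients, roles, Alert source) as it was in `current`."""
    if risk_level not in RISK_LEVELS:
        raise ValueError(f"unsupported minimalRiskLevel: {risk_level!r}")
    doc = copy.deepcopy(current)  # do not mutate the caller's copy
    props = doc.setdefault("properties", {})
    # Drop any existing AttackPath entry so repeated runs do not duplicate it.
    sources = [s for s in props.get("notificationsSources") or []
               if s.get("sourceType") != "AttackPath"]
    sources.append({"sourceType": "AttackPath", "minimalRiskLevel": risk_level})
    props["notificationsSources"] = sources
    return doc

# Constructed sample of a subscription's current settings (not real data).
CURRENT = {
    "name": "default",
    "type": "Microsoft.Security/securityContacts",
    "properties": {
        "isEnabled": True,
        "emails": "secops@example.com",
        "notificationsByRole": {"state": "On", "roles": ["Owner"]},
        "notificationsSources": [{"sourceType": "Alert", "minimalSeverity": "High"}],
    },
}

if __name__ == "__main__":
    # File name matches the one used in step 4.
    with open("enable-attack-path-notifications.json", "w") as fh:
        json.dump(with_attack_path_source(CURRENT, "Medium"), fh, indent=4)
```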


Publication date May 29, 2026