
Technical Lab: Evaluate network security recommendations identified by Microsoft Defender for Cloud attack paths

Questions

Question 1 - Multiple Choice

Microsoft Defender for Cloud identifies an attack path in an Azure environment involving a virtual machine exposed to the public internet with an open management port and no multifactor authentication applied to the access account. When analyzing this attack path in the portal, the engineer notices it receives a high risk score.

What is the main criterion that Defender for Cloud uses to calculate the risk level of an attack path?

A) The number of pending security recommendations associated with the resources involved in the path.

B) The combination between the likelihood of exploitation and the potential impact on resources reachable at the end of the path.

C) The individual severity of the entry vulnerability identified in the first node of the path.

D) The time elapsed since the vulnerable resource was deployed without applied remediation.


Question 2 - Technical Scenario

A network engineer receives the following alert from Microsoft Defender for Cloud:

Attack path detected:
[Internet] --> [Public IP: 203.0.113.45]
--> [VM: prod-web-01 | Port 22 open]
--> [Storage Account: sa-backups-prod | Public access enabled]

Risk level: Critical
Recommendation: Restrict SSH access and disable public blob access on storage account.

The engineer applies a Network Security Group (NSG) restricting port 22 access on the VM to only a corporate IP range. After reevaluation, Defender for Cloud still maintains the attack path as active and critical.

What is the most likely cause for the attack path remaining active after the NSG change?

A) Defender for Cloud does not recognize NSG rules as valid mitigation controls for attack paths.

B) The recommendation about the Storage Account with public access enabled has not yet been addressed, keeping the path destination vulnerable.

C) The NSG was applied to the VM's network interface, but the attack path is calculated based on platform-level routes that ignore NSGs.

D) Defender for Cloud requires a period of up to 72 hours to reevaluate attack paths after any configuration change.


Question 3 - True or False

Statement: In Microsoft Defender for Cloud, disabling a security recommendation associated with an intermediate node of an attack path is sufficient for the path to be automatically removed from the active attack paths list, regardless of the state of the other path nodes.

True or False?


Question 4 - Technical Scenario

A security team analyzes the following attack path identified by Defender for Cloud:

Attack path:
[Internet]
--> [Application Gateway: agw-prod | WAF disabled]
--> [AKS Cluster: aks-prod | API Server publicly exposed]
--> [Key Vault: kv-secrets-prod | Unrestricted network access]

Linked recommendations:
1. Enable WAF on Application Gateway (Severity: High)
2. Restrict AKS API Server access (Severity: High)
3. Configure Key Vault firewall (Severity: Medium)

The team decides to prioritize only recommendation 3 (Key Vault firewall) as it protects the most business-critical resource. After applying the Key Vault firewall, the attack path is reevaluated.

What is the expected behavior of Defender for Cloud after this isolated action?

A) The attack path is removed, as the final resource has been protected and the attacker's objective can no longer be completed.

B) The attack path remains active, as the two intermediate nodes still present vulnerabilities that allow attack progression.

C) Defender for Cloud reclassifies the attack path from critical to medium, reflecting the partial mitigation applied.

D) The attack path is temporarily suspended while Defender for Cloud recalculates the security graph with the new data.


Question 5 - Multiple Choice

A security architect needs to distinguish, in Microsoft Defender for Cloud, between a security recommendation and an attack path.

Which statement below correctly describes the difference between these two concepts?

A) Security recommendations identify misconfigurations in individual resources, while attack paths model sequences of chained vulnerabilities that an attacker could exploit to reach a critical resource.

B) Attack paths are generated exclusively from active security alerts, while recommendations are based on compliance policies configured by the administrator.

C) Security recommendations have global scope over the subscription, while attack paths are restricted to resources within a single resource group.

D) Attack paths replace security recommendations when Defender for Cloud detects that multiple recommendations affect the same resource simultaneously.


Answer Key and Explanations

Answer Key - Question 1

Answer: B

Defender for Cloud calculates attack path risk by combining two axes: the likelihood of exploitation (considering internet exposure, absence of controls like MFA, open ports) and the potential impact (which sensitive resources are reachable at the end of the path). This model reflects the concept of contextual risk, not just the isolated severity of a vulnerability.

Alternative A describes the Secure Score mechanism, not attack paths. Alternative C would be an incomplete view, as it considers only the entry point. Alternative D introduces a time criterion that is not part of Defender for Cloud's risk model.


Answer Key - Question 2

Answer: B

An attack path is modeled as a complete chain of vulnerabilities. For it to be removed or reclassified, all critical links in the path need to be addressed. In this scenario, the VM had its SSH access restricted, but the Storage Account with public access enabled represents the vulnerable final destination of the path. While this node remains exposed, the attack path continues to be valid.

Alternative A is incorrect: NSGs are recognized as valid network controls. Alternative C is incorrect: attack paths do take NSG rules into account in the graph modeling. Alternative D: there may be some update latency, but the main reason the path persists is the uncorrected vulnerability in the Storage Account, not a processing delay.


Answer Key - Question 3

Answer: False

Disabling a recommendation associated with an intermediate node does not automatically remove the attack path. Defender for Cloud evaluates the path as a graph of chained vulnerabilities. Disabling a recommendation only means it will not be displayed as pending for that resource, but the underlying configuration state of the resource does not change. If the actual vulnerability in the intermediate node persists, the path continues to be computed as active.

This distinction is important: disabling a recommendation is an administrative action, not a technical correction. Only effective remediation of the vulnerable configuration changes the attack graph state.


Answer Key - Question 4

Answer: B

Defender for Cloud keeps an attack path active while an exploitable route exists between the entry point and a critical resource. Protecting the final destination (Key Vault) prevents the final objective from being completed, but the intermediate nodes (Application Gateway without WAF and AKS with an exposed API server) still represent points of progressive compromise. Defender for Cloud evaluates the viability of the path as a whole, not just the protection of the destination.

Alternative A represents a common misconception: protecting the final destination does not invalidate the path if entry and progression vectors still exist. Alternatives C and D describe behaviors that Defender for Cloud does not execute this way; there is no automatic partial reclassification or temporary path suspension.
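The three answer keys above (Questions 2, 3 and 4) rest on the same rule: a path is computed from the actual configuration state of every node in its chain, so fixing one link, or merely disabling a recommendation, does not retire the path. The following Python model is an added illustration written for this lab; it is not Defender for Cloud's own algorithm or API. The node names come from the scenarios on this page, while the exposure counts, sensitivity values and risk thresholds are assumptions chosen only to show the likelihood-times-impact idea from Question 1.

```python
"""Toy model of attack-path state. Constructed for this lab; the weights and
thresholds are assumed and do not reproduce Defender for Cloud's scoring."""
from dataclasses import dataclass
from typing import List


@dataclass
class Node:
    """One resource in the chain, together with its linked recommendation."""
    resource: str
    recommendation: str
    severity: str             # severity shown on the recommendation
    remediated: bool = False  # the vulnerable configuration was actually fixed
    disabled: bool = False    # recommendation hidden in the portal; config unchanged

    @property
    def vulnerable(self) -> bool:
        # Disabling only suppresses the recommendation; the underlying
        # configuration is unchanged, so the node stays vulnerable until fixed.
        return not self.remediated


@dataclass
class AttackPath:
    entry: str                 # e.g. "Internet"
    nodes: List[Node]          # ordered from entry point to target resource
    exposure_factors: int      # assumed likelihood inputs (open port, no MFA, ...)
    target_sensitivity: int    # assumed impact of the final resource, 1 (low) to 3 (high)

    def is_active(self) -> bool:
        """Active while any link in the chain still has its vulnerable configuration."""
        return any(n.vulnerable for n in self.nodes)

    def pending_recommendations(self) -> List[str]:
        """What the portal would list as pending: unremediated and not disabled."""
        return [n.recommendation for n in self.nodes if n.vulnerable and not n.disabled]

    def risk_level(self) -> str:
        """Likelihood x impact, bucketed into labels (thresholds are assumed)."""
        if not self.is_active():
            return "None"
        likelihood = min(self.exposure_factors, 3)   # capped at 3
        score = likelihood * self.target_sensitivity  # 1..9
        if score >= 6:
            return "Critical"
        if score >= 4:
            return "High"
        if score >= 2:
            return "Medium"
        return "Low"


def q2_path() -> AttackPath:
    """Question 2: Internet -> prod-web-01 (port 22) -> sa-backups-prod (public blob)."""
    return AttackPath("Internet", [
        Node("prod-web-01", "Restrict SSH access", "High"),
        Node("sa-backups-prod", "Disable public blob access", "High"),
    ], exposure_factors=2, target_sensitivity=3)


def q2_after_nsg() -> AttackPath:
    """NSG restricts port 22 on the VM; the storage account is left untouched."""
    path = q2_path()
    path.nodes[0].remediated = True
    return path


def q3_disabled_only() -> AttackPath:
    """Question 3: the intermediate node's recommendation is disabled, nothing is fixed."""
    path = q2_path()
    path.nodes[0].disabled = True
    return path


def q4_path() -> AttackPath:
    """Question 4: Internet -> agw-prod (no WAF) -> aks-prod (public API) -> kv-secrets-prod."""
    return AttackPath("Internet", [
        Node("agw-prod", "Enable WAF on Application Gateway", "High"),
        Node("aks-prod", "Restrict AKS API Server access", "High"),
        Node("kv-secrets-prod", "Configure Key Vault firewall", "Medium"),
    ], exposure_factors=2, target_sensitivity=3)


def q4_kv_only() -> AttackPath:
    """Only recommendation 3 (Key Vault firewall) is applied."""
    path = q4_path()
    path.nodes[2].remediated = True
    return path


def fully_remediated(path: AttackPath) -> AttackPath:
    """Every node's configuration is corrected; only then does the path retire."""
    for node in path.nodes:
        node.remediated = True
    return path


if __name__ == "__main__":
    for label, p in [("Q2 after NSG", q2_after_nsg()), ("Q3 disabled", q3_disabled_only()),
                     ("Q4 KV only", q4_kv_only()), ("Q4 all fixed", fully_remediated(q4_path()))]:
        print(f"{label}: active={p.is_active()} risk={p.risk_level()} "
              f"pending={p.pending_recommendations()}")
```

Running the block prints one line per scenario. Note how Question 3's case is the misleading one: the pending list shrinks because the recommendation is hidden, yet `is_active()` still reports the path, which is exactly why the answer key distinguishes an administrative action from a technical correction.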


Answer Key - Question 5

Answer: A

Security recommendations identify misconfigurations or missing controls in individual resources, without necessarily considering how these flaws combine. Attack paths go further: they use the Cloud Security Graph to model realistic exploitation sequences, connecting vulnerabilities across multiple resources into a chain that represents an attacker's reasoning.

Alternative B is incorrect because attack paths do not depend on active alerts; they are computed from resource configuration state. Alternative C is incorrect because both recommendations and attack paths operate at subscription or multicloud scope, without restriction by resource group. Alternative D is incorrect because attack paths and recommendations coexist and complement each other; one does not replace the other.