defender-xdr/investigate-incidents.md
Lines changed: 13 additions & 8 deletions
@@ -16,7 +16,7 @@ ms.topic: conceptual
16
16
search.appverid:
17
17
- MOE150
18
18
- MET150
19
-
ms.date: 03/11/2025
19
+
ms.date: 03/27/2025
20
20
appliesto:
21
21
- Microsoft Defender XDR
22
22
- Microsoft Sentinel in the Microsoft Defender portal
@@ -105,19 +105,24 @@ If the incident or related alerts were the result of an analytics rule you've se
105
105
106
106
### Attack paths
107
107
108
-
The incident graph also contains information about **attack paths**. These paths allow security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **Show attack paths**. Attack paths are available for entities with the **critical asset** tag.
108
+
> [!NOTE]
109
+
> To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
110
+
> To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
111
+
112
+
The incident graph also contains information about **attack paths**. These paths allow security analysts to identify what other entities an attacker is likely to target next. To view an attack path, you can click on an entity in the incident graph and select **View attack paths**. The top attack paths are shown within the incident graph. Attack paths are available for entities with the **critical asset** tag. Here's an example.
113
+
114
+
:::image type="content" source="/defender/media/investigate-incidents/attack-path-small.png" alt-text="Highlighting a critical asset and a top attack path in the incident graph" lightbox="/defender/media/investigate-incidents/attack-path.png":::
109
115
110
-
:::image type="content" source="/defender/media/investigate-incidents/attack-path-small.png" alt-text="Highlighting the Show attack paths action in the incident graph." lightbox="/defender/media/investigate-incidents/attack-path.png":::
116
+
When you select **View attack paths** on the incident graph, a flyout pane opens containing a list of all possible attack paths for the selected entity. The attack paths can be filtered based on the attack path name, entry point, entry point type, target, target type, and target criticality. Here's an example.
111
117
112
-
Upon selecting **Show attackpaths**, a side pane opens, displaying a list of attack paths for the selected entity. The attack paths are displayed in a table format, showing the attack path name, entry point, entry point type, target, target type, the target criticality.
118
+
:::image type="content" source="/defender/media/investigate-incidents/attack-paths-flyout-small.png" alt-text="Screenshot highlighting the view attack paths option and the flyout pane list of attack paths" lightbox="/defender/media/investigate-incidents/attack-paths-flyout.png":::
113
119
114
-
Selecting an attack path from the list displays the attack path graph, which shows the attack path from the entry point to the target. Selecting **View map** opens a new window to view the attack path in full.
120
+
Selecting an attack path from the list displays the details of that attack path, showing the attack path from the entry point, possible entities involved, and the target. Selecting **View map** opens a new window to view the attack path in full.
115
121
116
122
:::image type="content" source="/defender/media/investigate-incidents/attack-path-pane-small.png" alt-text="An example of the attack path graph shown in the side pane." lightbox="/defender/media/investigate-incidents/attack-path-pane.png":::
117
123
118
-
> [!NOTE]
119
-
> To view the details of an attack path, you must have read access permissions in the Microsoft Defender portal and the license for [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management). </br></br>
120
-
> To view attack path details with Microsoft Sentinel in the unified security operations platform, a *Sentinel Reader* role is required. To create new attack paths, the *Security Administrator* role is required.
124
+
> [!TIP]
125
+
> To view the details of an attack path, you must have permissions for the workloads that are part of the attack path. For example, to view an attack path that includes a managed device, you must have permissions for Microsoft Defender for Endpoint.
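Review bot: The `[!TIP]` added at new lines 124-125 states an access prerequisite, not a tip, and it opens with the same words as the `[!NOTE]` moved up to new lines 108-110 ("To view the details of an attack path, you must have ..."), so a reader now meets two separate permission statements at opposite ends of the section. Consider folding the workload-permission sentence into the `[!NOTE]` so the section lists every requirement in one place before the steps: read access in the Microsoft Defender portal, the Microsoft Security Exposure Management license, the *Sentinel Reader* role, and permissions for each workload in the path. Two smaller points in the same hunk: the `</br></br>` carried over into new line 109 is not a valid tag (`<br/>` or a blank quoted line would render reliably), and the two new `alt-text` values at new lines 114 and 118 lack the trailing period that the unchanged alt-text at line 122 has. The unchanged alt-text at line 122 also still says "side pane" while the new text at line 116 calls it a "flyout pane"; pick one term.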