Forum Discussion

santhoshcv20
Copper Contributor
May 09, 2025

Need help with enabling the "Security attack path" export data type in continuous export

I tried enabling the "Security attack path" via API and CMDLET using PowerShell. It is not working.

New-AzSecurityAutomation ` -Name $automationName ` -ResourceGroupName $resourceGroupName `

I am not sure which resource group we should mention here. Is it a random RG in a subscription or the LAW RG? It is failing in both ways.

API Method

$checkUrl="https://management.azure.com/subscriptions/$($subscription.Id)/resourceGroups/$resourceGroupName/providers/Microsoft.Security/automations/$automationName`?api-version=2023-12-01-preview"

1 Reply

  • Ankit365
    Copper Contributor

    You're trying to enable "Security attack path" export (part of Microsoft Defender for Cloud’s continuous export) using PowerShell or REST API, but it's failing — possibly due to incorrect resource group usage or unsupported configurations.

    Here’s a full breakdown of how this should be set up:

    First: Understand What Resource Group to Use

    Resource Group for New-AzSecurityAutomation
    This must be a resource group where you want to store the Security Automation resource. It’s not necessarily your Log Analytics Workspace (LAW) resource group, but:

    The destination target (e.g., Event Hub, Log Analytics) must be specified correctly.

    The automation’s scope (subscription or resource group) must include the relevant resources you want monitored/exported.

    If you're unsure: use a central shared resource group where you keep Defender/monitoring artifacts — or create a dedicated RG for this. 

    As of early 2025, the "Security attack path" export only works for specific workloads and:

    Is in Preview as of api-version=2023-12-01-preview

    Requires Microsoft Defender for Cloud with Attack Path Analysis enabled

    Works only in certain regions

    Requires the dataTypes value: "AttackPath"

    $subscriptionId = "<your-subscription-id>"
    $automationName = "ExportAttackPaths"
    $resourceGroupName = "<automation-resource-group>"
    $location = "eastus"

    # Az.Security binds -Scope/-Source/-Action to typed automation objects, not to
    # raw hashtables or strings, so build them with the *Object helper cmdlets first.
    $scope = New-AzSecurityAutomationScopeObject `
      -Description "Whole subscription" `
      -ScopePath "/subscriptions/$subscriptionId"

    $rule = New-AzSecurityAutomationRuleObject `
      -PropertyJPath "dataType" -PropertyType "String" -Operator "Equals" -ExpectedValue "AttackPath"
    $ruleSet = New-AzSecurityAutomationRuleSetObject -Rule $rule
    $source  = New-AzSecurityAutomationSourceObject -EventSource "Alerts" -RuleSet $ruleSet

    # A Log Analytics destination uses the "Workspace" action type
    $action = New-AzSecurityAutomationActionObject `
      -ActionType "Workspace" `
      -WorkspaceResourceId "/subscriptions/$subscriptionId/resourceGroups/<LAW-RG>/providers/Microsoft.OperationalInsights/workspaces/<Your-LAW-Name>"

    New-AzSecurityAutomation `
      -Name $automationName `
      -ResourceGroupName $resourceGroupName `
      -Location $location `
      -Scope $scope `
      -Source $source `
      -Action $action
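The REST route the question was attempting, written out end to end as an added example (this is not code from either poster). It assumes Connect-AzAccount has already been run, that the placeholder names are replaced, and that the Microsoft.Security/automations 2023-12-01-preview schema accepts an eventSource of "AttackPaths" for this data type; treat that value as an assumption and check the API reference if the PUT is rejected.

```powershell
# Added example: create the continuous-export automation via REST, then read it back.
$subscriptionId    = "<your-subscription-id>"
$resourceGroupName = "<automation-resource-group>"   # where the automation object is stored
$automationName    = "ExportAttackPaths"
$workspaceId       = "/subscriptions/$subscriptionId/resourceGroups/<LAW-RG>/providers/Microsoft.OperationalInsights/workspaces/<Your-LAW-Name>"
$apiVersion        = "2023-12-01-preview"

$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
        "/providers/Microsoft.Security/automations/$automationName" +
        "?api-version=$apiVersion"

$body = @{
    location   = "eastus"
    properties = @{
        description = "Continuous export of attack paths to Log Analytics"
        isEnabled   = $true
        # scopePath decides which resources are exported; the RG in $path only
        # holds the automation resource itself.
        scopes  = @(@{ description = "Whole subscription"; scopePath = "/subscriptions/$subscriptionId" })
        # "AttackPaths" eventSource is an assumption about the preview schema (see lead-in).
        sources = @(@{ eventSource = "AttackPaths" })
        actions = @(@{ actionType = "Workspace"; workspaceResourceId = $workspaceId })
    }
} | ConvertTo-Json -Depth 10

$put = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($put.StatusCode -notin @(200, 201)) {
    # The error body names the rejected field (bad RG, unsupported eventSource, region, ...)
    throw "PUT failed with HTTP $($put.StatusCode): $($put.Content)"
}

# Read the resource back and confirm it is enabled with the expected source.
$get  = Invoke-AzRestMethod -Method GET -Path $path
$auto = $get.Content | ConvertFrom-Json
$ok   = $auto.properties.isEnabled -and ($auto.properties.sources.eventSource -contains "AttackPaths")
"Automation '$automationName' enabled with AttackPaths source: $ok"
```

If the PUT returns 400, the response content usually states which property was invalid, which is the quickest way to tell a wrong resource group from an unsupported data type or region.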
