Forum Discussion
Need help with enabling the "Security attack path" export data type in continuous export
You're trying to enable "Security attack path" export (part of Microsoft Defender for Cloud’s continuous export) using PowerShell or REST API, but it's failing — possibly due to incorrect resource group usage or unsupported configurations.
Here’s a full breakdown of how this should be set up:
First: Understand What Resource Group to Use
Resource Group for New-AzSecurityAutomation
This must be a resource group where you want to store the Security Automation resource. It’s not necessarily your Log Analytics Workspace (LAW) resource group, but:
- The destination target (e.g., Event Hub, Log Analytics) must be specified correctly.
- The automation’s scope (subscription or resource group) must include the relevant resources you want monitored/exported.
If you're unsure: use a central shared resource group where you keep Defender/monitoring artifacts — or create a dedicated RG for this.
As of early 2025, the "Security attack path" export only works for specific workloads and:
- Is in Preview as of api-version=2023-12-01-preview
- Requires Microsoft Defender for Cloud with Attack Path Analysis enabled
- Works only in certain regions
- Requires the dataTypes value: "AttackPath"
$subscriptionId = "<your-subscription-id>"
$automationName = "ExportAttackPaths"
# Resource group that stores the Security Automation resource (not necessarily the LAW resource group)
$resourceGroupName = "<automation-resource-group>"
$location = "eastus"

# Destination is the Log Analytics workspace; the scope is the whole subscription
New-AzSecurityAutomation `
    -Name $automationName `
    -ResourceGroupName $resourceGroupName `
    -Location $location `
    -Action `
        @{ ActionType="LogAnalytics"; WorkspaceResourceId="/subscriptions/$subscriptionId/resourceGroups/<LAW-RG>/providers/Microsoft.OperationalInsights/workspaces/<Your-LAW-Name>" } `
    -Scope "/subscriptions/$subscriptionId" `
    -Source `
        @{
            EventSource = "Alerts";
            RuleSets = @(
                @{
                    # Rule that filters on the "AttackPath" data type
                    Rules = @(
                        @{ PropertyJPath = "dataType"; PropertyType = "String"; ExpectedValue = "AttackPath"; Operator = "Equals" }
                    )
                }
            )
        }
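An offline pre-flight check for the resource group, scope and workspace values discussed in the answer above, as an added example that is not part of the original post. `Test-ExportAutomationInput` and the sample values are hypothetical; the function only parses strings and calls no Azure cmdlets.

```powershell
# Added example: offline pre-flight check for the values passed to New-AzSecurityAutomation.
# Test-ExportAutomationInput is a hypothetical helper; it calls no Azure cmdlets.
function Test-ExportAutomationInput {
    param(
        [Parameter(Mandatory)] [string] $AutomationResourceGroup,
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [string] $WorkspaceResourceId
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $notes    = [System.Collections.Generic.List[string]]::new()

    # Template placeholders such as <LAW-RG> that were never filled in
    foreach ($value in $AutomationResourceGroup, $Scope, $WorkspaceResourceId) {
        if ($value -match '<[^>]+>') { $problems.Add("Unfilled placeholder: $value") }
    }

    # Scope must be a full subscription or resource group ID, not a bare GUID or name
    $scopeSub = $null
    if ($Scope -match '^/subscriptions/(?<sub>[^/]+)(/resourceGroups/(?<rg>[^/]+))?/?$') {
        $scopeSub = $Matches['sub']
    } else {
        $problems.Add("Scope is not a subscription or resource group ID: $Scope")
    }

    # Destination must be a complete Log Analytics workspace resource ID
    $wsPattern = '^/subscriptions/(?<sub>[^/]+)/resourceGroups/(?<rg>[^/]+)' +
                 '/providers/Microsoft\.OperationalInsights/workspaces/(?<name>[^/]+)$'
    if ($WorkspaceResourceId -match $wsPattern) {
        # A different resource group for the workspace is allowed, so only note it
        if ($Matches['rg'] -ne $AutomationResourceGroup) {
            $notes.Add("Automation RG '$AutomationResourceGroup' differs from workspace RG '$($Matches['rg'])'")
        }
        if ($scopeSub -and $Matches['sub'] -ne $scopeSub) {
            $notes.Add("Workspace is in subscription '$($Matches['sub'])', scope is '$scopeSub'")
        }
    } else {
        $problems.Add("Not a Log Analytics workspace resource ID: $WorkspaceResourceId")
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Notes = $notes }
}

# Constructed sample values: the workspace ID still carries the template placeholders
$sub = '00000000-0000-0000-0000-000000000000'
Test-ExportAutomationInput -AutomationResourceGroup 'rg-defender-automation' `
    -Scope "/subscriptions/$sub" `
    -WorkspaceResourceId "/subscriptions/$sub/resourceGroups/<LAW-RG>/providers/Microsoft.OperationalInsights/workspaces/<Your-LAW-Name>"
```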