lacework-global-525
Set 'All users with the following roles' to 'Owner' (Manual)
This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Enable security alert emails to subscription owners.
Rationale
Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Defender for Cloud.
- Then Environment Settings.
- Click on the appropriate Management Group, Subscription, or Workspace.
- Click on Email notifications.
- Ensure that All users with the following roles is set to Owner.
From Azure CLI
Ensure that the notificationsByRole property returned by the command below names the Owner role. With api-version 2020-01-01-preview this property is an object with a state (On/Off) and a list of roles; the check fails if state is Off, if Owner is missing from roles, or if the command returns nothing because no default security contact has been configured.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.value[] | select(.name=="default") | .properties.notificationsByRole'
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Defender for Cloud.
- Click Environment Settings.
- Click the appropriate Management Group, Subscription, or Workspace.
- Click Email notifications.
- In the drop down of the All users with the following roles field select Owner.
- Click Save.
From Azure CLI
Use the command below to set All users with the following roles to Owner. It targets the same contact (default) and API version (2020-01-01-preview) as the audit command; the older securityContacts/default1 resource under api-version 2017-08-01-preview has no notificationsByRole property, so a PUT against it cannot set this control.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@"input.json"'
Where input.json contains the data below, replacing validEmailAddress with one email address or several addresses separated by semicolons, as in the securityContacts REST reference:
{
"properties": {
"emails": "<validEmailAddress>",
"alertNotifications": {
"state": "On",
"minimalSeverity": "High"
},
"notificationsByRole": {
"state": "On",
"roles": ["Owner"]
}
}
}
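The audit and remediation above, carried out end to end in one script, as an added example for this page (it is not CIS, Lacework or Microsoft code). It uses only the Python standard library, assumes the 2020-01-01-preview response shape (a contact named default whose properties.notificationsByRole holds state and roles), treats a missing default contact as a failure, and sends the full properties block on PUT so that no setting is silently reset. The subscription id, the email address and the sample listing are constructed placeholders, not captured data.

```python
"""Audit and remediate the Defender for Cloud 'All users with the following
roles' e-mail setting over the securityContacts REST API.

Added example for this page, not code from CIS, Lacework or Microsoft.
Assumes api-version 2020-01-01-preview, where the default contact is named
"default" and carries properties.notificationsByRole = {"state": ..., "roles": [...]}.
"""
import json
import urllib.request

API_VERSION = "2020-01-01-preview"
REQUIRED_ROLE = "Owner"


def contact_url(subscription_id, name=None):
    """URL of the securityContacts collection, or of one named contact."""
    url = ("https://management.azure.com/subscriptions/%s"
           "/providers/Microsoft.Security/securityContacts" % subscription_id)
    if name:
        url += "/" + name
    return url + "?api-version=" + API_VERSION


def owner_notifications_enabled(list_response):
    """Audit check: does the 'default' contact notify the Owner role?
    Returns (compliant, reason) so the reason can be reported."""
    contacts = [c for c in list_response.get("value", []) if c.get("name") == "default"]
    if not contacts:
        # Never configured: the jq pipeline on the page prints nothing here.
        return False, "no 'default' security contact configured"
    by_role = contacts[0].get("properties", {}).get("notificationsByRole") or {}
    if by_role.get("state") != "On":
        return False, "notificationsByRole.state is %r, not 'On'" % by_role.get("state")
    roles = by_role.get("roles") or []
    if REQUIRED_ROLE not in roles:
        return False, "roles %r do not include %r" % (roles, REQUIRED_ROLE)
    return True, "notificationsByRole is On for %r" % roles


def remediation_body(emails, roles=(REQUIRED_ROLE,), minimal_severity="High"):
    """Body for PUT .../securityContacts/default. Every property is set
    explicitly because properties omitted from the block are reset to their
    disabled default by the API."""
    return {
        "properties": {
            "emails": emails,
            "alertNotifications": {"state": "On", "minimalSeverity": minimal_severity},
            "notificationsByRole": {"state": "On", "roles": list(roles)},
        }
    }


def call(method, url, token, body=None):
    """Minimal ARM request with a bearer token, e.g. the output of
    `az account get-access-token --query accessToken -o tsv`."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a non-compliant listing (placeholder ids, not captured from Azure).
SAMPLE_NONCOMPLIANT = {
    "value": [{
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000"
              "/providers/Microsoft.Security/securityContacts/default",
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "properties": {
            "emails": "secops@example.com",
            "alertNotifications": {"state": "On", "minimalSeverity": "High"},
            "notificationsByRole": {"state": "Off", "roles": []},
        },
    }]
}


def audit_and_fix(subscription_id, token=None, emails="secops@example.com"):
    """Audit the subscription; with a token, PUT the corrected contact when
    non-compliant and re-audit. Without a token, evaluate the constructed sample."""
    listing = call("GET", contact_url(subscription_id), token) if token else SAMPLE_NONCOMPLIANT
    ok, why = owner_notifications_enabled(listing)
    if ok or not token:
        return ok, why
    call("PUT", contact_url(subscription_id, "default"), token, remediation_body(emails))
    return owner_notifications_enabled(call("GET", contact_url(subscription_id), token))


if __name__ == "__main__":
    # Offline run against the constructed sample; pass a real token to remediate.
    print(audit_and_fix("00000000-0000-0000-0000-000000000000"))
```

Run it with a token obtained from az to audit and fix a real subscription; without one it evaluates the constructed sample and reports why that sample fails. The check deliberately distinguishes the three failure modes (no contact, state Off, Owner absent) because the portal shows all three as the same empty drop-down.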
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
- Any property omitted from the properties block of input.json is reset to its disabled default, so always send the complete block rather than only the property being changed.