Skip to main content

lacework-global-525

Set 'All users with the following roles' to 'Owner' (Manual)

note

This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Enable security alert emails to subscription owners.

Rationale

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

Audit

From Azure Portal

  1. From Azure Home select the Portal Men
  2. Select Microsoft Defender for Cloud
  3. Then Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. Ensure that All users with the following roles is set to Owner

From Azure CLI

Ensure the output of below command is set to true.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.value[] | select(.name=="default")'|jq '.properties.notificationsByRole'

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Click Environment Settings.
  4. Click the appropriate Management Group, Subscription, or Workspace.
  5. Click Email notifications.
  6. In the drop down of the All users with the following roles field select Owner.
  7. Click Save.

From Azure CLI

Use the below command to set Send email also to subscription owners to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
"name": "default1",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On",
"notificationsByRole": "Owner"
}
}

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any entries in the input.json properties block disables the specific setting by default.