Skip to main content

lacework-global-526

Configure 'Additional email addresses' with a Security Contact Email (Manual)

note

This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Microsoft Defender for Cloud emails the subscription owners upon trigger of a high-severity alert for their subscription. You should provide a security contact email address as an additional email address.

Rationale

Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud
  3. Click on Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. Ensure that a valid security contact email address is listed in the Additional email addresses field

From Azure CLI

Ensure the output of the below command is set not empty and is set with appropriate email ids.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.emails'

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Click Environment Settings.
  4. Click the appropriate Management Group, Subscription, or Workspace.
  5. Click Email notifications.
  6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field.
  7. Click Save.

From Azure CLI

Use the below command to set Security contact emails to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default",
"name": "default",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any entries in the input.json properties block disables the specific setting by default.