lacework-global-527
Set 'Notify about alerts with the following severity' to 'High' (Manual)
This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Enables emailing security alerts to the subscription owner or other designated security contact.
Rationale
Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud
- Click on
Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on
Email notifications
- Ensure that the
Notify about alerts with the following severity (or higher)
setting is checked and set toHigh
From Azure CLI
Ensure the output of below command is set to true
, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.alertNotifications'
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Defender for Cloud
. - Click
Environment Settings
. - Click the appropriate
Management Group
,Subscription
, orWorkspace
. - Click
Email notifications
. - Under Notification types, select
Notify about alerts with the following severity (or higher):
and selectHigh
from the drop down menu. - Click
Save
.
From Azure CLI
Use the below command to set Send email notification for high severity alerts to On:
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
"name": "default1",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
- Excluding any entries in the input.json properties block disables the specific setting by default.
- This recommendation reflects recent changes to Microsoft REST APIs for getting and updating security contact information.