Skip to main content

lacework-global-527

Set 'Notify about alerts with the following severity' to 'High' (Manual)

note

This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Enables emailing security alerts to the subscription owner or other designated security contact.

Rationale

Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Microsoft Defender for Cloud
  3. Click on Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. Ensure that the Notify about alerts with the following severity (or higher) setting is checked and set to High

From Azure CLI

Ensure the output of below command is set to true, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.alertNotifications'

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Click Environment Settings.
  4. Click the appropriate Management Group, Subscription, or Workspace.
  5. Click Email notifications.
  6. Under Notification types, select Notify about alerts with the following severity (or higher): and select High from the drop down menu.
  7. Click Save.

From Azure CLI

Use the below command to set Send email notification for high severity alerts to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
"name": "default1",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any entries in the input.json properties block disables the specific setting by default.
  • This recommendation reflects recent changes to Microsoft REST APIs for getting and updating security contact information.