πŸ“ Azure Subscription Security Alert Notifications for alerts with High severity are not configured 🟒

  • Contextual name: πŸ“ Security Alert Notifications for alerts with High severity is not configured 🟒
  • ID: /ce/ca/azure/subscription/security-alert-notifications-for-alerts-with-high-severity
  • Located in: πŸ“ Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

  • Rule: ✉️ dec-x-ba4c5b1c1

Logic

Description

Enables emailing security alerts to the subscription owner or other designated security contact.

Rationale​

Enabling security alert emails ensures that the alerts Microsoft raises for the subscription are delivered by email, so that the right people are aware of any potential security issue and are able to mitigate the risk.

Audit​

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. Ensure that the Notify about alerts with the following severity (or higher) setting is checked and set to High.

From Azure CLI

Ensure the output of the command below is set to True; your Subscription ID goes in place of $0 in /subscriptions/$0/providers:

```bash
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.alertNotifications'
```

... [see more](description.md)

Remediation

From Azure Portal​

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop down menu.
  7. Click Save.

From Azure CLI​

Use the command below to set Send email notification for high severity alerts to On (the angle brackets around $0 are a placeholder marker and must not be typed into the URL):

```bash
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
```

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

... see more
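To turn the audit step above into a repeatable check, here is an added Python example (not code from this page, from CIS or from Cloudaware) that applies the rule to a securityContacts response: it picks the contact named default, as the jq filter does, and reports why the control passes or fails. The response shape (properties.alertNotifications.state / minimalSeverity and properties.emails) is assumed from the 2020-01-01-preview API, and the sample payloads are constructed.

```python
"""Evaluate a Defender for Cloud securityContacts response for the
'notify about High-severity alerts by e-mail' control."""

# Constructed sample API responses (not captured from a real tenant), in the
# shape the 2020-01-01-preview securityContacts list call is assumed to return.
SAMPLES = {
    "compliant": {"value": [{"name": "default", "properties": {
        "emails": "secops@example.com",
        "alertNotifications": {"state": "On", "minimalSeverity": "High"}}}]},
    "threshold_not_high": {"value": [{"name": "default", "properties": {
        "emails": "secops@example.com",
        "alertNotifications": {"state": "On", "minimalSeverity": "Medium"}}}]},
    "emails_off": {"value": [{"name": "default", "properties": {
        "emails": "secops@example.com",
        "alertNotifications": {"state": "Off", "minimalSeverity": "High"}}}]},
    "no_default_contact": {"value": []},
}


def find_default_contact(payload):
    """Mirror the page's jq filter: return the contact named "default".
    Accepts the ARM list envelope {"value": [...]} or a bare list."""
    contacts = payload.get("value", []) if isinstance(payload, dict) else payload
    return next((c for c in contacts if c.get("name") == "default"), None)


def evaluate(payload):
    """Return (compliant, reason) following the benchmark's audit step:
    alertNotifications must be On with minimalSeverity exactly "High"."""
    contact = find_default_contact(payload)
    if contact is None:
        # The jq pipeline on the page prints nothing in this case; treat as failing.
        return False, "no securityContacts entry named 'default'"
    props = contact.get("properties", {})
    notif = props.get("alertNotifications") or {}
    if notif.get("state") != "On":
        return False, f"alertNotifications.state is {notif.get('state')!r}, expected 'On'"
    if notif.get("minimalSeverity") != "High":
        return False, f"minimalSeverity is {notif.get('minimalSeverity')!r}, expected 'High'"
    if not props.get("emails"):
        return False, "notifications are On but no recipient e-mail address is set"
    return True, "default contact e-mails High-severity alerts"


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        ok, reason = evaluate(payload)
        print(f"{label:<20} {'PASS' if ok else 'FAIL'}: {reason}")
```

Feed it the parsed JSON body of the GET call from the audit section instead of the constructed samples to check a live subscription.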

policy.yaml

Linked Framework Sections

  • 💼 APRA CPG 234 → 💼 16f information security reporting and analytics
  • 💼 APRA CPG 234 → 💼 16g incident detection and response, including recovery, notification and communication
  • 💼 APRA CPG 234 → 💼 36i service level management mechanisms — to monitor, manage and align information security with business objectives
  • 💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security
  • 💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity
  • 💼 APRA CPG 234 → 💼 73c escalation to ensure that decision-makers are aware of the incident and to trigger incident response processes
  • 💼 CIS Azure v2.1.0 → 💼 2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High' - Level 1 (Automated)
  • 💼 CIS Azure v3.0.0 → 💼 3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Automated)
  • 💼 Cloudaware Framework → 💼 Microsoft Defender Configuration
  • 💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)
  • 💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation