πŸ“ Azure Subscription Security Alert Notifications to subscription owners are not configured 🟒

  • Contextual name: πŸ“ Security Alert Notifications to subscription owners are not configured 🟒
  • ID: /ce/ca/azure/subscription/security-alert-notifications-to-subscription-owners
  • Located in: πŸ“ Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

  • Rule: ✉️ dec-x-351e376f1

Logic

Description

Enable security alert emails to subscription owners.

Rationale

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. Ensure that 'All users with the following roles' is set to 'Owner'.

From Azure CLI

Ensure the command below returns a state of On and that Owner appears in roles:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview'| jq '.[] | select(.name=="default").properties.notificationsByRole'

... [see more](description.md)
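A defender-side evaluation of the JSON that the audit command above returns, added here as an example (it is not part of the CIS benchmark or of Cloudaware's own tooling). The sample response is constructed, and accepting a `{"value": [...]}` list envelope as well as a bare array is an assumption about the list API's shape, not something the page states:

```python
"""Evaluate a securityContacts API response for the 'All users with the
following roles' = Owner control. Added example; nothing here calls Azure."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample of what the GET in the audit step returns when Owner
# notifications are enabled (field names follow the notificationsByRole
# shape the jq filter in the audit command selects on).
COMPLIANT_RESPONSE = json.dumps({
    "value": [{
        "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default",
        "name": "default",
        "properties": {
            "emails": "secops@example.com",
            "notificationsByRole": {"state": "On", "roles": ["Owner"]},
        },
    }]
})

def contacts(doc: Any) -> list[dict]:
    """Accept the {'value': [...]} list envelope (assumed) or a bare array."""
    if isinstance(doc, dict):
        doc = doc.get("value", [])
    if not isinstance(doc, list):
        return []
    return [c for c in doc if isinstance(c, dict)]

def owner_notifications_enabled(response_json: str) -> tuple[bool, str]:
    """Return (compliant, reason). Only the contact named 'default' counts,
    mirroring the audit command's jq filter; anything else is a finding."""
    try:
        doc = json.loads(response_json)
    except json.JSONDecodeError as exc:
        return False, f"response is not JSON: {exc}"
    default = [c for c in contacts(doc) if c.get("name") == "default"]
    if not default:
        return False, "no 'default' security contact: alerts are not routed at all"
    by_role = (default[0].get("properties") or {}).get("notificationsByRole") or {}
    state = str(by_role.get("state", "Off"))
    roles = [str(r) for r in by_role.get("roles") or []]
    if state.lower() != "on":
        return False, f"notificationsByRole.state is {state!r}, expected 'On'"
    if not any(r.lower() == "owner" for r in roles):
        return False, f"roles {roles} do not include 'Owner'"
    return True, f"state On, roles {roles}"
```

Pipe the output of the curl call (without the trailing jq) into `owner_notifications_enabled` to get a pass/fail with a reason suitable for a compliance report.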

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. In the drop-down of the 'All users with the following roles' field, select 'Owner'.
  7. Click Save.

From Azure CLI

Use the command below to set 'Send email also to subscription owners' to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{ 
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

  • 💼 APRA CPG 234 → 💼 16a vulnerability and threat management;
  • 💼 APRA CPG 234 → 💼 16e security testing, including penetration testing;
  • 💼 APRA CPG 234 → 💼 16f information security reporting and analytics;
  • 💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner;
  • 💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;
  • 💼 APRA CPG 234 → 💼 36k response controls — to manage information security incidents and feedback mechanisms to address control deficiencies;
  • 💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures;
  • 💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access
  • 💼 APRA CPG 234 → 💼 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions);
  • 💼 APRA CPG 234 → 💼 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term ‘potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred.
  • 💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;
  • 💼 APRA CPG 234 → 💼 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);
  • 💼 APRA CPG 234 → 💼 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices.
  • 💼 APRA CPG 234 → 💼 73a detection of an information security event through the use of automated sensors and manual review;
  • 💼 APRA CPG 234 → 💼 73b identification and analysis to determine if it is an incident or an event;
  • 💼 APRA CPG 234 → 💼 73d containment to minimise the damage caused, and reduce the possibility of further damage;
  • 💼 APRA CPG 234 → 💼 73e eradication which involves the removal of the source of the information security compromise (typically malware);
  • 💼 CIS Azure v1.1.0 → 💼 2.16 Ensure that 'Security contact emails' is set
  • 💼 CIS Azure v1.1.0 → 💼 2.19 Ensure that 'Send email also to subscription owners' is set to 'On'
  • 💼 CIS Azure v1.3.0 → 💼 2.15 Ensure that 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)
  • 💼 CIS Azure v1.4.0 → 💼 2.15 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)
  • 💼 CIS Azure v1.5.0 → 💼 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)
  • 💼 CIS Azure v2.0.0 → 💼 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)
  • 💼 CIS Azure v2.1.0 → 💼 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)
  • 💼 CIS Azure v3.0.0 → 💼 3.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated)
  • 💼 Cloudaware Framework → 💼 Microsoft Defender Configuration
  • 💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 IR-6(3) Supply Chain Coordination (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)
  • 💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 IR-6(3) Supply Chain Coordination (M)(H)
  • 💼 ISO/IEC 27001:2013 → 💼 A.16.1.2 Reporting information security events
  • 💼 ISO/IEC 27001:2022 → 💼 5.5 Contact with authorities
  • 💼 ISO/IEC 27001:2022 → 💼 5.6 Contact with special interest
  • 💼 ISO/IEC 27001:2022 → 💼 5.20 Addressing information security within supplier agreements
  • 💼 ISO/IEC 27001:2022 → 💼 5.24 Information security incident management planning and preparation
  • 💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated
  • 💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria
  • 💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans
  • 💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools
  • 💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
  • 💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents
  • 💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation