Skip to main content

πŸ“ Azure Subscription Security Alert Notifications to subscription owners are not configured 🟒

  • Contextual name: πŸ“ Security Alert Notifications to subscription owners are not configured 🟒
  • ID: /ce/ca/azure/subscription/security-alert-notifications-to-subscription-owners
  • Located in: πŸ“ Azure Subscription

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-351e376f1

Logic​

Description​

Open File

Description​

Enable security alert emails to subscription owners.

Rationale​

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

Audit​

This policy flags an Azure Subscription as INCOMPLIANT if the Security Center: Contacts configuration does not include a default contact where notificationsByRoleRoles contains the Owner role and notificationsByRoleState is set to On.

Default Value​

By default, Owner is selected.

References​

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
  3. https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. In the drop down of the All users with the following roles field select Owner.
  7. Click Save.

From Azure CLI​

Use the below command to set Send email also to subscription owners to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{ 
    "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1", 

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 16a vulnerability and threat management;1010
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 16e security testing, including penetration testing;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 16f information security reporting and analytics;911
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36g vulnerability management controls β€” which identify and address information security vulnerabilities in a timely manner;1010
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36j monitoring controls β€” for timely detection of compromises to information security;911
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36k response controls β€” to manage information security incidents and feedback mechanisms to address control deficiencies;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures;1010
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access1010
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions);99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term β€˜potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred.99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices.99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 73a detection of an information security event through the use of automated sensors and manual review;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 73b identification and analysis to determine if it is an incident or an event;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 73d containment to minimise the damage caused, and reduce the possibility of further damage;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 73e eradication which involves the removal of the source of the information security compromise (typically malware);99
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 2.16 Ensure that 'Security contact emails' is set11
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 2.19 Ensure that 'Send email also to subscription owners' is set to 'On'11
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 2.15 Ensure that 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 2.15 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 3.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated)1
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 9.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Microsoft Defender Configuration26
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)16
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62030
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)3810
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)265
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IR-6(3) Supply Chain Coordination (M)(H)22
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4851
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)10
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)230
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)110
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IR-6(3) Supply Chain Coordination (M)(H)2
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.16.1.2 Reporting information security events910
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.5 Contact with authorities23
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.6 Contact with special interest23
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.20 Addressing information security within supplier agreements23
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.24 Information security incident management planning and preparation23
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated2932
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-2: Incidents are reported consistent with established criteria1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-3: Information is shared consistent with response plans1617
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools32
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents30
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-03: Information is shared with designated internal and external stakeholders18
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(4) Account Management _ Automated Audit Actions1416
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44765
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1535