Description
Enable security alert emails to subscription owners.
Rationale
Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select `Microsoft Defender for Cloud`.
- Under `Management`, select `Environment Settings`.
- Click on the appropriate Management Group, Subscription, or Workspace.
- Click on `Email notifications`.
- Ensure that `All users with the following roles` is set to `Owner`.
From Azure CLI
Ensure the command below returns a `state` of `On` and that `Owner` appears in `roles`:
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview"' | jq '.[] | select(.name=="default").properties.notificationsByRole'
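The pass/fail decision for this audit can be automated over the saved output of the `curl` call. The following is an added example, not part of the benchmark: the function name and the sample responses are constructed, and it assumes the response is either a bare list of contacts or a `{"value": [...]}` wrapper.

```python
import json

# Constructed sample responses (not captured from a real subscription).
COMPLIANT = json.dumps([{"name": "default", "properties": {
    "notificationsByRole": {"state": "On", "roles": ["Owner"]}}}])
OWNER_MISSING = json.dumps({"value": [{"name": "default", "properties": {
    "notificationsByRole": {"state": "On", "roles": ["Contributor"]}}}]})
# The notificationsByRole block left out entirely (constructed).
BLOCK_OMITTED = json.dumps([{"name": "default",
                             "properties": {"emails": "soc@example.com"}}])


def audit_owner_notifications(response_text):
    """Return (passed, reason) for the 'default' security contact."""
    try:
        body = json.loads(response_text)
    except json.JSONDecodeError as exc:
        return False, f"response is not JSON: {exc}"
    # Assumption: accept a bare list or a {"value": [...]} wrapper.
    contacts = body.get("value", []) if isinstance(body, dict) else body
    if not isinstance(contacts, list):
        return False, "unexpected response shape"
    default = next((c for c in contacts
                    if isinstance(c, dict) and c.get("name") == "default"), None)
    if default is None:
        return False, "no security contact named 'default'"
    by_role = (default.get("properties") or {}).get("notificationsByRole")
    if not isinstance(by_role, dict):
        return False, "notificationsByRole is absent"
    if str(by_role.get("state", "")).lower() != "on":
        return False, f"state is {by_role.get('state')!r}, expected 'On'"
    roles = by_role.get("roles") or []
    if "owner" not in [str(r).lower() for r in roles]:
        return False, f"Owner not in roles {roles}"
    return True, "state is On and Owner is in roles"


if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("owner missing", OWNER_MISSING),
               ("block omitted", BLOCK_OMITTED), ("error body", '{"error": {}}')]
    for label, sample in samples:
        print(label, audit_owner_notifications(sample))
```

A missing `notificationsByRole` block is reported as a failure rather than skipped, so an absent setting is never counted as compliant.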
Default Value
By default, `Owner` is selected.
References
- https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
- https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
- https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification
Additional Information
Excluding any entries in the `input.json` properties block disables the specific setting by default.