🛡️ Azure Subscription Security Alert Notifications to subscription owners are not configured🟢

  • Contextual name: 🛡️ Security Alert Notifications to subscription owners are not configured🟢
  • ID: /ce/ca/azure/subscription/security-alert-notifications-to-subscription-owners
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

RulePoliciesFlags
✉️ dec-x-351e376f1

Description

Enable security alert emails to subscription owners.

Rationale

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft, so they are aware of potential security issues and can mitigate the risk in a timely fashion.

Audit

This policy flags an Azure Subscription as INCOMPLIANT if the Security Center: Contacts configuration has no default contact whose notificationsByRoleRoles includes the Owner role and whose notificationsByRoleState is set to On.
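To show what this check amounts to in code, here is an added example (not Cloudaware's or Microsoft's code) that evaluates the JSON a subscription's securityContacts list call returns. It assumes the 2020-01-01-preview response shape, where each contact carries a nested properties.notificationsByRole object with state and roles (the flattened notificationsByRoleRoles / notificationsByRoleState names above map onto those two fields), accepts both default and default1 as the default contact name because the two names appear in different API versions, and uses constructed sample responses for the pass case and each failure mode:

```python
# Added example (not Cloudaware's or Microsoft's code): evaluate a subscription's
# Defender for Cloud security contacts against the policy's Audit rule.
#
# Assumption: `list_response` is the JSON body returned by the securityContacts
# list API in its 2020-01-01-preview shape, i.e. {"value": [contact, ...]} with
# contact["properties"]["notificationsByRole"] == {"state": "On"|"Off",
# "roles": ["Owner", ...]}. Both "default" and "default1" are accepted as the
# default contact name, since the two names appear in different API versions.
from typing import Any

DEFAULT_CONTACT_NAMES = {"default", "default1"}


def contact_notifies_owners(contact: dict[str, Any]) -> bool:
    """True if this contact emails the Owner role (state On and Owner in roles)."""
    props = contact.get("properties") or {}
    by_role = props.get("notificationsByRole") or {}
    state_on = str(by_role.get("state", "")).lower() == "on"
    roles = {str(r).lower() for r in (by_role.get("roles") or [])}
    return state_on and "owner" in roles


def evaluate_subscription(list_response: dict[str, Any]) -> dict[str, str]:
    """Return {"status": "COMPLIANT"|"INCOMPLIANT", "reason": ...} for one subscription."""
    contacts = list_response.get("value") or []
    defaults = [c for c in contacts
                if str(c.get("name", "")).lower() in DEFAULT_CONTACT_NAMES]
    if not defaults:
        # No default contact at all: nobody is on the distribution list.
        return {"status": "INCOMPLIANT",
                "reason": "no default security contact configured"}
    for contact in defaults:
        if contact_notifies_owners(contact):
            return {"status": "COMPLIANT",
                    "reason": f"contact '{contact['name']}' notifies the Owner role"}
    return {"status": "INCOMPLIANT",
            "reason": "default contact has notificationsByRole state Off "
                      "or its roles do not include Owner"}


def _contact(name: str, state: str, roles: list[str]) -> dict[str, Any]:
    """Build a constructed contact record in the assumed API shape."""
    return {
        "id": f"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/{name}",
        "name": name,
        "type": "Microsoft.Security/securityContacts",
        "properties": {
            "emails": "secops@example.invalid",  # constructed sample address
            "alertNotifications": {"state": "On", "minimalSeverity": "Low"},
            "notificationsByRole": {"state": state, "roles": roles},
        },
    }


# Constructed sample responses covering the pass case and the failure modes.
COMPLIANT_RESPONSE = {"value": [_contact("default", "On", ["Owner", "Contributor"])]}
STATE_OFF_RESPONSE = {"value": [_contact("default", "Off", ["Owner"])]}
NO_OWNER_RESPONSE = {"value": [_contact("default1", "On", ["Contributor"])]}
NO_CONTACT_RESPONSE = {"value": []}
NON_DEFAULT_RESPONSE = {"value": [_contact("secops-team", "On", ["Owner"])]}

if __name__ == "__main__":
    cases = [("compliant", COMPLIANT_RESPONSE), ("state off", STATE_OFF_RESPONSE),
             ("no owner", NO_OWNER_RESPONSE), ("no contact", NO_CONTACT_RESPONSE),
             ("non-default name", NON_DEFAULT_RESPONSE)]
    for label, resp in cases:
        result = evaluate_subscription(resp)
        print(f"{label:17s} -> {result['status']}: {result['reason']}")
```

The role and state comparisons are case-insensitive so that a contact written as "owner"/"on" by a different client still passes; a contact with any name other than the default one is deliberately ignored, because the rule is about the default contact, not about any contact that happens to notify owners.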

Default Value

By default, Owner is selected.

References

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
  3. https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response#ir-2-preparation---setup-incident-notification

... see more

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. In the drop-down of the 'All users with the following roles' field, select Owner.
  7. Click Save.

From Azure CLI

Use the below command to set Send email also to subscription owners to On:

```bash
# The tsv line piped by xargs supplies $0 = subscription id and $1 = access token
# to the inner bash -c script; input.json is the request body described below.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
```

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{ 
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 APRA CPG 234 → 💼 16a vulnerability and threat management;1010no data
💼 APRA CPG 234 → 💼 16e security testing, including penetration testing;99no data
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;911no data
💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner;1010no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;911no data
💼 APRA CPG 234 → 💼 36k response controls — to manage information security incidents and feedback mechanisms to address control deficiencies;99no data
💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures;1010no data
💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access1010no data
💼 APRA CPG 234 → 💼 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions);99no data
💼 APRA CPG 234 → 💼 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term ‘potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred.99no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922no data
💼 APRA CPG 234 → 💼 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);99no data
💼 APRA CPG 234 → 💼 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices.99no data
💼 APRA CPG 234 → 💼 73a detection of an information security event through the use of automated sensors and manual review;99no data
💼 APRA CPG 234 → 💼 73b identification and analysis to determine if it is an incident or an event;99no data
💼 APRA CPG 234 → 💼 73d containment to minimise the damage caused, and reduce the possibility of further damage;99no data
💼 APRA CPG 234 → 💼 73e eradication which involves the removal of the source of the information security compromise (typically malware);99no data
💼 CIS Azure v1.1.0 → 💼 2.16 Ensure that 'Security contact emails' is set11no data
💼 CIS Azure v1.1.0 → 💼 2.19 Ensure that 'Send email also to subscription owners' is set to 'On'11no data
💼 CIS Azure v1.3.0 → 💼 2.15 Ensure that 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11no data
💼 CIS Azure v1.4.0 → 💼 2.15 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11no data
💼 CIS Azure v1.5.0 → 💼 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11no data
💼 CIS Azure v2.0.0 → 💼 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11no data
💼 CIS Azure v2.1.0 → 💼 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner' - Level 1 (Automated)11no data
💼 CIS Azure v3.0.0 → 💼 3.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated)1no data
💼 CIS Azure v4.0.0 → 💼 9.1.12 Ensure That 'All users with the following roles' is set to 'Owner' (Automated)1no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration26no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)16no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62032no data
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)3811no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)265no data
💼 FedRAMP High Security Controls → 💼 IR-6(3) Supply Chain Coordination (M)(H)22no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)4851no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24no data
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)10no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)65no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)16no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)232no data
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)110no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)65no data
💼 FedRAMP Moderate Security Controls → 💼 IR-6(3) Supply Chain Coordination (M)(H)2no data
💼 ISO/IEC 27001:2013 → 💼 A.16.1.2 Reporting information security events910no data
💼 ISO/IEC 27001:2022 → 💼 5.5 Contact with authorities23no data
💼 ISO/IEC 27001:2022 → 💼 5.6 Contact with special interest23no data
💼 ISO/IEC 27001:2022 → 💼 5.20 Addressing information security within supplier agreements23no data
💼 ISO/IEC 27001:2022 → 💼 5.24 Information security incident management planning and preparation23no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated2933no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria1922no data
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans1618no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events85no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging22no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents31no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders19no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions1416no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation44765no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data