Control: 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner'

Description

Enable security alert emails to subscription owners

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

Remediation

From Azure Portal

From Azure Home select the Portal Menu
Select Microsoft Defender for Cloud
Select Environment Settings
Click on the appropriate Management Group, Subscription, or Workspace
Click on Email notifications
In the drop down of the All users with the following roles field select Owner
Click Save

From Azure CLI

Use the below command to set Send email also to subscription owners to On.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Securi

Where input.json contains the Request body json data as mentioned below. And replace validEmailAddress with email ids csv for multiple.

{
  "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
  "email": "<validEmailAddress>",
  "alertNotifications": "On",
  "alertsToAdmins": "On",
  "notificationsByRole": "Owner"
}

Default Value

By default, Owner is selected.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v150_2_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v150_2_3_1 --share

SQL

This control uses a named query:

securitycenter_security_alerts_to_owner_enabled