Control: 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email
Description
Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Defender for Cloud
. - Click on
Environment Settings
. - Click on the appropriate Management Group, Subscription, or Workspace.
- Click on
Email notifications
. - Enter a valid security contact email address (or multiple addresses separated by commas) in the
Additional email addresses
field. - Click
Save
.
From Azure CLI
Use the below command to set Security contact emails
to On
.
az account get-access-token --query"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json"https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default?api-version=2020-01-01-preview -d@"input.json"'
Where input.json
contains the data below, replacing validEmailAddress
with a single email address or multiple comma-separated email addresses:
{ "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityC ontacts/default", "name": "default", "type": "Microsoft.Security/securityContacts", "properties": { "email": "<validEmailAddress>", "alertNotifications": "On", "alertsToAdmins": "On" }}
Default Value
By default, there are no additional email addresses entered.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_2_1_19
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_2_1_19 --share
SQL
This control uses a named query:
securitycenter_additional_email_configured