turbot/azure_compliance

Control: 3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High'

Description

Enables emailing security alerts to the subscription owner or other designated security contact.

Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu.
  7. Click Save.

From Azure CLI

Use the below command to set Send email notification for high severity alerts to On.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
"name": "default1",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}

Default Value

By default, Notify about alerts with the following severity (or higher): is set to High.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_3_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_3_1_14 --share

SQL

This control uses a named query:

securitycenter_notify_alerts_configured

Tags