🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email

Description

Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.

Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Click on Environment Settings.
  4. Click on the appropriate Management Group, Subscription, or Workspace.
  5. Click on Email notifications.
  6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field.
  7. Click Save.

From Azure CLI

Use the below command to set Security contact emails to On.

az account get-access-token --query
"{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json"
https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/se curityContacts/default?api-version=2020-01-01-preview -d@"input.json"'

Where input.json contains the data below, replacing validEmailAddress with a single email address or multiple comma-separated email addresses:

{
  "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityC ontacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<validEmailAddress>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

Default Value

By default, there are no additional email addresses entered.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_2_1_19

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_2_1_19 --share

SQL

This control uses a named query:

with contact_info as (
  select
    jsonb_agg(email) filter (where name = 'default' and email != '') as default_email,
    count(*) filter (where name != 'default') as non_default_count,
    count(*) filter (where name = 'default') as default_count,
    subscription_id
  from
    azure_security_center_contact
  group by
    subscription_id
  limit 1
)
select
  sub.subscription_id as resource,
  case
    when non_default_count > 0 then 'ok'
    when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when non_default_count > 0 then 'Additional email addresses configured.'
    when default_count = 1 and default_email is not null then'Additional email addresses configured.'
    else 'Additional email addresses not configured.'
  end as reason
  
  , sub.display_name as subscription
from
  azure_subscription sub
  left join contact_info ci on sub.subscription_id = ci.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 2.1.19
cis_level = 1
cis_section_id = 2.1
cis_type = automated
cis_version = v2.0.0
plugin = azure
service = Azure/SecurityCenter