Control: 9.1.15 Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled
Description
Enables emailing attack paths to the subscription owner or other designated security contact.
Enabling attack path emails ensures that attack path emails are sent by Microsoft. This ensures that the right people are aware of any potential security issues and can mitigate the risk.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Defender for Cloud. - Under
Management, selectEnvironment settings. - Click on the appropriate Subscription.
- Click on
Email notifications. - Under Notification types, check the box next to
Notify about attack paths with the following risk level (or higher), and select an appropriate risk level from the drop-down menu. - Repeat steps 1-6 for each Subscription.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_9_1_15Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_9_1_15 --shareSQL
This control uses a named query:
with contact_info as ( select subscription_id, count(*) filter (where alert_notifications = 'On') as notification_alert_count from azure_security_center_contact group by subscription_id)select c.id as resource, case when c.name = 'AttackPath' and c.enabled and ci.notification_alert_count > 0 then 'ok' else 'alarm' end as status, case when c.name = 'AttackPath' and c.enabled and ci.notification_alert_count > 0 then 'Attack path notifications are enabled.' when c.name = 'AttackPath' and not c.enabled then 'Attack path notifications are disabled.' when ci.notification_alert_count = 0 then 'Security alert notifications are disabled.' else 'Attack path notifications not configured.' end as reason, c.subscription_id, c.cloud_environmentfrom azure_security_center_setting c left join contact_info ci on c.subscription_id = ci.subscription_idwhere c.name = 'AttackPath';