Skip to main content

lacework-global-525

2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' (Manual)

note

This rule has been changed to manual, see Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Enable security alert emails to subscription owners.

Rationale

Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.

Audit

From Azure Portal

  1. From Azure Home select the Portal Men
  2. Select Microsoft Defender for Cloud
  3. Then Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. Ensure that All users with the following roles is set to Owner

From Azure CLI

Ensure the output of below command is set to true.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.value[] | select(.name=="default")'|jq '.properties.notificationsByRole'

Remediation

From Azure Portal

  1. From Azure Home select the Portal Men
  2. Select Microsoft Defender for Cloud
  3. Click on Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. In the drop down of the All users with the following roles field select Owner
  7. Click Save

From Azure CLI

Use the below command to set Send email also to subscription owners to On.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the Request body json data as mentioned below. And replace validEmailAddress with email ids csv for multiple.

 {
 "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
 "name": "default1",
 "type": "Microsoft.Security/securityContacts",
 "properties": {
 "email": "<validEmailAddress>",
 "alertNotifications": "On",
 "alertsToAdmins": "On",
 "notificationsByRole": "Owner"
 }
 }

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any of the entries in recommendations block in input.json disables the specific setting by default