lacework-global-525
2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' (Manual)
Note: This rule has been changed to manual; see Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Enable security alert emails to subscription owners.
Rationale
Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select Microsoft Defender for Cloud
- Then select Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on Email notifications
- Ensure that All users with the following roles is set to Owner
From Azure CLI
Ensure the output of the command below is set to true.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.value[] | select(.name=="default")'|jq '.properties.notificationsByRole'
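As an added example (not part of the CIS text or of Lacework's own policy code), a small Python check that applies the audit above to the JSON returned by the securityContacts list call: it picks the contact named "default" from .value[] and verifies that Owner is among the roles receiving security alert e-mails. The sample responses are constructed; the string form of notificationsByRole follows the input.json in the Remediation section, while the {state, roles} object form is an assumption about the 2020-01-01-preview API shape.

```python
import json
from typing import Optional

# Constructed sample responses (not captured from a real subscription).
# The object form {"state": ..., "roles": [...]} is an assumption about the
# 2020-01-01-preview API; the string form "Owner" matches input.json on this page.
COMPLIANT_RESPONSE = json.dumps({
    "value": [
        {"name": "default", "type": "Microsoft.Security/securityContacts",
         "properties": {"email": "secops@example.com", "alertNotifications": "On",
                        "notificationsByRole": {"state": "On", "roles": ["Owner"]}}}
    ]
})

NONCOMPLIANT_RESPONSE = json.dumps({
    "value": [
        {"name": "default", "type": "Microsoft.Security/securityContacts",
         "properties": {"email": "secops@example.com", "alertNotifications": "On",
                        "notificationsByRole": {"state": "Off", "roles": []}}}
    ]
})


def default_contact(response_text: str) -> Optional[dict]:
    """Equivalent of the jq filter above: the contact named "default" in .value[]."""
    body = json.loads(response_text)
    for contact in body.get("value", []):
        if contact.get("name") == "default":
            return contact
    return None


def owner_notifications_enabled(response_text: str) -> bool:
    """True only when subscription Owners receive security alert e-mails."""
    contact = default_contact(response_text)
    if contact is None:
        return False  # no default security contact: nobody is notified
    by_role = contact.get("properties", {}).get("notificationsByRole")
    if isinstance(by_role, str):  # legacy shape: "notificationsByRole": "Owner"
        return by_role == "Owner"
    if isinstance(by_role, dict):  # assumed shape: {"state": "On", "roles": [...]}
        return by_role.get("state") == "On" and "Owner" in by_role.get("roles", [])
    return False  # missing or unknown shape: treat as non-compliant


if __name__ == "__main__":
    print("compliant sample:", owner_notifications_enabled(COMPLIANT_RESPONSE))
    print("non-compliant sample:", owner_notifications_enabled(NONCOMPLIANT_RESPONSE))
```

Pipe the curl output into the script in place of the constructed samples to run the same check against a live subscription.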
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select Microsoft Defender for Cloud
- Click on Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on Email notifications
- In the drop down of the All users with the following roles field select Owner
- Click Save
From Azure CLI
Use the command below to set Send email also to subscription owners to On.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
Where input.json contains the request body JSON data as shown below. Replace validEmailAddress with the email address, or a comma-separated list of addresses for multiple recipients.
{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<validEmailAddress>",
    "alertNotifications": "On",
    "alertsToAdmins": "On",
    "notificationsByRole": "Owner"
  }
}
Additional Information
- Excluding any of the entries in the recommendations block of input.json disables that specific setting by default.