lacework-global-526
2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email (Manual)
note
This rule has been changed to manual, see Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
Rationale
Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Defender for Cloud
- Click on
Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on
Email notifications
- Ensure that a valid security contact email address is listed in the
Additional email addresses
field
From Azure CLI
Ensure the output of the below command is set not empty and is set with appropriate email ids.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.emails'
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud
- Click on
Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on
Email notifications
- Enter a valid security contact email address (or multiple addresses separated by commas) in the
Additional email addresses
field - Click
Save
From Azure CLI
Use the below command to set Security contact emails
to On
.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@"input.json"'
Where input.json
contains the Request body json data as mentioned below. And replace validEmailAddress with email ids csv for multiple.
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default",
"name": "default",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
- Excluding any of the entries in recommendations block in
input.json
disables the specific setting by default