Skip to main content

lacework-global-527

2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Manual)

note

This rule has been changed to manual, see Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Enables emailing security alerts to the subscription owner or other designated security contact.

Rationale

Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Microsoft Defender for Cloud
  3. Click on Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. Ensure that the Notify about alerts with the following severity (or higher) setting is checked and set to High

From Azure CLI

Ensure the output of below command is set to true, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.alertNotifications'

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Microsoft Defender for Cloud
  3. Click on Environment Settings
  4. Click on the appropriate Management Group, Subscription, or Workspace
  5. Click on Email notifications
  6. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu
  7. Click Save

From Azure CLI

Use the below command to set Send email notification for high severity alerts to On.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the Request body json data as mentioned below.

To enable email notifications on multiple emails at once, replace "<validEmailAddress>" on the line "email": with "<directory>/<csvfilename>.csv"

 {
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
"name": "default1",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any of the entries in recommendations block in input.json disables the specific setting by default

  • Microsoft has recently changed Rest APIs to get and Update Security Contact Information. This recommendation is updated accordingly