lacework-global-527
2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Manual)
note
This rule has been changed to manual, see Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Enables emailing security alerts to the subscription owner or other designated security contact.
Rationale
Enabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud
- Click on
Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on
Email notifications
- Ensure that the
Notify about alerts with the following severity (or higher)
setting is checked and set toHigh
From Azure CLI
Ensure the output of below command is set to true
, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name=="default")'|jq '.properties.alertNotifications'
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud
- Click on
Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on
Email notifications
- Under
Notification types
, check the check box next toNotify about alerts with the following severity (or higher):
and selectHigh
from the drop down menu - Click
Save
From Azure CLI
Use the below command to set Send email notification for high severity alerts
to On
.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@"input.json"'
Where input.json
contains the Request body json data as mentioned below.
To enable email notifications on multiple emails at once, replace "<validEmailAddress>"
on the line "email": with "<directory>/<csvfilename>.csv"
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/securityContacts/default1",
"name": "default1",
"type": "Microsoft.Security/securityContacts",
"properties": {
"email": "<validEmailAddress>",
"alertNotifications": "On",
"alertsToAdmins": "On"
}
}
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
Excluding any of the entries in recommendations block in
input.json
disables the specific setting by defaultMicrosoft has recently changed Rest APIs to get and Update Security Contact Information. This recommendation is updated accordingly