Ensure 'Additional email addresses' is Configured with a Security Contact Email
Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
Risk Level: Low
Cloud Entity: Security Contact
CloudGuard Rule ID: D9.AZU.MON.59
Covered by Spectral: Yes
Category: Security Center
GSL LOGIC
SecurityContact should not have properties.emails isEmpty()
REMEDIATION
From Portal
- Go to Microsoft Defender for Cloud
- Click on Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on Email notifications
- Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field
- Click Save
From TF
Set the 'email' argument under 'azurerm_security_center_contact' as below:
resource "azurerm_security_center_contact" "example" {
...
email = "[email protected]"
...
}
From Command Line
Use the below command to set Security contact emails to On.
Run
az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@'input.json''
Where input.json contains the Request body json data as mentioned below. And replace EMAIL-ADDRESS with email ids csv for multiple.
{
'id': '/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/securityContacts/default',
'name': 'default',
'type': 'Microsoft.Security/securityContacts',
'properties': {
'email': 'EMAIL-ADDRESS',
'alertNotifications': 'On',
'alertsToAdmins': 'On'
}
}
References
- https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
- https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact
Security Contact
Security Contact is used to configure Email and alerts notifications to Owners or other users
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago