Ensure 'Additional email addresses' is Configured with a Security Contact Email

Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.

Risk Level: Low
Cloud Entity: Security Contact
CloudGuard Rule ID: D9.AZU.MON.59
Covered by Spectral: Yes
Category: Security Center

GSL LOGIC

SecurityContact should not have properties.emails isEmpty()

REMEDIATION

From Portal

  1. Go to Microsoft Defender for Cloud
  2. Click on Environment Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field
  6. Click Save

From TF
Set the 'email' argument under 'azurerm_security_center_contact' as below:

resource "azurerm_security_center_contact" "example" {
  # ... other arguments ...
  email = "EMAIL-ADDRESS"
  # ... other arguments ...
}

From Command Line

Use the command below to set Security contact emails to On.
Run:

az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview" -d@"input.json"'

Here input.json contains the request body JSON shown below. Replace EMAIL-ADDRESS with the security contact email address (a CSV list for multiple addresses) and YOUR-SUBSCRIPTIONID with the subscription ID.

{
  "id": "/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "EMAIL-ADDRESS",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}
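
The rule's check can be reproduced offline against exported Security Contact data. The following is an added example, not CloudGuard's own code or part of the original page. It assumes the contact entity carries its addresses in properties.emails (as the GSL reads it) or properties.email (as the request body above sets it), and it goes slightly beyond the GSL by also flagging values that are only separators or are not syntactically valid addresses.

```python
import json
import re

# Constructed sample: a list shaped like a securityContacts listing. The
# property names follow this page (GSL: properties.emails; request body:
# properties.email); the subscription IDs and addresses are made up.
SAMPLE = json.loads("""
[
  {"id": "/subscriptions/SUB-A/providers/Microsoft.Security/securityContacts/default",
   "properties": {"emails": "secops@example.com, oncall@example.com"}},
  {"id": "/subscriptions/SUB-B/providers/Microsoft.Security/securityContacts/default",
   "properties": {"emails": ""}},
  {"id": "/subscriptions/SUB-C/providers/Microsoft.Security/securityContacts/default",
   "properties": {"email": "secops@example.com", "alertNotifications": "On"}},
  {"id": "/subscriptions/SUB-D/providers/Microsoft.Security/securityContacts/default",
   "properties": {"emails": " , ;"}},
  {"id": "/subscriptions/SUB-E/providers/Microsoft.Security/securityContacts/default",
   "properties": {"emails": "not-an-address"}}
]
""")

# Deliberately loose syntax check: something@something.something, no spaces.
ADDRESS = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")

def contact_emails(contact):
    """Return the addresses configured on one Security Contact entity."""
    props = contact.get("properties") or {}
    raw = props.get("emails") or props.get("email") or ""
    # Comma is the separator this page names; ';' is accepted as an assumption.
    return [part.strip() for part in re.split(r"[,;]", raw) if part.strip()]

def evaluate(contacts):
    """Map each contact id to PASS or a FAIL reason for the rule."""
    results = {}
    for contact in contacts:
        emails = contact_emails(contact)
        bad = [e for e in emails if not ADDRESS.match(e)]
        if not emails:
            results[contact["id"]] = "FAIL: no additional email address"
        elif bad:
            results[contact["id"]] = "FAIL: malformed address " + ", ".join(bad)
        else:
            results[contact["id"]] = "PASS"
    return results

if __name__ == "__main__":
    for contact_id, verdict in evaluate(SAMPLE).items():
        print(contact_id.split("/")[2], verdict)
```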

References

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  2. https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact

Security Contact

A Security Contact is used to configure email and alert notifications to owners or other users.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset