Ensure That 'Notify about alerts with the following severity' is Set to 'High'

Enables emailing security alerts to the subscription owner or other designated security contact.

Risk Level: Low
Cloud Entity: Security Contact
CloudGuard Rule ID: D9.AZU.MON.60
Covered by Spectral: No
Category: Security Center

GSL LOGIC

SecurityContact where properties.alertNotifications.minimalSeverity='High' should have properties.alertNotifications.state regexMatch /[Oo][nN]/
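As an added illustration (not CloudGuard's engine or code from this page), the GSL logic above evaluated in Python over constructed SecurityContact objects. The resource shape with properties.alertNotifications.{state,minimalSeverity} and the full-match reading of regexMatch are assumptions:

```python
import re
from typing import Any

# Constructed sample SecurityContact resources (assumed 2020-01-01-preview
# shape, since the GSL addresses properties.alertNotifications.*). Not real data.
SAMPLE_CONTACTS = [
    {"name": "default", "properties": {"emails": "soc@example.com",
     "alertNotifications": {"state": "On", "minimalSeverity": "High"}}},
    {"name": "default", "properties": {"emails": "soc@example.com",
     "alertNotifications": {"state": "Off", "minimalSeverity": "High"}}},
    {"name": "default", "properties": {"emails": "soc@example.com",
     "alertNotifications": {"state": "On", "minimalSeverity": "Low"}}},
    {"name": "default", "properties": {}},  # notifications never configured
]

# The regexMatch pattern from the GSL; treated as a full match (assumption).
STATE_ON = re.compile(r"[Oo][nN]")


def evaluate(contact: dict[str, Any]) -> str:
    """Apply the rule to one contact.

    'where minimalSeverity=High' is a filter: contacts that do not match it are
    outside the rule's scope and are reported as 'not_applicable', not 'fail'.
    Such contacts (severity Low/Medium, or no alertNotifications block at all)
    need a separate check if you want them surfaced.
    """
    props = contact.get("properties") or {}
    notif = props.get("alertNotifications") or {}
    if notif.get("minimalSeverity") != "High":
        return "not_applicable"
    state = str(notif.get("state", ""))
    return "pass" if STATE_ON.fullmatch(state) else "fail"


def summarize(contacts: list[dict[str, Any]]) -> dict[str, int]:
    """Count results across a set of contacts, e.g. one per subscription."""
    counts = {"pass": 0, "fail": 0, "not_applicable": 0}
    for contact in contacts:
        counts[evaluate(contact)] += 1
    return counts


if __name__ == "__main__":
    for contact in SAMPLE_CONTACTS:
        print(contact["name"], evaluate(contact))
    print(summarize(SAMPLE_CONTACTS))
```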

REMEDIATION

From Portal

  1. Go to Microsoft Defender for Cloud
  2. Click on Environment Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. Under 'Notification types', check the check box next to Notify about alerts with the following severity (or higher): and select High from the drop down menu
  6. Click Save

From TF
Set the 'alert_notifications' argument under 'azurerm_security_center_contact' to true:

resource "azurerm_security_center_contact" "example" {
	...
	alert_notifications = true
	...
}

From Command Line

Use the command below to set 'Send email notification for high severity alerts' to On.
Run:

az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview" -d @input.json'

Here input.json contains the request body JSON shown below. Replace EMAIL-ADDRESS with the contact's email address (a comma-separated list for multiple recipients).

{
  "id": "/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/securityContacts/default1",
  "name": "default1",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "EMAIL-ADDRESS",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

References

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  2. https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact

Security Contact

Security Contact is used to configure email and alert notifications to owners or other users.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset