Ensure That 'All users with the following roles' is set to 'Owner'

Enable security alert emails to subscription owners.

Risk Level: Low
Cloud Entity: Security Contact
CloudGuard Rule ID: D9.AZU.MON.61
Covered by Spectral: Yes
Category: Security Center

GSL LOGIC

SecurityContact should have properties.notificationsByRole.state='On' and properties.notificationsByRole.roles contain [ 'Owner']

REMEDIATION

From Portal

  1. Go to Microsoft Defender for Cloud
  2. Click on Environment Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. In the 'All users with the following roles' drop-down, select Owner
  6. Click Save

From TF
Set the 'alerts_to_admins' argument under 'azurerm_security_center_contact' to true:

resource "azurerm_security_center_contact" "example" {
	...
	alerts_to_admins    = true
	...
}

From Command Line

Use the command below to set 'All users with the following roles' to Owner (properties.notificationsByRole) on the subscription's default security contact. bash -c receives the subscription ID as $0 and the access token as $1.
Run

az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview" -d @input.json'

Where input.json contains the request body below (valid JSON, double-quoted). Replace EMAIL-ADDRESS with the contact address; separate multiple addresses with semicolons. In api-version 2020-01-01-preview the role setting is the notificationsByRole object with a state and a list of roles, not a string, and the PUT URL already names the resource (default), so the body carries only properties. PUT replaces the whole contact, so also include the alertNotifications settings you want to keep.

{
  "properties": {
    "emails": "EMAIL-ADDRESS",
    "alertNotifications": {
      "state": "On",
      "minimalSeverity": "High"
    },
    "notificationsByRole": {
      "state": "On",
      "roles": [ "Owner" ]
    }
  }
}
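To make the GSL logic and the request body concrete, the following Python is an added example (not CloudGuard's or Microsoft's code). It evaluates the rule above against security-contact payloads in the api-version 2020-01-01-preview shape, lists the non-compliant ones, and builds a corrected PUT body that keeps existing roles, e-mail addresses and severity settings instead of overwriting them. The subscription labels and addresses in the sample payloads are constructed; the live-read helper uses az rest, needs an authenticated Azure CLI, and is not called by the samples.

```python
"""Check and remediate Azure security contacts against the CloudGuard rule
D9.AZU.MON.61 (added example, not CloudGuard's or Microsoft's code).

Payload shape follows Microsoft.Security/securityContacts in api-version
2020-01-01-preview, where the role setting lives under
properties.notificationsByRole = {"state": "On"|"Off", "roles": [...]}.
"""
import copy
import json
import subprocess
from typing import Any, Dict, List

API_VERSION = "2020-01-01-preview"
REQUIRED_ROLE = "Owner"


def is_compliant(contact: Dict[str, Any]) -> bool:
    """GSL: notificationsByRole.state == 'On' and roles contain 'Owner'.

    A contact with the key missing (never configured for roles) is treated
    as non-compliant rather than raising.
    """
    by_role = contact.get("properties", {}).get("notificationsByRole") or {}
    roles = by_role.get("roles") or []
    return by_role.get("state") == "On" and REQUIRED_ROLE in roles


def audit(contacts: List[Dict[str, Any]]) -> List[str]:
    """Resource IDs of the contacts that fail the rule."""
    return [c.get("id", "<no id>") for c in contacts if not is_compliant(c)]


def remediate(contact: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with Owner-role notifications switched on.

    Existing roles, emails and alertNotifications are preserved so the
    result can be PUT back without silently dropping other settings.
    """
    fixed = copy.deepcopy(contact)
    by_role = fixed.setdefault("properties", {}).setdefault("notificationsByRole", {})
    by_role["state"] = "On"
    roles = list(by_role.get("roles") or [])
    if REQUIRED_ROLE not in roles:
        roles.append(REQUIRED_ROLE)
    by_role["roles"] = roles
    return fixed


def put_payload(contact: Dict[str, Any]) -> Dict[str, Any]:
    """Body for PUT .../securityContacts/default: only 'properties'.

    id, name and type are derived from the URL, so they are not sent.
    """
    return {"properties": contact["properties"]}


def put_body(contact: Dict[str, Any]) -> str:
    """Serialised form of put_payload, ready to write to input.json."""
    return json.dumps(put_payload(contact), indent=2)


def fetch_security_contacts(subscription_id: str) -> List[Dict[str, Any]]:
    """Live read through the Azure CLI (requires 'az login').
    Not invoked by the constructed samples below."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/securityContacts?api-version={API_VERSION}")
    out = subprocess.run(["az", "rest", "--method", "get", "--url", url],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["value"]


# Constructed sample payloads: hypothetical subscription labels and addresses.
def _contact(subscription_label: str, by_role: Dict[str, Any]) -> Dict[str, Any]:
    return {
        "id": (f"/subscriptions/{subscription_label}/providers"
               "/Microsoft.Security/securityContacts/default"),
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "properties": {
            "emails": "secops@example.com;oncall@example.com",
            "alertNotifications": {"state": "On", "minimalSeverity": "High"},
            "notificationsByRole": by_role,
        },
    }


COMPLIANT = _contact("sub-a", {"state": "On", "roles": ["Owner", "Contributor"]})
ROLE_OFF = _contact("sub-b", {"state": "Off", "roles": ["Owner"]})      # toggle is Off
NO_OWNER = _contact("sub-c", {"state": "On", "roles": ["Contributor"]})  # wrong role
NEVER_SET = _contact("sub-d", {})                                        # key absent


if __name__ == "__main__":
    print("non-compliant:", audit([COMPLIANT, ROLE_OFF, NO_OWNER, NEVER_SET]))
    print(put_body(remediate(NO_OWNER)))
```

Run it directly to see the audit over the samples and the corrected body for the wrong-role case; for a real subscription, feed fetch_security_contacts(subscription_id) to audit() and write put_body(remediate(contact)) to input.json before the PUT above.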

References

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  2. https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#alerts_to_admins

Security Contact

The Security Contact resource configures the e-mail addresses and Azure RBAC roles (such as Owner) that receive Microsoft Defender for Cloud alert notifications for a subscription.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset