Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts

Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should also include the ServiceAdmin role on the list so that the alerts are automatically received by the respective administrators.

Risk Level: Low
Cloud Entity: Security Contact
CloudGuard Rule ID: D9.AZU.MON.86
Covered by Spectral: No
Category: Security Center

GSL LOGIC

SecurityContact should have properties.notificationsByRole.roles contain['ServiceAdmin']

REMEDIATION

From Portal

  1. Go to Microsoft Defender for Cloud
  2. Click on Environment Settings
  3. Click on the appropriate Management Group, Subscription, or Workspace
  4. Click on Email notifications
  5. Under Email recipients, for All users with the following roles, select the role named ServiceAdmin
  6. Click Save

From Command Line

Run the following command to have the alert emails sent to the ServiceAdmin role:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview" -d @input.json'

Here input.json contains the request body shown below. Replace LIST OF ADMIN ROLES with the roles that should receive the emails, written as a JSON array, for example ["Owner", "ServiceAdmin"].

{
  "id": "/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "notificationsByRole": {
      "roles": ["LIST OF ADMIN ROLES"]
    },
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}
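The following is an added example, not part of the CloudGuard rule page or of Microsoft's tooling. It implements the GSL check above in Python over the JSON returned for the securityContacts/default resource, reports which required roles are missing, and builds the PUT body in the shape shown above (with the roles already configured kept and ServiceAdmin added). The sample response is constructed for the example, and the assumed response layout follows the page's own GSL path properties.notificationsByRole.roles; the function names are my own.

```python
import json

# Roles the rule D9.AZU.MON.86 requires under properties.notificationsByRole.roles.
REQUIRED_ROLES = ("ServiceAdmin",)

# Constructed sample of a GET .../securityContacts/default response (not real API output).
# Only the Owner role is notified, so this contact is non-compliant with the rule.
SAMPLE_CONTACT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/securityContacts/default",
    "name": "default",
    "type": "Microsoft.Security/securityContacts",
    "properties": {
        "notificationsByRole": {"roles": ["Owner"]},
        "alertNotifications": "On",
        "alertsToAdmins": "On",
    },
}


def roles_notified(contact: dict) -> list:
    """Roles listed at properties.notificationsByRole.roles; [] when any level is missing.

    A bare string (as in a hand-edited body) is treated as a single role.
    """
    props = contact.get("properties") or {}
    by_role = props.get("notificationsByRole") or {}
    roles = by_role.get("roles") or []
    if isinstance(roles, str):
        roles = [roles]
    return [r for r in roles if isinstance(r, str)]


def missing_roles(contact: dict, required=REQUIRED_ROLES) -> list:
    """Required roles that are not in the contact's notification list (exact match, as GSL)."""
    present = set(roles_notified(contact))
    return [r for r in required if r not in present]


def is_compliant(contact: dict, required=REQUIRED_ROLES) -> bool:
    """GSL: SecurityContact should have properties.notificationsByRole.roles contain ['ServiceAdmin']."""
    return not missing_roles(contact, required)


def remediation_body(contact: dict, subscription_id: str, required=REQUIRED_ROLES) -> dict:
    """PUT body in the page's shape: existing roles are preserved, missing required roles appended."""
    roles = roles_notified(contact) + missing_roles(contact, required)
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/securityContacts/default",
        "name": "default",
        "type": "Microsoft.Security/securityContacts",
        "properties": {
            "notificationsByRole": {"roles": roles},
            "alertNotifications": "On",
            "alertsToAdmins": "On",
        },
    }


def remediation_json(contact: dict, subscription_id: str) -> str:
    """Serialise the PUT body as the input.json file the curl command in the page expects."""
    return json.dumps(remediation_body(contact, subscription_id), indent=2)


if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_CONTACT))
    print("missing:", missing_roles(SAMPLE_CONTACT))
    print(remediation_json(SAMPLE_CONTACT, "00000000-0000-0000-0000-000000000000"))
```

Write the output of remediation_json to input.json and run the command above against the subscription; a second GET of the resource should then pass is_compliant.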

References

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  2. https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token

Security Contact

Security Contact is used to configure email and alert notifications to Owners or other users.

Compliance Frameworks

  • Azure CIS Foundations v. 1.0.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset