Ensure the 'ServiceAdmin' role is listed as an email recipient for Defender alerts
Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should also include the ServiceAdmin role on the list so that the alerts are automatically received by the respective administrators.
Risk Level: Low
Cloud Entity: Security Contact
CloudGuard Rule ID: D9.AZU.MON.86
Covered by Spectral: No
Category: Security Center
GSL LOGIC
SecurityContact should have properties.notificationsByRole.roles contain['ServiceAdmin']
REMEDIATION
From Portal
- Go to Microsoft Defender for Cloud
- Click on Environment Settings
- Click on the appropriate Management Group, Subscription, or Workspace
- Click on Email notifications
- Under Email recipients, for All users with the following roles, select the role named ServiceAdmin
- Click Save
From Command Line
Use the below command to have the emails sent to the ServiceAdmin role.
Run
az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@'input.json''
Where input.json contains the Request body json data as mentioned below. And replace LIST OF ADMIN ROLES with csv for multiple roles in list format, such as ['Owner', 'ServiceAdmin'].
{
'id': '/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/securityContacts/default',
'name': 'default',
'type': 'Microsoft.Security/securityContacts',
'properties': {
'notificationsByRole.roles': 'LIST OF ADMIN ROLES',
'alertNotifications': 'On',
'alertsToAdmins': 'On'
}
}
References
- https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
- https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
Security Contact
Security Contact is used to configure Email and alerts notifications to Owners or other users
Compliance Frameworks
- Azure CIS Foundations v. 1.0.0
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago