Email To Subscription Owners

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-019

Ensure that Azure subscription owners receive security alert email notifications from Microsoft Defender for Cloud when compromised resources are detected within the Azure account. Microsoft uses this contact information (the email addresses of the subscription owners) to reach the people responsible for the subscription if the Microsoft Security Response Center (MSRC) discovers that cloud resources and/or data have been accessed by an unauthorized actor or system.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling security alert emails to subscription owners ensures that they receive the alert notifications generated by Microsoft Defender for Cloud and the Microsoft Security Response Center, so that they become aware of the security issues identified and can take action to mitigate the risks in a timely fashion.


Audit

To determine if Microsoft Defender for Cloud is configured to send security alert email notifications to Azure subscription owners, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 In the Email recipients section, check the value selected for the All users with the following roles dropdown list. If no role is selected, no role-based recipients (administrators included) receive security alert notifications from Microsoft. If one or more roles are selected but Owner is not one of them, Microsoft Defender for Cloud is not configured to send security alert email notifications to the subscription owner(s).

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) and pass the returned subscription ID and bearer token to a GET request against the Microsoft Defender for Cloud Security Contacts REST API, filtering the response with jq, to determine if the service is configured to send security alert notifications to the owner(s) of the current Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[] | select(.type=="Microsoft.Security/securityContacts") | .properties.alertsToAdmins'

02 The command output should return the notification feature configuration status:

"Off"

If the command output returns "Off", as shown in the output example above, or returns nothing at all (no security contact has been defined for the subscription, so the jq filter matches no resource), the Microsoft Defender for Cloud service is not configured to send security alert email notifications to the subscription owner(s).

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To configure Microsoft Defender for Cloud to send security alert email notifications to Azure subscription owners, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 In the Email recipients section, perform the following actions:

  1. Select Owner from the All users with the following roles dropdown list to enable sending security alert notifications to the owner(s) of the selected Azure account subscription.
  2. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the security contact configuration that the REST API request will send in order to enable the Microsoft Defender for Cloud service to send security alert email notifications to the subscription owner(s), by setting the "alertsToAdmins" property to "On". Save the configuration document to a JSON file named enable-subscription-owner-security-alerts.json and replace the placeholder values, i.e. <azure-subscription-id> and <valid-email-address> (the email recipient is optional for this rule and is covered by a separate Conformity rule), with your own Azure subscription details:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) and pass the returned subscription ID and bearer token to a PUT request that uploads the configuration document defined at the previous step (i.e. the enable-subscription-owner-security-alerts.json file) to the default security contact, to enable sending security alert notifications to the owner(s) of the selected Azure subscription. The contact name in the request URL (default) must match the "name" value in the JSON document, otherwise a second, separate contact resource is created:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2017-08-01-preview" -d @enable-subscription-owner-security-alerts.json'

03 The output should return the updated security contact resource, confirming that "alertsToAdmins" is now "On":

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
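The audit and remediation steps above can be combined into a single script that talks to the same Security Contacts REST API the curl commands use. The following is an added example, not code from Conformity or this page: it assumes the same API version (2017-08-01-preview) and "default" contact name as the page, a hypothetical subscription ID and recipient address (soc@example.com), and a bearer token obtained from `az account get-access-token`. The HTTP call is injectable, so `demo()` exercises the logic offline against a constructed subscription whose default contact has "alertsToAdmins" set to "Off"; the real `arm_request` function is only used when you pass a genuine token.

```python
"""Added example (not Conformity's code): audit and remediate the Microsoft
Defender for Cloud "alertsToAdmins" setting through the securityContacts REST
API, with the HTTP layer injectable so the logic runs offline."""
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2017-08-01-preview"  # the API version the page's commands use
CONTACT_TYPE = "Microsoft.Security/securityContacts"


def contacts_url(subscription_id, contact_name=None):
    """Build the securityContacts collection URL, or a single contact's URL."""
    path = f"{ARM}/subscriptions/{subscription_id}/providers/{CONTACT_TYPE}"
    if contact_name:
        path += f"/{contact_name}"
    return f"{path}?api-version={API_VERSION}"


def owner_alerts_enabled(listing):
    """True only if some security contact has alertsToAdmins == "On".

    An empty collection (no contact defined at all) is non-compliant: nobody
    is notified. This is the case the page's jq filter reports as no output.
    """
    contacts = [c for c in listing.get("value", []) if c.get("type") == CONTACT_TYPE]
    return any(c.get("properties", {}).get("alertsToAdmins") == "On" for c in contacts)


def remediation_body(subscription_id, email, contact_name="default"):
    """The PUT body from the remediation step. The name in the body must match
    the contact name in the request URL, or a separate contact is created."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/{CONTACT_TYPE}/{contact_name}",
        "name": contact_name,
        "type": CONTACT_TYPE,
        "properties": {
            "email": email,
            "alertNotifications": "On",
            "alertsToAdmins": "On",
        },
    }


def arm_request(token, url, method="GET", body=None):
    """Real Azure Resource Manager call; needs a token from `az account get-access-token`."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_and_fix(subscription_id, token, email, apply=False, request=arm_request):
    """Return (was_compliant, put_result). Writes only when apply=True."""
    listing = request(token, contacts_url(subscription_id))
    compliant = owner_alerts_enabled(listing)
    if compliant or not apply:
        return compliant, None
    result = request(token, contacts_url(subscription_id, "default"), "PUT",
                     remediation_body(subscription_id, email))
    return False, result


# Constructed sample data: a hypothetical subscription whose default contact
# has alerts to admins switched Off (the non-compliant state).
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_LISTING = {"value": [{
    "id": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/providers/{CONTACT_TYPE}/default",
    "name": "default",
    "type": CONTACT_TYPE,
    "properties": {"email": "soc@example.com", "alertNotifications": "On",
                   "alertsToAdmins": "Off"},
}]}


def demo():
    """Offline run: the in-memory 'ARM' stores whatever the PUT sends."""
    state = json.loads(json.dumps(SAMPLE_LISTING))  # deep copy of the sample

    def fake_request(token, url, method="GET", body=None):
        if method == "PUT":
            state["value"] = [body]  # ARM echoes the stored resource back
            return body
        return state

    before, _ = audit_and_fix(SAMPLE_SUBSCRIPTION, "fake-token", "soc@example.com",
                              apply=True, request=fake_request)
    after, _ = audit_and_fix(SAMPLE_SUBSCRIPTION, "fake-token", "soc@example.com",
                             request=fake_request)
    return before, after


if __name__ == "__main__":
    print(demo())  # (False, True): non-compliant before the PUT, compliant after
```

To run it against a real subscription, pass the token from `az account get-access-token --query accessToken -o tsv` and the subscription ID to `audit_and_fix` with the default `request`; leave `apply=False` for a read-only audit. The check deliberately treats a subscription with no security contact at all as non-compliant, since the jq one-liner above prints nothing in that case and can be misread as a pass.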

Publication date May 31, 2019