
Enable High Severity Email Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Enable sending high severity alert notifications to the security contact email address defined within the Microsoft Defender for Cloud settings. The contact information provided will be used by Microsoft Defender for Cloud to contact the subscription owners and/or administrators if the Microsoft Security Response Center (MSRC) detects security issues, such as Remote Desktop Protocol (RDP) attacks or customer data accessed by an unauthorized party. MSRC performs in-depth security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third-party partners.

Security

By setting "Notify about alerts with the following severity (or higher)" to "High", you make sure that the right people are notified when potential security risks are identified in your Azure cloud account, so that those risks can be mitigated in a timely fashion.


Audit

To determine if sending high severity alert notifications is enabled within Microsoft Defender for Cloud, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 In the Notification types section, check whether the Notify about alerts with the following severity (or higher) checkbox is selected. If the checkbox is not selected, the type of security notifications to be sent by Microsoft Defender for Cloud is not configured. If the Notify about alerts with the following severity (or higher) checkbox is selected but the severity is not set to High, high severity alert notifications are not enabled for Microsoft Defender for Cloud in the selected Azure subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) with custom query filters to determine if high severity alert notifications are enabled for Microsoft Defender for Cloud service in the current Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2017-08-01-preview"' | jq '.value[] | select(.type=="Microsoft.Security/securityContacts") | .properties.alertNotifications'

02 The command output should return the requested feature configuration status:

"Disabled"

If the account get-access-token command output returns "Off" (or, as in the output example above, "Disabled") rather than "On", high severity alert notifications are not enabled for Microsoft Defender for Cloud within the current Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To enable high severity alert email notifications for Microsoft Defender for Cloud, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Email notifications to access the security notification settings.

06 In the Notification types section, perform the following actions:

  1. Select the Notify about alerts with the following severity (or higher) setting checkbox.
  2. Choose High from the Notify about alerts with the following severity (or higher) setting dropdown list to enable high severity alert notifications for Microsoft Defender for Cloud in the selected Azure subscription.
  3. (Optional) To configure additional email addresses for these types of notifications, follow the instructions outlined in this conformity rule.
  4. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI and PowerShell

01 Define the configuration parameters for the account get-access-token command in order to enable high severity alert notifications for Microsoft Defender for Cloud by setting the "alertNotifications" parameter to "On". Save the configuration document to a JSON file named enable-high-severity-alerts.json and replace the highlighted details, i.e. <azure-subscription-id> and <valid-email-address> (optional, see this conformity rule), with your own Azure account subscription details:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-high-severity-alerts.json file), to enable high severity alert email notifications for Microsoft Defender for Cloud in selected Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2017-08-01-preview" -d @"enable-high-severity-alerts.json"'

03 The output should return the account get-access-token command request metadata:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/securityContacts/default",
  "name": "default",
  "type": "Microsoft.Security/securityContacts",
  "properties": {
    "email": "<valid-email-address>",
    "alertNotifications": "On",
    "alertsToAdmins": "On"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
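The audit and remediation steps above both work on the same Microsoft.Security/securityContacts resource, and the "repeat for each subscription" step is easy to get wrong by hand. The following script is an added example, not part of this Conformity rule and not Trend Micro code. It evaluates the JSON that the GET call in the audit step returns (a contact is compliant only when "alertNotifications" is "On" and an email address is set) and builds the PUT body from the remediation step. The sample responses are constructed for the example, the subscription id is a placeholder, and the two network helpers simply reproduce the page's REST calls with a bearer token obtained from az account get-access-token; they are not exercised offline.

```python
"""Offline evaluator for the Defender for Cloud securityContacts setting.

Added example for this Conformity rule (not the rule's own code). Only the
standard library is used; the sample responses below are constructed.
"""
import json
import urllib.request

API_VERSION = "2017-08-01-preview"  # API version used by the rule's commands
CONTACT_TYPE = "Microsoft.Security/securityContacts"


def security_contacts(body):
    """Return the securityContacts resources in an API response.

    Accepts the collection form ({"value": [...]}) returned by GET on
    .../securityContacts, or a single resource (as returned by PUT on
    .../securityContacts/default). Input may be a JSON string or a dict.
    """
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    items = doc.get("value", [doc]) if isinstance(doc, dict) else []
    return [i for i in items if i.get("type") == CONTACT_TYPE]


def evaluate(body):
    """Classify one subscription's response.

    Returns (status, problems) where status is 'compliant', 'non-compliant'
    or 'not-configured' (no security contact resource at all).
    """
    contacts = security_contacts(body)
    if not contacts:
        return "not-configured", []
    problems = []
    for contact in contacts:
        props = contact.get("properties", {})
        # Anything other than "On" (e.g. "Off") means alert emails are not sent.
        if props.get("alertNotifications") != "On":
            problems.append(
                f"{contact.get('name')}: alertNotifications={props.get('alertNotifications')!r}"
            )
        if not props.get("email"):
            problems.append(f"{contact.get('name')}: no security contact email")
    return ("compliant" if not problems else "non-compliant"), problems


def remediation_document(subscription_id, email):
    """Build the PUT body shown in the remediation step of the rule."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/{CONTACT_TYPE}/default",
        "name": "default",
        "type": CONTACT_TYPE,
        "properties": {"email": email, "alertNotifications": "On", "alertsToAdmins": "On"},
    }


def _request(subscription_id, token, method="GET", name=None, payload=None):
    """Issue the rule's GET/PUT against the ARM endpoint (needs a real token)."""
    url = f"https://management.azure.com/subscriptions/{subscription_id}/providers/{CONTACT_TYPE}"
    if name:
        url += f"/{name}"
    url += f"?api-version={API_VERSION}"
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def fetch_contacts(subscription_id, token):
    """Audit step: GET the securityContacts collection."""
    return _request(subscription_id, token)


def enable_high_severity_alerts(subscription_id, token, email):
    """Remediation step: PUT the 'default' contact with alertNotifications On."""
    return _request(subscription_id, token, "PUT", "default",
                    remediation_document(subscription_id, email))


# Constructed sample responses (placeholder subscription id, not real data).
SAMPLE_OFF = json.dumps({"value": [{
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
          "Microsoft.Security/securityContacts/default",
    "name": "default", "type": CONTACT_TYPE,
    "properties": {"email": "secops@example.com",
                   "alertNotifications": "Off", "alertsToAdmins": "On"}}]})
SAMPLE_EMPTY = json.dumps({"value": []})

if __name__ == "__main__":
    for label, body in (("off", SAMPLE_OFF), ("empty", SAMPLE_EMPTY)):
        print(label, *evaluate(body))
    print(json.dumps(remediation_document("<azure-subscription-id>",
                                          "<valid-email-address>"), indent=2))
```

Running the script offline prints the verdict for both constructed responses and the remediation document with the rule's placeholders. To audit a real tenant, loop over the subscription ids from az account list and pass each one, with a token from az account get-access-token, to fetch_contacts() and then evaluate().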


Publication date Jul 18, 2022